
Black Cat White Hat Security

BCWHSendpoint 1.3

BCWHSendpointIR 1.0

Windows Endpoint Protection

PowerShell for Endpoint Security. These commands close a number of endpoint findings defined in Microsoft Secure Score and other Windows security products. You can download them all as the BCWHSendpoint 1.3 module.

PowerShell - BCWHSendpoint 1.3

Installing and using BCWHSendpoint is straightforward: open Windows PowerShell with administrative access and copy and paste the commands below. Each function is listed below with the commands it runs and the module function that applies or reverts it.

BCWHSendpoint 1.3 Installation

Install-PackageProvider -Name NuGet -RequiredVersion 2.8.5.201 -Force;
Import-PackageProvider -Name NuGet -RequiredVersion 2.8.5.201;
 
Install-Module -Name BCWHSendpoint -RequiredVersion 1.3 -Force;
Import-Module -Name BCWHSendpoint -RequiredVersion 1.3;

The module can be found on the PowerShell Gallery.


Most of these controls are low impact and should not disrupt your workflow; however, caution is advised depending on your setup.

To enable all modules: BCWHSallOn
 
To revert all modules: BCWHSallOff

1) Block outdated ActiveX controls for Internet Explorer

Set
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies" -Name 'Ext' -Force;
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext" -Name 'VersionCheckEnabled' -Value 1;

 
BCWHSendpoint 1.3: BCWHSmod1On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext" -Name 'VersionCheckEnabled' -Value 0;

BCWHSendpoint 1.3: BCWHSmod1Off
 

2) Disable 'Autoplay for non-volume devices'

Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoAutoplayfornonVolume' -Value 1;
New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows" -Name 'Explorer' -Force;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Explorer" -Name 'NoAutoplayfornonVolume' -Value 1 -Force;

 
BCWHSendpoint 1.3: BCWHSmod2On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoAutoplayfornonVolume' -Value 0;
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Explorer" -Name 'NoAutoplayfornonVolume' -Value 0;

BCWHSendpoint 1.3: BCWHSmod2Off
 

3) Disable 'Autoplay' for all drives

Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoDriveTypeAutoRun' -Value 255;

 
BCWHSendpoint 1.3: BCWHSmod3On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoDriveTypeAutoRun' -Value 0;

BCWHSendpoint 1.3: BCWHSmod3Off
 

4) Disable 'Continue running background apps when Google Chrome is closed'

Set
New-Item -Path "HKLM:\Software\Policies" -Name 'Google' -Force;
New-Item -Path "HKLM:\Software\Policies\Google" -Name 'Chrome' -Force;
New-ItemProperty -Path "HKLM:\Software\Policies\Google\Chrome" -Name 'BackgroundModeEnabled' -Value 0 -Force;

 
BCWHSendpoint 1.3: BCWHSmod4On
 
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Google\Chrome" -Name 'BackgroundModeEnabled' -Value 1;

BCWHSendpoint 1.3: BCWHSmod4Off
 

5) Disable 'Enumerate administrator accounts on elevation'

Set
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies" -Name 'CredUI' -Force;
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" -Name 'EnumerateAdministrators' -Value 0 -Force;

 
BCWHSendpoint 1.3: BCWHSmod5On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" -Name 'EnumerateAdministrators' -Value 1;

BCWHSendpoint 1.3: BCWHSmod5Off
 

6) Disable 'Password Manager'

Set
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft" -Name 'Edge' -Force;
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge\" -Name "PasswordManagerEnabled" -Value 0;

 
BCWHSendpoint 1.3: BCWHSmod28On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge\" -Name "PasswordManagerEnabled" -Value 1;

BCWHSendpoint 1.3: BCWHSmod28Off
 

7) Disable Anonymous enumeration of shares

Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name 'RestrictAnonymous' -Value 1;

 
BCWHSendpoint 1.3: BCWHSmod6On
 
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name 'RestrictAnonymous' -Value 0;

BCWHSendpoint 1.3: BCWHSmod6Off
 

8) Disable Insecure guest logons in SMB

Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\" -Name "AllowInsecureGuestLogons" -Value 0;

 
BCWHSendpoint 1.3: BCWHSmod39On
 
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\" -Name "AllowInsecureGuestLogons" -Value 1;

BCWHSendpoint 1.3: BCWHSmod39Off
 

9) Disable Installation and configuration of Network Bridge on your DNS domain network

Set
New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows" -Name 'Network Connections' -Force;
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Network Connections\" -Name "NC_AllowNetBridge_NLA" -Value 0;

 
BCWHSendpoint 1.3: BCWHSmod30On
 
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Network Connections\" -Name "NC_AllowNetBridge_NLA" -Value 1;

BCWHSendpoint 1.3: BCWHSmod30Off
 

10) Disable IP Source routing

Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\" -Name 'DisableIPSourceRouting' -Value 2;

 
BCWHSendpoint 1.3: BCWHSmod7On
 
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\" -Name 'DisableIPSourceRouting' -Value 0;

BCWHSendpoint 1.3: BCWHSmod7Off
 

11) Disable JavaScript/Flash on Adobe Reader DC

Set
New-Item -Path "HKLM:\SOFTWARE\Policies\Adobe\" -Name 'Acrobat Reader' -Force;
New-Item -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader" -Name 'DC' -Force;
New-Item -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC" -Name 'FeatureLockDown' -Force;
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Name 'bDisableJavaScript' -Value 1 -Force;
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Name 'bEnableFlash' -Value 1 -Force;

 
BCWHSendpoint 1.3: BCWHSmod8On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Name 'bDisableJavaScript' -Value 0;
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Name 'bEnableFlash' -Value 0;

BCWHSendpoint 1.3: BCWHSmod8Off
 

12) Disable Microsoft Defender Firewall notifications when programs are blocked for Domain/Public/Private profile

Set
New-Item -Path "HKLM:\Software\Policies\Microsoft" -Name 'WindowsFirewall' -Force;
New-Item -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall" -Name 'DomainProfile' -Force;
New-Item -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall" -Name 'PrivateProfile' -Force;
New-Item -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall" -Name 'PublicProfile' -Force;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name 'DisableNotifications' -Value 1 -Force;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" -Name 'DisableNotifications' -Value 1 -Force;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" -Name 'DisableNotifications' -Value 1 -Force;

 
BCWHSendpoint 1.3: BCWHSmod9On
 
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name 'DisableNotifications' -Value 0;
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" -Name 'DisableNotifications' -Value 0;
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" -Name 'DisableNotifications' -Value 0;

BCWHSendpoint 1.3: BCWHSmod9Off
 

13) Disable running or installing downloaded software with invalid signature

Set
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\" -Name 'Internet Explorer' -Force;
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer" -Name 'Download' -Force;
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Download\" -Name 'RunInvalidSignatures' -Value 0;

 
BCWHSendpoint 1.3: BCWHSmod10On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Download\" -Name 'RunInvalidSignatures' -Value 1;

BCWHSendpoint 1.3: BCWHSmod10Off
 

14) Disable sending unencrypted password to third-party SMB servers

Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" -Name "SealSecureChannel" -Value 1;

 
BCWHSendpoint 1.3: BCWHSmod42On
 
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" -Name "SealSecureChannel" -Value 0;

BCWHSendpoint 1.3: BCWHSmod42Off
 

15) Disable SMBv1 client driver

Set
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart;

 
BCWHSendpoint 1.3: BCWHSmod40On
 
Revert
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart;

BCWHSendpoint 1.3: BCWHSmod40Off
 

16) Disable SMBv1 server

Set
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force;

 
BCWHSendpoint 1.3: BCWHSmod41On
 
Revert
Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force;

BCWHSendpoint 1.3: BCWHSmod41Off
 

17) Disable the local storage of passwords and credentials

Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "DisableDomainCreds" -Value 1;

 
BCWHSendpoint 1.3: BCWHSmod31On
 
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "DisableDomainCreds" -Value 0;

BCWHSendpoint 1.3: BCWHSmod31Off
 

18) Disable WDigest Authentication

Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\" -Name "UseLogonCredential" -Value 0;

 
BCWHSendpoint 1.3: BCWHSmod43On
 
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\" -Name "UseLogonCredential" -Value 1;

BCWHSendpoint 1.3: BCWHSmod43Off
 

19) Enable 'Apply UAC restrictions to local accounts on network logons'

Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name 'LocalAccountTokenFilterPolicy' -Value 0;

 
BCWHSendpoint 1.3: BCWHSmod11On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name 'LocalAccountTokenFilterPolicy' -Value 1;

BCWHSendpoint 1.3: BCWHSmod11Off
 

20) Enable 'Block third party cookies'

Set
New-Item -Path "HKLM:\Software\Policies\Google\Chrome" -Force;
New-ItemProperty -Path "HKLM:\Software\Policies\Google\Chrome" -Name 'BlockThirdPartyCookies' -Value 1 -Force;

 
BCWHSendpoint 1.3: BCWHSmod12On
 
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Google\Chrome" -Name 'BlockThirdPartyCookies' -Value 0;

BCWHSendpoint 1.3: BCWHSmod12Off
 

21) Enable 'Microsoft network client: Digitally sign communications (always)'

Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name 'RequireSecuritySignature' -Value 1;

 
BCWHSendpoint 1.3: BCWHSmod13On
 
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name 'RequireSecuritySignature' -Value 0;

BCWHSendpoint 1.3: BCWHSmod13Off
 

22) Enable Domain member: Digitally encrypt or sign secure channel data (always)

Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" -Name "RequireSignOrSeal" -Value 1;

 
BCWHSendpoint 1.3: BCWHSmod45On
 
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" -Name "RequireSignOrSeal" -Value 0;

BCWHSendpoint 1.3: BCWHSmod45Off
 

23) Enable Domain member: Digitally sign secure channel data (when possible)

Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" -Name "SignSecureChannel" -Value 1;

 
BCWHSendpoint 1.3: BCWHSmod44On
 
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" -Name "SignSecureChannel" -Value 0;

BCWHSendpoint 1.3: BCWHSmod44Off
 

24) Enable Microsoft Defender Antivirus Email Scanning

Set
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name 'Scan' -Force;
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" -Name 'DisableEmailScanning' -Value 0;

 
BCWHSendpoint 1.3: BCWHSmod14On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" -Name 'DisableEmailScanning' -Value 1;

BCWHSendpoint 1.3: BCWHSmod14Off
 

25) Enable Network Protection

Set
Set-MpPreference -EnableNetworkProtection Enabled;

 
BCWHSendpoint 1.3: BCWHSmod38On
 
Revert
Set-MpPreference -EnableNetworkProtection Disabled;

BCWHSendpoint 1.3: BCWHSmod38Off
 

26) Enable Require domain users to elevate when setting a networks location

Set
New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows" -Name 'Network Connections' -Force;
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Network Connections\" -Name "NC_StdDomainUserSetLocation" -Value 1;

 
BCWHSendpoint 1.3: BCWHSmod32On
 
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Network Connections\" -Name "NC_StdDomainUserSetLocation" -Value 0;

BCWHSendpoint 1.3: BCWHSmod32Off
 

27) Enable Safe DLL Search Mode

Set
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager\" -Name "SafeDllSearchMode" -Value 1;

 
BCWHSendpoint 1.3: BCWHSmod37On
 
Revert
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager\" -Name "SafeDllSearchMode" -Value 0;

BCWHSendpoint 1.3: BCWHSmod37Off
 

28) Enable scanning of removable drives during a full scan

Set
New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name 'Scan' -Force;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender\Scan" -Name 'DisableRemovableDriveScanning' -Value 0 -Force;

 
BCWHSendpoint 1.3: BCWHSmod15On
 
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender\Scan" -Name 'DisableRemovableDriveScanning' -Value 1;

BCWHSendpoint 1.3: BCWHSmod15Off
 

29) Hide Option & Enable Automatic Updates

Set
New-Item -Path "HKLM:\SOFTWARE\policies\Microsoft\cloud\office\16.0\common\officeupdate" -Force;
Set-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\cloud\office\16.0\common\officeupdate" -Name 'enableautomaticupdates' -Value 1;
New-Item -Path "HKLM:\SOFTWARE\policies\Microsoft" -Name 'Office' -Force;
New-Item -Path "HKLM:\SOFTWARE\policies\Microsoft\Office" -Name '16.0' -Force;
New-Item -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0" -Name 'Common' -Force;
New-Item -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common" -Name 'Officeupdate' -Force;
New-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common\Officeupdate" -Name 'hideenabledisableupdates' -Value 1 -Force;
New-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common\Officeupdate" -Name 'enableautomaticupdates' -Value 1 -Force;

 
BCWHSendpoint 1.3: BCWHSmod16On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\cloud\office\16.0\common\officeupdate" -Name 'enableautomaticupdates' -Value 0;
Set-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common\Officeupdate" -Name 'hideenabledisableupdates' -Value 0;
Set-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common\Officeupdate" -Name 'enableautomaticupdates' -Value 0;

BCWHSendpoint 1.3: BCWHSmod16Off
 

30) Prohibit use of Internet Connection Sharing on your DNS domain network

Set
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows" -Name 'Network Connections' -Force;
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" -Name 'NC_ShowSharedAccessUI' -Value 0;

 
BCWHSendpoint 1.3: BCWHSmod17On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" -Name 'NC_ShowSharedAccessUI' -Value 1;

BCWHSendpoint 1.3: BCWHSmod17Off
 

31) Secure Microsoft Defender Firewall domain profile

Set
Set-NetFirewallProfile -Profile Domain -Enabled True;

 
BCWHSendpoint 1.3: BCWHSmod34On
 
Revert
Set-NetFirewallProfile -Profile Domain -Enabled False;

BCWHSendpoint 1.3: BCWHSmod34Off
 

32) Secure Microsoft Defender firewall private profile

Set
Set-NetFirewallProfile -Profile Private -Enabled True;

 
BCWHSendpoint 1.3: BCWHSmod36On
 
Revert
Set-NetFirewallProfile -Profile Private -Enabled False;

BCWHSendpoint 1.3: BCWHSmod36Off
 

33) Secure Microsoft Defender Firewall public profile

Set
Set-NetFirewallProfile -Profile Public -Enabled True;

 
BCWHSendpoint 1.3: BCWHSmod35On
 
Revert
Set-NetFirewallProfile -Profile Public -Enabled False;

BCWHSendpoint 1.3: BCWHSmod35Off
 

34) Set 'Account lockout duration' to 15 minutes or more

Set
net accounts /lockoutduration:15
 
BCWHSendpoint 1.3: BCWHSmod18On
 
Revert
BCWHSendpoint 1.3: BCWHSmod18Off
 

35) Set 'Account lockout threshold' to 1-10 invalid login attempts

Set
net accounts /lockoutthreshold:10
 
BCWHSendpoint 1.3: BCWHSmod19On
 
Revert
BCWHSendpoint 1.3: BCWHSmod19Off
 

36) Set 'Enforce Password History' to '24 or more password(s)'

Set
net accounts /uniquepw:24
 
BCWHSendpoint 1.3: BCWHSmod20On
 
Revert
BCWHSendpoint 1.3: BCWHSmod20Off
 

37) Set 'Interactive logon: Machine inactivity limit' to '1-900 seconds'

Set
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name 'InactivityTimeoutSecs' -PropertyType DWORD -Value 0x00000384 -Force
 
BCWHSendpoint 1.3: BCWHSmod21On
 
Revert
BCWHSendpoint 1.3: BCWHSmod21Off
 

38) Set 'Minimum Password Age' to '1 or more day(s)'

Set
net accounts /minpwage:1
 
BCWHSendpoint 1.3: BCWHSmod22On
 
Revert
BCWHSendpoint 1.3: BCWHSmod22Off
 

39) Set 'Reset account lockout counter after' to 15 minutes or more

Set
net accounts /lockoutwindow:15
 
BCWHSendpoint 1.3: BCWHSmod23On
 
Revert
BCWHSendpoint 1.3: BCWHSmod23Off
 

40) Set default behavior for 'AutoRun' to 'Enabled: Do not execute any autorun commands'

Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoAutorun' -Value 1;

 
BCWHSendpoint 1.3: BCWHSmod24On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoAutorun' -Value 0;

BCWHSendpoint 1.3: BCWHSmod24Off
 

41) Set IPV6 source routing to highest protection

Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\" -Name 'DisableIPSourceRouting' -Value 2;

 
BCWHSendpoint 1.3: BCWHSmod25On
 
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\" -Name 'DisableIPSourceRouting' -Value 0;

BCWHSendpoint 1.3: BCWHSmod25Off
 

42) Set LAN Manager authentication level to 'Send NTLMv2 response only. Refuse LM & NTLM'

Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" -Name 'LmCompatibilityLevel' -Value 5;

 
BCWHSendpoint 1.3: BCWHSmod26On
 
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" -Name 'LmCompatibilityLevel' -Value 3;

BCWHSendpoint 1.3: BCWHSmod26Off
 

43) Set User Account Control (UAC) to automatically deny elevation requests

Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name 'ConsentPromptBehaviorUser' -Value 0;

 
BCWHSendpoint 1.3: BCWHSmod27On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name 'ConsentPromptBehaviorUser' -Value 3;

BCWHSendpoint 1.3: BCWHSmod27Off
 

44) Set user authentication for remote connections by using Network Level Authentication to Enabled

Set
Set-NetworkLevelAuthentication -EnableNLA $true;

 
BCWHSendpoint 1.3: BCWHSmod29On
 
Revert
Set-NetworkLevelAuthentication -EnableNLA $false;

BCWHSendpoint 1.3: BCWHSmod29Off
 

45) Update Microsoft Defender Antivirus definitions

Set
Update-MpSignature;

 
BCWHSendpoint 1.3: BCWHSmod33On
 
Revert
BCWHSendpoint 1.3: BCWHSmod33Off
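An added, read-only audit helper (this example is not part of the BCWHSendpoint module or of the commands above): it reads the current value of a representative subset of the registry keys listed above and reports whether each one already matches the hardened value, holds some other value (drift), or has never been set. The `$Baseline` table and the two function names are this example's own; the SMBv1, SMB server and network protection items are queried through their own Get- cmdlets because they are not plain registry values.

```powershell
# Added example: audit the hardened values from this page without changing anything.
# Run from an elevated Windows PowerShell session; nothing here writes to the registry.

# Expected hardened values, copied from the "Set" commands above (item numbers match the page).
$Baseline = @(
    @{ Item = 1;  Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext';         Name = 'VersionCheckEnabled';           Expected = 1 }
    @{ Item = 2;  Path = 'HKLM:\Software\Policies\Microsoft\Windows\Explorer';                   Name = 'NoAutoplayfornonVolume';        Expected = 1 }
    @{ Item = 3;  Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';    Name = 'NoDriveTypeAutoRun';            Expected = 255 }
    @{ Item = 5;  Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI';      Name = 'EnumerateAdministrators';       Expected = 0 }
    @{ Item = 7;  Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name = 'RestrictAnonymous';             Expected = 1 }
    @{ Item = 8;  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'AllowInsecureGuestLogons';      Expected = 0 }
    @{ Item = 10; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';             Name = 'DisableIPSourceRouting';        Expected = 2 }
    @{ Item = 17; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name = 'DisableDomainCreds';            Expected = 1 }
    @{ Item = 18; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest';     Name = 'UseLogonCredential';            Expected = 0 }
    @{ Item = 19; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'LocalAccountTokenFilterPolicy'; Expected = 0 }
    @{ Item = 21; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature';      Expected = 1 }
    @{ Item = 27; Path = 'HKLM:\System\CurrentControlSet\Control\Session Manager';               Name = 'SafeDllSearchMode';             Expected = 1 }
    @{ Item = 37; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'InactivityTimeoutSecs';         Expected = 900 }
    @{ Item = 40; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';    Name = 'NoAutorun';                     Expected = 1 }
    @{ Item = 41; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters';            Name = 'DisableIPSourceRouting';        Expected = 2 }
    @{ Item = 42; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name = 'LmCompatibilityLevel';          Expected = 5 }
    @{ Item = 43; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'ConsentPromptBehaviorUser';     Expected = 0 }
)

function Test-BCWHSBaseline {
    [CmdletBinding()]
    param([object[]]$Checks = $Baseline)

    foreach ($c in $Checks) {
        # Get-ItemProperty errors when the key is missing; a missing key or value means the
        # policy was never configured, which is reported separately from a wrong value.
        $props  = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        $actual = if ($props -and $props.PSObject.Properties[$c.Name]) { $props.($c.Name) } else { $null }

        if ($null -eq $actual)           { $state = 'NotSet' }
        elseif ($actual -eq $c.Expected) { $state = 'Compliant' }
        else                             { $state = 'Drift' }

        [pscustomobject]@{
            Item = $c.Item; Name = $c.Name; Expected = $c.Expected; Actual = $actual; State = $state
        }
    }
}

# Items 15, 16 and 25 are not plain registry values; query them through the cmdlets that own them.
function Test-BCWHSFeatureState {
    [pscustomobject]@{ Item = 15; Name = 'SMB1Protocol (client feature)'; Expected = 'Disabled'
        Actual = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State }
    [pscustomobject]@{ Item = 16; Name = 'EnableSMB1Protocol (server)';   Expected = $false
        Actual = (Get-SmbServerConfiguration).EnableSMB1Protocol }
    [pscustomobject]@{ Item = 25; Name = 'EnableNetworkProtection';       Expected = 1
        Actual = (Get-MpPreference).EnableNetworkProtection }
}

# Usage: list only the items that still need attention, then the feature-level checks.
Test-BCWHSBaseline | Where-Object State -ne 'Compliant' | Format-Table -AutoSize
Test-BCWHSFeatureState | Format-Table -AutoSize
```

Run it once before BCWHSallOn to record the starting state and again afterwards; any item still reporting NotSet or Drift points at a command that failed or was overridden by Group Policy.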
 

Windows Incident Response

PowerShell for Incident Response. These commands are a good start and will help you Threat Hunt and with Incident Response.

PowerShell - BCWHSendpointIR 1.0

The install and use of the BCWHSendpointIR is pretty straight forward. Open Windows PowerShell with Administrative access and copy and paste the commands below. Each function is listed below with more information.

BCWHSendpointIR 1.0 Installation

Install-PackageProvider -Name NuGet -RequiredVersion 2.8.5.201 -Force;
Import-PackageProvider -Name NuGet -RequiredVersion 2.8.5.201;
 
Install-Module -Name BCWHSendpointIR -RequiredVersion 1.0 -Force;
Import-Module -Name BCWHSendpointIR -RequiredVersion 1.0;

The module can be found at PowerShell Gallery

1) Check BitLocker Status

manage-bde -status
 
manage-bde turns BitLocker on or off, specifies unlock mechanisms, updates recovery methods, and unlocks BitLocker-protected data drives; with -status it reports the protection state of every volume.
 
BCWHSendpointIR 1.0: BCWHScheckIRBLStatus
 

2) Check BitLocker Volume

Get-BitLockerVolume
 
Gets information about volumes that BitLocker can protect.
 
BCWHSendpointIR 1.0: BCWHScheckIRBLVolume
 

3) Check for malicious process

Get-Process | Sort-Object -Descending WS
 
The Get-Process cmdlet lists the currently running processes; sorting by working set (WS) puts the largest memory consumers at the top.
 
BCWHSendpointIR 1.0: BCWHScheckIRProcess
 

4) List Application Event Log Data

Get-EventLog -logName "Application" -newest 500 | Select MachineName,TimeGenerated,EntryType,Source,Message
 
The Application log is one of the logs under the "Windows Logs" section of Event Viewer.
 
BCWHSendpointIR 1.0: BCWHScheckIRAppLogs
 

5) List Logged In Users

Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object Name, UserName
 
Gets the CIM instances of a class from a CIM server; the UserName property of Win32_ComputerSystem is the interactively logged-on user.
 
BCWHSendpointIR 1.0: BCWHScheckIRUsers
 

6) List of Recently Installed Software (Events)

Get-WinEvent -ProviderName msiinstaller | where id -eq 1033 | select timecreated,message | FL *
 
Gets events from event logs and event tracing log files on local and remote computers.
 
BCWHSendpointIR 1.0: BCWHScheckIRSoftware
 

7) List performance data

Get-Counter
 
The Get-Counter cmdlet gets performance counter data directly from the performance monitoring instrumentation in the Windows family of operating systems. Get-Counter gets performance data from a local computer or remote computers.
 
BCWHSendpointIR 1.0: BCWHScheckIRCounter
 

8) List Scheduled Tasks

Get-ScheduledTask
 
The Get-ScheduledTask cmdlet gets the task definition object of a scheduled task that is registered on a computer.
 
BCWHSendpointIR 1.0: BCWHScheckIRTasks
 

9) List Security Event Log Data

Get-EventLog -logName "Security" -newest 500 | Select MachineName,TimeGenerated,EntryType,Source,Message
 
The Security log is one of the logs under the "Windows Logs" section of Event Viewer.
 
BCWHSendpointIR 1.0: BCWHScheckIRSecurityLogs
 

10) List Services

Get-Service | Select-Object Name, DisplayName, Status, StartType
 
The Get-Service cmdlet gets objects that represent the services on a computer, including running and stopped services. By default, when Get-Service is run without parameters, all the local computer's services are returned.
 
BCWHSendpointIR 1.0: BCWHScheckIRServices
 

11) List System Event Log Data

Get-EventLog -logName "System" -newest 500 | Select MachineName,TimeGenerated,EntryType,Source,Message
 
The System log is one of the logs under the "Windows Logs" section of Event Viewer.
 
BCWHSendpointIR 1.0: BCWHScheckIRSystemLogs
 

12) List Users (Administrators)

Get-LocalGroupMember Administrators
 
The Get-LocalGroupMember cmdlet gets members from a local group.
 
BCWHSendpointIR 1.0: BCWHScheckIRListUsers
 

13) Network Activity

Get-NetTCPConnection | Select-Object creationtime, localaddress, localport, RemoteAddress, Remoteport
 
The Get-NetTCPConnection cmdlet gets current TCP connections. Use this cmdlet to view TCP connection properties such as local or remote IP address, local or remote port, and connection state.
 
BCWHSendpointIR 1.0: BCWHScheckIRNetwork
 

14) Terminate malicious process

Get-Process "process" | Stop-Process
 
Stop-Process can be used to terminate processes based on process name or process ID (PID).
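Two added triage helpers that build on the commands above (this example is not part of the BCWHSendpointIR module): Get-ConnectionsWithProcess joins Get-NetTCPConnection to Get-Process so that each remote connection is tied to the program that owns it, and Get-FailedLogonSummary counts Security event 4625 (failed logon) by account and source address. Both function names and their parameters are this example's own.

```powershell
# Added example: two incident-response helpers built on the cmdlets listed above.
# Run from an elevated Windows PowerShell session.

function Get-ConnectionsWithProcess {
    param([string[]]$State = @('Established', 'Listen'))

    # Snapshot the process table once; OwningProcess on each connection is the PID.
    $procs = @{}
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State $State -ErrorAction SilentlyContinue |
        Where-Object { $_.State -eq 'Listen' -or $_.RemoteAddress -notin '0.0.0.0', '::', '127.0.0.1', '::1' } |
        ForEach-Object {
            $p = $procs[[int]$_.OwningProcess]
            [pscustomobject]@{
                Process = if ($p) { $p.ProcessName } else { '<exited>' }
                PID     = $_.OwningProcess
                Path    = if ($p) { $p.Path } else { $null }   # $null for protected/system processes
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                State   = $_.State
                Created = $_.CreationTime
            }
        } | Sort-Object Process, Remote
}

function Get-FailedLogonSummary {
    param([int]$Hours = 24, [int]$MaxEvents = 5000)

    # 4625 = "An account failed to log on". Fields are read from the event XML so the
    # function does not depend on the localized Message text.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Account   = $data['TargetUserName']
            Source    = $data['IpAddress']
            LogonType = $data['LogonType']
            Status    = $data['Status']
        }
    } | Group-Object Account, Source, LogonType |
        ForEach-Object {
            [pscustomobject]@{
                Count     = $_.Count
                Account   = $_.Group[0].Account
                Source    = $_.Group[0].Source
                LogonType = $_.Group[0].LogonType
            }
        } | Sort-Object Count -Descending
}

# Usage
Get-ConnectionsWithProcess | Format-Table -AutoSize
Get-FailedLogonSummary -Hours 24 | Select-Object -First 20 | Format-Table -AutoSize
```

A high Count for one account from one source, or many accounts from the same source, is the pattern to investigate first; LogonType 3 (network) and 10 (remote interactive) indicate attempts arriving over the network rather than at the console.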
 

© 2024 Black Cat White Hat Security L.L.C. - All rights reserved. - Application Version: 4D.65.6F.77