PowerShell for Endpoint Security. These commands close a number of endpoint gaps flagged by Microsoft Secure Score and other Windows security products. You can download them all using BCWHSendpoint 1.3.
PowerShell - BCWHSendpoint 1.3
Installing and using BCWHSendpoint is straightforward.
Open Windows PowerShell with Administrative access and copy and paste the commands below.
Each function is listed below with more information.
BCWHSendpoint 1.3 Installation
Install-PackageProvider -Name NuGet -RequiredVersion 2.8.5.201 -Force;
Import-PackageProvider -Name NuGet -RequiredVersion 2.8.5.201;
Install-Module -Name BCWHSendpoint -RequiredVersion 1.3 -Force;
Import-Module -Name BCWHSendpoint -RequiredVersion 1.3;
The module can be found at PowerShell Gallery
Most of these controls are low impact and shouldn't disrupt your workflow; however, caution is advised depending on your setup.
To enable all modules: BCWHSallOn
To revert all modules: BCWHSallOff
1) Block outdated ActiveX controls for Internet Explorer
Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext" -Name 'VersionCheckEnabled' -Value 1;
BCWHSendpoint 1.3: BCWHSmod1On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext" -Name 'VersionCheckEnabled' -Value 0;
BCWHSendpoint 1.3: BCWHSmod1Off
2) Disable 'Autoplay for non-volume devices'
Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoAutoplayfornonVolume' -Value 1;
New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows" -Name 'Explorer' -Force;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Explorer" -Name 'NoAutoplayfornonVolume' -Value 1;
BCWHSendpoint 1.3: BCWHSmod2On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoAutoplayfornonVolume' -Value 0;
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Explorer" -Name 'NoAutoplayfornonVolume' -Value 0;
BCWHSendpoint 1.3: BCWHSmod2Off
3) Disable 'Autoplay' for all drives
Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoDriveTypeAutoRun' -Value 255;
BCWHSendpoint 1.3: BCWHSmod3On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoDriveTypeAutoRun' -Value 0;
BCWHSendpoint 1.3: BCWHSmod3Off
4) Disable 'Continue running background apps when Google Chrome is closed'
Set
New-Item -Path "HKLM:\Software\Policies" -Name 'Google' -Force;
New-Item -Path "HKLM:\Software\Policies\Google" -Name 'Chrome' -Force;
New-ItemProperty -Path "HKLM:\Software\Policies\Google\Chrome" -Name 'BackgroundModeEnabled' -Value 0;
BCWHSendpoint 1.3: BCWHSmod4On
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Google\Chrome" -Name 'BackgroundModeEnabled' -Value 1;
BCWHSendpoint 1.3: BCWHSmod4Off
5) Disable 'Enumerate administrator accounts on elevation'
Set
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies" -Name 'CredUI' -Force;
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" -Name 'EnumerateAdministrators' -Value 0;
BCWHSendpoint 1.3: BCWHSmod5On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" -Name 'EnumerateAdministrators' -Value 1;
BCWHSendpoint 1.3: BCWHSmod5Off
6) Disable 'Password Manager'
Set
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge" -Force;
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge" -Name "PasswordManagerEnabled" -Value 0;
BCWHSendpoint 1.3: BCWHSmod28On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge" -Name "PasswordManagerEnabled" -Value 1;
BCWHSendpoint 1.3: BCWHSmod28Off
7) Disable Anonymous enumeration of shares
Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name 'RestrictAnonymous' -Value 1;
BCWHSendpoint 1.3: BCWHSmod6On
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name 'RestrictAnonymous' -Value 0;
BCWHSendpoint 1.3: BCWHSmod6Off
8) Disable Insecure guest logons in SMB
Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\" -Name "AllowInsecureGuestLogons" -Value 0;
BCWHSendpoint 1.3: BCWHSmod39On
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\" -Name "AllowInsecureGuestLogons" -Value 1;
BCWHSendpoint 1.3: BCWHSmod39Off
9) Disable Installation and configuration of Network Bridge on your DNS domain network
Set
New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows\Network Connections" -Force;
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Network Connections" -Name "NC_AllowNetBridge_NLA" -Value 0;
BCWHSendpoint 1.3: BCWHSmod30On
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Network Connections\" -Name "NC_AllowNetBridge_NLA" -Value 1;
BCWHSendpoint 1.3: BCWHSmod30Off
10) Disable IP Source routing
Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\" -Name 'DisableIPSourceRouting' -Value 2;
BCWHSendpoint 1.3: BCWHSmod7On
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\" -Name 'DisableIPSourceRouting' -Value 0;
BCWHSendpoint 1.3: BCWHSmod7Off
11) Disable JavaScript/Flash on Adobe Reader DC
Set
New-Item -Path "HKLM:\SOFTWARE\Policies\Adobe\" -Name 'Acrobat Reader' -Force;
New-Item -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader" -Name 'DC' -Force;
New-Item -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC" -Name 'FeatureLockDown' -Force;
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Name 'bDisableJavaScript' -Value 1;
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Name 'bEnableFlash' -Value 1;
BCWHSendpoint 1.3: BCWHSmod8On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Name 'bDisableJavaScript' -Value 0;
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Name 'bEnableFlash' -Value 0;
BCWHSendpoint 1.3: BCWHSmod8Off
12) Disable Microsoft Defender Firewall notifications when programs are blocked for Domain/Public/Private profile
Set
New-Item -Path "HKLM:\Software\Policies\Microsoft" -Name 'WindowsFirewall' -Force;
New-Item -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall" -Name 'DomainProfile' -Force;
New-Item -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall" -Name 'PrivateProfile' -Force;
New-Item -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall" -Name 'PublicProfile' -Force;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name 'DisableNotifications' -Value 1;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" -Name 'DisableNotifications' -Value 1;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" -Name 'DisableNotifications' -Value 1;
BCWHSendpoint 1.3: BCWHSmod9On
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name 'DisableNotifications' -Value 0;
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" -Name 'DisableNotifications' -Value 0;
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" -Name 'DisableNotifications' -Value 0;
BCWHSendpoint 1.3: BCWHSmod9Off
13) Disable running or installing downloaded software with invalid signature
Set
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\" -Name 'Internet Explorer' -Force;
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer" -Name 'Download' -Force;
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Download\" -Name 'RunInvalidSignatures' -Value 0;
BCWHSendpoint 1.3: BCWHSmod10On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Download\" -Name 'RunInvalidSignatures' -Value 1;
BCWHSendpoint 1.3: BCWHSmod10Off
14) Disable sending unencrypted password to third-party SMB servers
Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" -Name "SealSecureChannel" -Value 1;
BCWHSendpoint 1.3: BCWHSmod42On
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" -Name "SealSecureChannel" -Value 0;
BCWHSendpoint 1.3: BCWHSmod42Off
15) Disable SMBv1 client driver
Set
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart;
BCWHSendpoint 1.3: BCWHSmod40On
Revert
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart;
BCWHSendpoint 1.3: BCWHSmod40Off
16) Disable SMBv1 server
Set
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force;
BCWHSendpoint 1.3: BCWHSmod41On
Revert
Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force;
BCWHSendpoint 1.3: BCWHSmod41Off
17) Disable the local storage of passwords and credentials
Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "DisableDomainCreds" -Value 1;
BCWHSendpoint 1.3: BCWHSmod31On
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "DisableDomainCreds" -Value 0;
BCWHSendpoint 1.3: BCWHSmod31Off
18) Disable WDigest Authentication
Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\" -Name "UseLogonCredential" -Value 0;
BCWHSendpoint 1.3: BCWHSmod43On
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\" -Name "UseLogonCredential" -Value 1;
BCWHSendpoint 1.3: BCWHSmod43Off
19) Enable 'Apply UAC restrictions to local accounts on network logons'
Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name 'LocalAccountTokenFilterPolicy' -Value 0;
BCWHSendpoint 1.3: BCWHSmod11On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name 'LocalAccountTokenFilterPolicy' -Value 1;
BCWHSendpoint 1.3: BCWHSmod11Off
20) Enable 'Block third party cookies'
Set
New-ItemProperty -Path "HKLM:\Software\Policies\Google\Chrome" -Name 'BlockThirdPartyCookies' -Value 1;
BCWHSendpoint 1.3: BCWHSmod12On
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Google\Chrome" -Name 'BlockThirdPartyCookies' -Value 0;
BCWHSendpoint 1.3: BCWHSmod12Off
21) Enable 'Microsoft network client: Digitally sign communications (always)'
Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name 'RequireSecuritySignature' -Value 1;
BCWHSendpoint 1.3: BCWHSmod13On
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name 'RequireSecuritySignature' -Value 0;
BCWHSendpoint 1.3: BCWHSmod13Off
22) Enable Domain member: Digitally encrypt or sign secure channel data (always)
Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" -Name "RequireSignOrSeal" -Value 1;
BCWHSendpoint 1.3: BCWHSmod45On
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" -Name "RequireSignOrSeal" -Value 0;
BCWHSendpoint 1.3: BCWHSmod45Off
23) Enable Domain member: Digitally sign secure channel data (when possible)
Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" -Name "SignSecureChannel" -Value 1;
BCWHSendpoint 1.3: BCWHSmod44On
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\" -Name "SignSecureChannel" -Value 0;
BCWHSendpoint 1.3: BCWHSmod44Off
24) Enable Microsoft Defender Antivirus Email Scanning
Set
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" -Force;
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" -Name 'DisableEmailScanning' -Value 0;
BCWHSendpoint 1.3: BCWHSmod14On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" -Name 'DisableEmailScanning' -Value 1;
BCWHSendpoint 1.3: BCWHSmod14Off
25) Enable Network Protection
Set
Set-MpPreference -EnableNetworkProtection Enabled;
BCWHSendpoint 1.3: BCWHSmod38On
Revert
Set-MpPreference -EnableNetworkProtection Disabled;
BCWHSendpoint 1.3: BCWHSmod38Off
26) Enable Require domain users to elevate when setting a networks location
Set
New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows\Network Connections" -Force;
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Network Connections" -Name "NC_StdDomainUserSetLocation" -Value 1;
BCWHSendpoint 1.3: BCWHSmod32On
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Network Connections\" -Name "NC_StdDomainUserSetLocation" -Value 0;
BCWHSendpoint 1.3: BCWHSmod32Off
27) Enable Safe DLL Search Mode
Set
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager\" -Name "SafeDllSearchMode" -Value 1;
BCWHSendpoint 1.3: BCWHSmod37On
Revert
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager\" -Name "SafeDllSearchMode" -Value 0;
BCWHSendpoint 1.3: BCWHSmod37Off
28) Enable scanning of removable drives during a full scan
Set
New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name 'Scan' -Force;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender\Scan" -Name 'DisableRemovableDriveScanning' -Value 0;
BCWHSendpoint 1.3: BCWHSmod15On
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender\Scan" -Name 'DisableRemovableDriveScanning' -Value 1;
BCWHSendpoint 1.3: BCWHSmod15Off
29) Hide Option & Enable Automatic Updates
Set
New-Item -Path "HKLM:\SOFTWARE\policies\Microsoft\cloud\office\16.0\common\officeupdate" -Force;
Set-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\cloud\office\16.0\common\officeupdate" -Name 'enableautomaticupdates' -Value 1;
New-Item -Path "HKLM:\SOFTWARE\policies\Microsoft" -Name 'Office' -Force;
New-Item -Path "HKLM:\SOFTWARE\policies\Microsoft\Office" -Name '16.0' -Force;
New-Item -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0" -Name 'Common' -Force;
New-Item -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common" -Name 'Officeupdate' -Force;
New-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common\Officeupdate" -Name 'hideenabledisableupdates' -Value 1;
New-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common\Officeupdate" -Name 'enableautomaticupdates' -Value 1;
BCWHSendpoint 1.3: BCWHSmod16On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\cloud\office\16.0\common\officeupdate" -Name 'enableautomaticupdates' -Value 0;
Set-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common\Officeupdate" -Name 'hideenabledisableupdates' -Value 0;
Set-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common\Officeupdate" -Name 'enableautomaticupdates' -Value 0;
BCWHSendpoint 1.3: BCWHSmod16Off
30) Prohibit use of Internet Connection Sharing on your DNS domain network
Set
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" -Force;
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" -Name 'NC_ShowSharedAccessUI' -Value 0;
BCWHSendpoint 1.3: BCWHSmod17On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" -Name 'NC_ShowSharedAccessUI' -Value 1;
BCWHSendpoint 1.3: BCWHSmod17Off
31) Secure Microsoft Defender Firewall domain profile
Set
Set-NetFirewallProfile -Profile Domain -Enabled True;
BCWHSendpoint 1.3: BCWHSmod34On
Revert
Set-NetFirewallProfile -Profile Domain -Enabled False;
BCWHSendpoint 1.3: BCWHSmod34Off
32) Secure Microsoft Defender firewall private profile
Set
Set-NetFirewallProfile -Profile Private -Enabled True;
BCWHSendpoint 1.3: BCWHSmod36On
Revert
Set-NetFirewallProfile -Profile Private -Enabled False;
BCWHSendpoint 1.3: BCWHSmod36Off
33) Secure Microsoft Defender Firewall public profile
Set
Set-NetFirewallProfile -Profile Public -Enabled True;
BCWHSendpoint 1.3: BCWHSmod35On
Revert
Set-NetFirewallProfile -Profile Public -Enabled False;
BCWHSendpoint 1.3: BCWHSmod35Off
34) Set 'Account lockout duration' to 15 minutes or more
Set
net accounts /lockoutduration:15
BCWHSendpoint 1.3: BCWHSmod18On
Revert
BCWHSendpoint 1.3: BCWHSmod18Off
35) Set 'Account lockout threshold' to 1-10 invalid login attempts
Set
net accounts /lockoutthreshold:10
BCWHSendpoint 1.3: BCWHSmod19On
Revert
BCWHSendpoint 1.3: BCWHSmod19Off
36) Set 'Enforce Password History' to '24 or more password(s)'
Set
net accounts /uniquepw:24
BCWHSendpoint 1.3: BCWHSmod20On
Revert
BCWHSendpoint 1.3: BCWHSmod20Off
37) Set 'Interactive logon: Machine inactivity limit' to '1-900 seconds'
Set
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name 'InactivityTimeoutSecs' -PropertyType DWORD -Value 0x00000384 -Force;
BCWHSendpoint 1.3: BCWHSmod21On
Revert
BCWHSendpoint 1.3: BCWHSmod21Off
38) set 'Minimum Password Age' to '1 or more day(s)'
Set
net accounts /minpwage:1
BCWHSendpoint 1.3: BCWHSmod22On
Revert
BCWHSendpoint 1.3: BCWHSmod22Off
39) Set 'Reset account lockout counter after' to 15 minutes or more
Set
net accounts /lockoutwindow:15
BCWHSendpoint 1.3: BCWHSmod23On
Revert
BCWHSendpoint 1.3: BCWHSmod23Off
40) Set default behavior for 'AutoRun' to 'Enabled: Do not execute any autorun commands'
Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoAutorun' -Value 1;
BCWHSendpoint 1.3: BCWHSmod24On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoAutorun' -Value 0;
BCWHSendpoint 1.3: BCWHSmod24Off
41) Set IPV6 source routing to highest protection
Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\" -Name 'DisableIPSourceRouting' -Value 2;
BCWHSendpoint 1.3: BCWHSmod25On
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\" -Name 'DisableIPSourceRouting' -Value 0;
BCWHSendpoint 1.3: BCWHSmod25Off
42) Set LAN Manager authentication level to 'Send NTLMv2 response only. Refuse LM & NTLM'
Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" -Name 'LmCompatibilityLevel' -Value 5;
BCWHSendpoint 1.3: BCWHSmod26On
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" -Name 'LmCompatibilityLevel' -Value 3;
BCWHSendpoint 1.3: BCWHSmod26Off
43) Set User Account Control (UAC) to automatically deny elevation requests
Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name 'ConsentPromptBehaviorUser' -Value 0;
BCWHSendpoint 1.3: BCWHSmod27On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name 'ConsentPromptBehaviorUser' -Value 3;
BCWHSendpoint 1.3: BCWHSmod27Off
44) Set user authentication for remote connections by using Network Level Authentication to Enabled
Set
Set-NetworkLevelAuthentication -EnableNLA $true;
BCWHSendpoint 1.3: BCWHSmod29On
Revert
Set-NetworkLevelAuthentication -EnableNLA $false;
BCWHSendpoint 1.3: BCWHSmod29Off
45) Update Microsoft Defender Antivirus definitions
Set
Update-MpSignature;
BCWHSendpoint 1.3: BCWHSmod33On
Revert
BCWHSendpoint 1.3: BCWHSmod33Off
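The "Revert" lines above write fixed values (for example LmCompatibilityLevel 3) that may not be what the host originally had. The following is an added example, not part of BCWHSendpoint, that snapshots a subset of the registry values this page changes before they are applied, audits the host against the "Set" values, and restores the recorded originals; it assumes an elevated PowerShell 5.1 or newer session, and the backup path is a placeholder.

```powershell
# Added example, not part of BCWHSendpoint: snapshot the values this page
# changes before applying them, then audit the host against the "Set" values.
# Assumes an elevated PowerShell 5.1+ session; $BackupPath is a placeholder.

# Subset of the page's registry controls: key, value name, hardened value.
$Baseline = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Expected = 255 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoAutorun'; Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'LocalAccountTokenFilterPolicy'; Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'ConsentPromptBehaviorUser'; Expected = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous'; Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel'; Expected = 5 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'DisableDomainCreds'; Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest'; Name = 'UseLogonCredential'; Expected = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'AllowInsecureGuestLogons'; Expected = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature'; Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'DisableIPSourceRouting'; Expected = 2 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'; Name = 'DisableIPSourceRouting'; Expected = 2 }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or the value does not exist, which is itself a finding.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Backup-Baseline {
    param([Parameter(Mandatory)][string]$BackupPath)
    # Record what the host has now, so a revert restores the real original value.
    $snapshot = foreach ($c in $Baseline) {
        [pscustomobject]@{ Path = $c.Path; Name = $c.Name; Value = (Get-RegValue $c.Path $c.Name) }
    }
    $snapshot | ConvertTo-Json | Set-Content -Path $BackupPath -Encoding UTF8
    return $snapshot
}

function Test-Baseline {
    # One row per control; Compliant is $true only on an exact match.
    foreach ($c in $Baseline) {
        $current = Get-RegValue $c.Path $c.Name
        $ok = ($null -ne $current) -and ([int]$current -eq $c.Expected)
        [pscustomobject]@{
            Name = $c.Name; Path = $c.Path; Expected = $c.Expected
            Current = if ($null -eq $current) { '<absent>' } else { $current }
            Compliant = $ok
        }
    }
}

function Restore-Baseline {
    param([Parameter(Mandatory)][string]$BackupPath)
    # Write back exactly what was recorded; values that were absent are removed again.
    foreach ($s in (Get-Content -Path $BackupPath -Raw | ConvertFrom-Json)) {
        if ($null -eq $s.Value) {
            Remove-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value ([int]$s.Value)
        }
    }
}

# Typical order (placeholder path):
#   Backup-Baseline -BackupPath 'C:\Temp\bcwhs-before.json'
#   ... run the "Set" lines or BCWHSallOn ...
#   Test-Baseline | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run Test-Baseline again after BCWHSallOff or Restore-Baseline to confirm which values actually changed back.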
Windows Incident Response
PowerShell for Incident Response. These commands are a good start and will help you Threat Hunt and with Incident Response.
PowerShell - BCWHSendpointIR 1.0
Installing and using BCWHSendpointIR is straightforward.
Open Windows PowerShell with Administrative access and copy and paste the commands below.
Each function is listed below with more information.
BCWHSendpointIR 1.0 Installation
Install-PackageProvider -Name NuGet -RequiredVersion 2.8.5.201 -Force;
Import-PackageProvider -Name NuGet -RequiredVersion 2.8.5.201;
Install-Module -Name BCWHSendpointIR -RequiredVersion 1.0 -Force;
Import-Module -Name BCWHSendpointIR -RequiredVersion 1.0;
The module can be found at PowerShell Gallery
1) Check BitLocker Status
manage-bde -status
Turns on or turns off BitLocker, specifies unlock mechanisms, updates recovery methods, and unlocks BitLocker-protected data drives.
BCWHSendpointIR 1.0: BCWHScheckIRBLStatus
2) Check BitLocker Volume
Get-BitLockerVolume
Gets information about volumes that BitLocker can protect.
BCWHSendpointIR 1.0: BCWHScheckIRBLVolume
3) Check for malicious process
Get-Process | Sort-Object -Descending WS
The Get-Process cmdlet returns the processes currently running on the computer; sorting by working set (WS) puts the largest ones first.
BCWHSendpointIR 1.0: BCWHScheckIRProcess
4) List Application Event Log Data
Get-EventLog -logName "Application" -newest 500 | Select MachineName,TimeGenerated,EntryType,Source,Message
The "Windows Logs" section contains (of note) the Application logs
BCWHSendpointIR 1.0: BCWHScheckIRAppLogs
5) List Logged In Users
Get-CimInstance -ClassName Win32_ComputerSystem
Gets the CIM instances of a class from a CIM server.
BCWHSendpointIR 1.0: BCWHScheckIRUsers
6) List of Recently Installed Software (Events)
Get-WinEvent -ProviderName msiinstaller | where id -eq 1033 | select timecreated,message | FL *
Gets events from event logs and event tracing log files on local and remote computers.
BCWHSendpointIR 1.0: BCWHScheckIRSoftware
7) List performance data
Get-Counter
The Get-Counter cmdlet gets performance counter data directly from the performance monitoring instrumentation in the Windows family of operating systems. Get-Counter gets performance data from a local computer or remote computers.
BCWHSendpointIR 1.0: BCWHScheckIRCounter
8) List Scheduled Tasks
Get-ScheduledTask
The Get-ScheduledTask cmdlet gets the task definition object of a scheduled task that is registered on a computer.
BCWHSendpointIR 1.0: BCWHScheckIRTasks
9) List Security Event Log Data
Get-EventLog -logName "Security" -newest 500 | Select MachineName,TimeGenerated,EntryType,Source,Message
The "Windows Logs" section contains (of note) the Security logs
BCWHSendpointIR 1.0: BCWHScheckIRSecurityLogs
10) List Services
Get-Service | Select-Object Name, DisplayName, Status, StartType
The Get-Service cmdlet gets objects that represent the services on a computer, including running and stopped services. By default, when Get-Service is run without parameters, all the local computer's services are returned.
BCWHSendpointIR 1.0: BCWHScheckIRServices
11) List System Event Log Data
Get-EventLog -logName "System" -newest 500 | Select MachineName,TimeGenerated,EntryType,Source,Message
The "Windows Logs" section contains (of note) the System logs
BCWHSendpointIR 1.0: BCWHScheckIRSystemLogs
12) List Users (Administrators)
Get-LocalGroupMember Administrators
The Get-LocalGroupMember cmdlet gets members from a local group.
BCWHSendpointIR 1.0: BCWHScheckIRListUsers
13) Network Activity
Get-NetTCPConnection | Select-Object creationtime, localaddress, localport, RemoteAddress, Remoteport
The Get-NetTCPConnection cmdlet gets current TCP connections. Use this cmdlet to view TCP connection properties such as local or remote IP address, local or remote port, and connection state.
BCWHSendpointIR 1.0: BCWHScheckIRNetwork
14) Terminate malicious process
Get-Process "process" | Stop-Process
Stop-Process can be used to terminate processes based on process name or process ID (PID).
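The checks above are run one at a time and their output is only shown on screen. The following is an added example, not part of BCWHSendpointIR, that collects the same artifacts into one timestamped folder, joins each TCP connection to the process that owns it, summarises Security log logon events (4624/4625) per account, and hashes the output files so the collection can be verified later. It assumes an elevated PowerShell 5.1 or newer session on Windows 10 / Server 2016 or later; the output root is a placeholder.

```powershell
# Added example, not part of BCWHSendpointIR: gather the page's IR artifacts
# into one folder, enrich TCP connections with the owning process, and hash
# every output file. Assumes an elevated PowerShell 5.1+ session; $Root is a
# placeholder output location.
function Invoke-Triage {
    param([string]$Root = "$env:SystemDrive\IR")   # PLACEHOLDER output root
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $outDir = Join-Path $Root "$env:COMPUTERNAME-$stamp"
    New-Item -Path $outDir -ItemType Directory -Force | Out-Null

    # Processes with image path, command line and parent PID.
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
        Export-Csv (Join-Path $outDir 'processes.csv') -NoTypeInformation

    # TCP connections joined to the process that owns the socket.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
    Get-NetTCPConnection | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            CreationTime  = $_.CreationTime
            LocalAddress  = $_.LocalAddress;  LocalPort  = $_.LocalPort
            RemoteAddress = $_.RemoteAddress; RemotePort = $_.RemotePort
            State         = $_.State
            Pid           = $_.OwningProcess
            Process       = if ($p) { $p.ProcessName } else { '<exited>' }
            Path          = if ($p) { $p.Path } else { $null }
        }
    } | Export-Csv (Join-Path $outDir 'tcp.csv') -NoTypeInformation

    Get-Service | Select-Object Name, DisplayName, Status, StartType |
        Export-Csv (Join-Path $outDir 'services.csv') -NoTypeInformation
    Get-ScheduledTask | Select-Object TaskName, TaskPath, State, Author |
        Export-Csv (Join-Path $outDir 'tasks.csv') -NoTypeInformation
    Get-LocalGroupMember Administrators | Select-Object Name, PrincipalSource, ObjectClass |
        Export-Csv (Join-Path $outDir 'admins.csv') -NoTypeInformation

    # Logon successes (4624) and failures (4625) from the last 24 hours, counted
    # per account, so a burst of failures against one name stands out.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Id = $_.Id; Account = $d['TargetUserName']; LogonType = $d['LogonType']; Source = $d['IpAddress'] }
        } | Group-Object Id, Account | Sort-Object Count -Descending |
        Select-Object Count, Name | Export-Csv (Join-Path $outDir 'logons.csv') -NoTypeInformation

    # Hash the collection so the evidence can be checked for alteration later.
    Get-ChildItem $outDir -File | Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path | Export-Csv (Join-Path $outDir 'manifest.csv') -NoTypeInformation
    return $outDir
}
```

Review tcp.csv for connections whose owning process has exited or has no image path before deciding which process, if any, to stop with the command above.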