Set logging on all success/failure events
(WARNING THIS WILL PRODUCE A LOT OF NOISE, TAILOR TO YOUR NEEDS)
auditpol /set /category:* /success:enable /failure:enable
Enable logging of process creation
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
Enable logging of non-Windows module loads via WDAC code integrity
Note 1: Special thanks to Matt Graeber for this.
Note 2: This is based on a Windows Defender Application Control system integrity policy converted on an enterprise system.
On an enterprise system, enable it by creating a module load audit policy: https://twitter.com/mattifestation/status/1366435525272481799
ConvertFrom-CIPolicy Non_Microsoft_UserMode_Load_Audit.xml C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
Store the converted policy on the Win10 system to be monitored at: C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
Kill “Unstoppable” Service/Process
reg add HKLM\SYSTEM\CurrentControlSet\Services\{SERVICENAME} /v Start /t REG_DWORD /d 4 /f
sc.exe sdset {SERVICENAME} "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Get-Service -Name {SERVICENAME} | Set-Service -Status Paused
sc.exe config {SERVICENAME} start= disabled
Get-Service -Name {SERVICENAME} | Set-Service -Status Stopped
tasklist /FI "IMAGENAME eq {SERVICEEXENAME}"
taskkill /F /t /IM "{SERVICEEXENAME}"
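The steps above combined into one function that runs them in order and verifies the result, as an added PowerShell example (not the cheat sheet's own code). The service name is a parameter, the SDDL string is the one from the section above, and it assumes an elevated Windows PowerShell session. The host process is stopped by the PID the SCM reported rather than by image name, so a legitimate process with the same image name is left alone.

```powershell
# Added example: stop a service that resists the normal stop request.
# Assumes an elevated session; $Name is the service's short (registry) name.
function Stop-StubbornService {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name
    )

    $svc = Get-Service -Name $Name -ErrorAction Stop
    # Record the host PID before we touch anything; it is gone once the service stops.
    $pidBefore = (Get-CimInstance Win32_Service -Filter "Name='$Name'").ProcessId

    # 1. Mark the service Disabled (Start = 4) so nothing can restart it afterwards.
    if ($PSCmdlet.ShouldProcess($Name, 'Set Start=4 (Disabled)')) {
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -Name Start -Value 4 -Type DWord
    }

    # 2. Put a standard DACL back on the service object so SYSTEM / Administrators
    #    regain the stop, delete and change-config rights an attacker may have removed.
    $sddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
    if ($PSCmdlet.ShouldProcess($Name, 'Reset service security descriptor')) {
        & sc.exe sdset $Name $sddl | Out-Null
    }

    # 3. Ask the SCM to stop it (-Force also stops dependents) and wait briefly.
    if ($PSCmdlet.ShouldProcess($Name, 'Stop-Service -Force')) {
        Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
        try { $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(15)) } catch { }
    }

    # 4. If the host process ignored the stop request, terminate it by PID.
    $svc.Refresh()
    if ($svc.Status -ne 'Stopped' -and $pidBefore -gt 0) {
        if ($PSCmdlet.ShouldProcess("PID $pidBefore", 'Stop-Process -Force')) {
            Stop-Process -Id $pidBefore -Force -ErrorAction SilentlyContinue
        }
    }

    # 5. Report the final state so the responder can confirm it actually stopped.
    $svc.Refresh()
    [PSCustomObject]@{
        Service   = $Name
        Status    = $svc.Status
        StartType = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$Name").Start
        OldPid    = $pidBefore
    }
}

# Usage: dry run first, then for real.
#   Stop-StubbornService -Name '{SERVICENAME}' -WhatIf
#   Stop-StubbornService -Name '{SERVICENAME}'
```

Check the returned Status and StartType (4 = Disabled) before moving on; if Status is still Running the service has probably been restarted by another component, which is worth finding before the next attempt.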
Kill malicious process
wmic process where name="malware.exe" call terminate
wmic process where processid=[PID] delete
taskkill /IM malware.exe
taskkill /PID [PID] /T
Note: Call terminate allows you to specify an exit status in terms of a signed integer or a quoted negative value. Both methods essentially function the same by calling TerminateProcess.
Locate Possible Shellcode within process via Injected Thread
Import-Module .\Get-InjectedThread.ps1
Get-InjectedThread
Obtain Possible Shellcode within process as Hex
(Get-InjectedThread | Select -exp Bytes | ForEach-Object ToString X2) -join ''
(Get-InjectedThread | ? {$_.ProcessId -eq {PID}} | Select -exp Bytes | ForEach-Object ToString X2) -join ''
Obtain Possible Shellcode within process as a \x-escaped Hex string
'\x' + ((Get-InjectedThread | Select -exp Bytes | ForEach-Object ToString X2) -join '\x')
'\x' + ((Get-InjectedThread | ? {$_.ProcessId -eq {PID}} | Select -exp Bytes | ForEach-Object ToString X2) -join '\x')
Note: Get-InjectedThread returns one object per injected thread; without the ProcessId filter, the bytes of every injected thread on the host are concatenated into one string.
Remove ACE entries for “everyone”
icacls "C:\{DESIREDFOLDERPATH}" /remove everyone /T
Disable unwanted windows binaries (via Base64 encoding and removal)
Note: This is one method, not the only way.
certutil -encode C:\windows\system32\mshta.exe C:\windows\system32\mshta.disabled
Get-Acl -Path C:\windows\system32\mshta.exe | Set-Acl -Path C:\windows\system32\mshta.disabled
takeown /f C:\windows\system32\mshta.exe
icacls C:\windows\system32\mshta.exe /grant administrators:F
rm C:\windows\system32\mshta.exe
Enable windows binaries (via Base64 decoding and removal)
certutil -decode C:\windows\system32\mshta.disabled C:\windows\system32\mshta.exe
Get-Acl -Path C:\windows\system32\mshta.disabled | Set-Acl -Path C:\windows\system32\mshta.exe
takeown /f C:\windows\system32\mshta.disabled
icacls C:\windows\system32\mshta.disabled /grant administrators:F
rm C:\windows\system32\mshta.disabled
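The disable and enable sequences above wrapped in two functions, as an added PowerShell example that is not part of the original cheat sheet. It adds one thing the raw commands lack: the SHA-256 of the binary is recorded before encoding and checked after decoding, so a corrupted or tampered `.disabled` file is not silently put back in System32. Assumptions: an elevated session, the file being disabled has an `.exe` extension, and the hash is stored next to the `.disabled` file in a `.sha256` side file (a naming convention chosen for this example).

```powershell
# Added example: disable / re-enable a Windows binary with the certutil method,
# verifying the restored file's hash. Assumes an elevated session.
function Disable-WindowsBinary {
    param([Parameter(Mandatory)][string]$Path)
    $disabled = [IO.Path]::ChangeExtension($Path, '.disabled')
    $hashFile = "$disabled.sha256"   # side file holding the original SHA-256 (example convention)

    # Record the hash so Enable-WindowsBinary can prove the decoded file is byte-identical.
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash | Set-Content -Path $hashFile

    # certutil -encode writes a Base64 copy; stop if it did not succeed.
    & certutil.exe -encode $Path $disabled | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $disabled)) {
        throw "certutil -encode failed for $Path"
    }

    # Carry the original ACL over to the encoded copy, then take ownership of the
    # original (TrustedInstaller owns System32 binaries) so it can be deleted.
    Get-Acl -Path $Path | Set-Acl -Path $disabled
    & takeown.exe /f $Path | Out-Null
    & icacls.exe $Path /grant 'Administrators:F' | Out-Null
    Remove-Item -Path $Path -Force
    return $disabled
}

function Enable-WindowsBinary {
    param([Parameter(Mandatory)][string]$DisabledPath)
    $original = [IO.Path]::ChangeExtension($DisabledPath, '.exe')   # assumption: .exe
    $hashFile = "$DisabledPath.sha256"

    & certutil.exe -decode $DisabledPath $original | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -decode failed for $DisabledPath" }

    # Verify the restored binary matches what was disabled before trusting it.
    $expected = Get-Content -Path $hashFile -ErrorAction SilentlyContinue | Select-Object -First 1
    $actual   = (Get-FileHash -Path $original -Algorithm SHA256).Hash
    if ($expected -and $expected -ne $actual) {
        Remove-Item -Path $original -Force
        throw "Hash mismatch after decode: expected $expected, got $actual"
    }

    Get-Acl -Path $DisabledPath | Set-Acl -Path $original
    & takeown.exe /f $DisabledPath | Out-Null
    & icacls.exe $DisabledPath /grant 'Administrators:F' | Out-Null
    Remove-Item -Path $DisabledPath, $hashFile -Force -ErrorAction SilentlyContinue
    return $original
}

# Usage (elevated):
#   Disable-WindowsBinary -Path C:\Windows\System32\mshta.exe
#   Enable-WindowsBinary  -DisabledPath C:\Windows\System32\mshta.disabled
```

If the side file is missing the restore still proceeds (there is nothing to compare against), so keep the `.sha256` file with the `.disabled` file if you move them off the host.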
Make multiple files visible and remove ‘superhidden’
gci C:\{DESIREDFOLDERPATH} -force -recurse -ea 0 | foreach {$_.attributes = 'Normal'};
attrib -s -h C:\{DESIREDFOLDERPATH}\*.*
Enable Date Accessed Timestamps
reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v NtfsDisableLastAccessUpdate /d 0 /t REG_DWORD /f
Remove BITSAdmin Persistence
bitsadmin /reset /allusers
import-module bitstransfer
Get-BitsTransfer -AllUsers | Remove-BitsTransfer
Delete Windows Defender path exclusions
Note: Each excluded path is stored as a value name under the Exclusions\Paths key; delete a single value to remove one exclusion, or the whole key to remove them all.
reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "[ExcludedPath]" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f
Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' -Name "[ExcludedPath]"
Open File Extension (e.g. scripts) with certain application (elevated cmd)
FTYPE Custom=Notepad.exe "%1"
ASSOC .wsf=Custom
Disable Command Prompt
reg add "HKCU\SOFTWARE\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 1 /f
Note: DisableCMD 1 blocks the interactive prompt and batch files, 2 blocks only the interactive prompt; 0 re-enables it.
Remediate malicious files
rmdir %localappdata%\maliciousdirectory\ /s
del /F %localappdata%\maliciousdirectory\malware.exe
Powershell:
Remove-Item [C:\Users\Public\*.exe]
Remove-Item -Path [C:\Users\Public\malware.exe] -Force
Get-ChildItem * -Include *.exe -Recurse | Remove-Item
Remediate Persistent WMI Subscriptions
The most important aspect is to locate and remove the CommandLineEventConsumer, whose 'CommandLineTemplate' value holds the malicious command. The example below searches for commands that contain 'powershell'. Remove the binding first so the consumer cannot fire while the filter and consumer are being deleted.
Get-WMIObject -Namespace root\subscription -Class __FilterToConsumerBinding -Filter "__Path like '%[Name]%'" | Remove-WmiObject
Get-WMIObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "CommandLineTemplate like '%powershell%'" | Remove-WmiObject
Get-WMIObject -Namespace root\subscription -Class __EventFilter -Filter "Name like '%[Name]%'" | Remove-WmiObject
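An added PowerShell example (not the page's own code) that lists every permanent WMI subscription as a filter-to-consumer pair, flags the ones whose consumer command or filter query matches a pattern, and removes the flagged binding, consumer and filter in that order. It uses the same `Get-WmiObject`/`Remove-WmiObject` cmdlets as the section above, so it assumes Windows PowerShell 5.1 and an elevated session; the default pattern `powershell` is an assumption. It generalises the one-liners slightly by also covering ActiveScriptEventConsumer (`ScriptText`) entries.

```powershell
# Added example: triage and remove persistent WMI subscriptions.
# Assumes Windows PowerShell 5.1 (Get-WmiObject) and an elevated session.
function Get-WmiPersistence {
    param([string]$Pattern = 'powershell')   # regex; default is an assumption
    $ns = 'root\subscription'
    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
    # Querying the base class returns every consumer type (CommandLine, ActiveScript, ...).
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
    $bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Binding.Filter / .Consumer are object paths such as __EventFilter.Name="x";
        # pull the Name out of each and look the referenced objects up.
        $fName = [regex]::Match($b.Filter,   'Name="([^"]+)"').Groups[1].Value
        $cName = [regex]::Match($b.Consumer, 'Name="([^"]+)"').Groups[1].Value
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName
        # Whichever of these properties the consumer type has is the command it runs.
        $cmd = (@($c.CommandLineTemplate, $c.ExecutablePath, $c.ScriptText) |
                Where-Object { $_ }) -join ' '
        [PSCustomObject]@{
            FilterName   = $fName
            Query        = $f.Query
            ConsumerName = $cName
            ConsumerType = $c.__CLASS
            Command      = $cmd
            Suspicious   = ($cmd -match $Pattern) -or ([string]$f.Query -match $Pattern)
            Binding      = $b
        }
    }
}

function Remove-WmiPersistence {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Pattern = 'powershell')
    $ns = 'root\subscription'
    foreach ($e in (Get-WmiPersistence -Pattern $Pattern | Where-Object Suspicious)) {
        # Order matters: binding first so the consumer cannot fire during cleanup,
        # then the consumer (the payload), then the filter (the trigger).
        if ($PSCmdlet.ShouldProcess("$($e.FilterName) -> $($e.ConsumerName)", 'Remove binding')) {
            $e.Binding | Remove-WmiObject
        }
        if ($PSCmdlet.ShouldProcess($e.ConsumerName, "Remove $($e.ConsumerType)")) {
            Get-WmiObject -Namespace $ns -Class __EventConsumer -Filter "Name='$($e.ConsumerName)'" | Remove-WmiObject
        }
        if ($PSCmdlet.ShouldProcess($e.FilterName, 'Remove __EventFilter')) {
            Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$($e.FilterName)'" | Remove-WmiObject
        }
    }
}

# Usage: review first, then remove with a dry run before the real thing.
#   Get-WmiPersistence | Format-Table FilterName, ConsumerName, ConsumerType, Suspicious, Command -Wrap
#   Remove-WmiPersistence -Pattern 'powershell' -WhatIf
```

Export the `Get-WmiPersistence` output before removing anything; the `Query` and `Command` columns are the evidence you will want later, and legitimate entries (the built-in SCM event log consumer, for example) should be recognised in the listing rather than matched by the pattern.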
Malicious scheduled tasks
schtasks /Delete /TN [taskname] /F
Powershell:
Unregister-ScheduledTask -TaskName [taskname] -Confirm:$false
Unregister-ScheduledTask -TaskPath "\[taskfolder]\" -Confirm:$false
Note: -TaskPath takes the task's folder (e.g. "\Microsoft\Windows\Example\"), not the task name; combine it with -TaskName when the same name exists in several folders.
Registry Keys
Unload all users registry keys
$UserProfiles = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | Where-Object { $_.PSChildName -like 'S-1-5-21-*' } | ForEach-Object { [PSCustomObject]@{ SID = $_.PSChildName; Path = $_.GetValue('ProfileImagePath') } }
Foreach ($UserProfile in $UserProfiles) {reg unload HKU\$($UserProfile.SID)};
Note: $UserProfiles is built from the ProfileList key so the same list can be used to load (reg load HKU\{SID} "{ProfilePath}\NTUSER.DAT"), edit and unload each user's hive; reg unload only succeeds for hives that are not in use by a logged-on session.
Remediate Automatic Load/Run Reg Keys
reg delete [keyname] /v [ValueName] /f
reg delete [keyname] /f
Foreach ($UserProfile in $UserProfiles) {reg delete HKU\$($UserProfile.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /f}
Foreach ($UserProfile in $UserProfiles) {reg delete HKU\$($UserProfile.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f}
Powershell:
Remove-ItemProperty -Path "[Path]" -Name "[name]"
Prevent Executable from Running.
Note: Load in hives and add particular SID to prevent users running named files, helps prevent for example your IIS service account from running cmd.exe or powershell.exe
reg add "HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisallowRun /t REG_DWORD /d 1 /f
reg add "HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v malware.exe /t REG_SZ /d "malware.exe" /f
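The per-user hive work in this section (enumerate profiles, load hives, clean Run/RunOnce, add a DisallowRun entry, unload) as one added PowerShell example that is not from the original page. Unlike the `reg delete ... \Run /f` lines above, it removes only the values whose data matches a pattern and leaves the rest of each Run key intact, and it records what it removed. Assumptions: an elevated session, profiles listed under ProfileList with an `NTUSER.DAT` in `ProfileImagePath`, and the example pattern and image name; `Invoke-PerUserRunKeyCleanup` is a name chosen here.

```powershell
# Added example: clean Run/RunOnce and set DisallowRun in every local user's hive.
# Assumes an elevated session. Hives already mounted (logged-on users) are used in
# place; the others are loaded from NTUSER.DAT and unloaded again afterwards.
function Get-UserProfileList {
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
        ForEach-Object {
            [PSCustomObject]@{ SID = $_.PSChildName; Path = $_.GetValue('ProfileImagePath') }
        }
}

function Invoke-PerUserRunKeyCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Pattern,   # regex matched against each value's data
        [string]$DisallowImage                    # e.g. 'malware.exe'; omit for no DisallowRun change
    )
    $removed = @()
    foreach ($p in Get-UserProfileList) {
        $hiveReg = "HKU\$($p.SID)"                      # form reg.exe wants
        $hivePs  = "Registry::HKEY_USERS\$($p.SID)"     # form the registry provider wants
        $loadedHere = $false
        if (-not (Test-Path $hivePs)) {
            # Profile not logged on: mount NTUSER.DAT ourselves and remember to unload it.
            & reg.exe load $hiveReg "$($p.Path)\NTUSER.DAT" | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load hive for $($p.SID)"; continue }
            $loadedHere = $true
        }

        foreach ($key in 'Run', 'RunOnce') {
            $keyPath = "$hivePs\SOFTWARE\Microsoft\Windows\CurrentVersion\$key"
            if (-not (Test-Path $keyPath)) { continue }
            $item = Get-Item $keyPath
            foreach ($name in $item.GetValueNames()) {
                $data = [string]$item.GetValue($name)
                if ($data -match $Pattern -and
                    $PSCmdlet.ShouldProcess("$keyPath\$name = $data", 'Remove value')) {
                    Remove-ItemProperty -Path $keyPath -Name $name
                    $removed += [PSCustomObject]@{ SID = $p.SID; Key = $key; Name = $name; Data = $data }
                }
            }
        }

        if ($DisallowImage -and $PSCmdlet.ShouldProcess($p.SID, "DisallowRun $DisallowImage")) {
            # Same layout as the reg add lines above: DisallowRun=1 on Policies\Explorer,
            # plus a value under the DisallowRun subkey naming the blocked image.
            $pol = "$hivePs\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
            New-Item -Path "$pol\DisallowRun" -Force | Out-Null
            Set-ItemProperty -Path $pol -Name DisallowRun -Value 1 -Type DWord
            Set-ItemProperty -Path "$pol\DisallowRun" -Name $DisallowImage -Value $DisallowImage -Type String
        }

        if ($loadedHere) {
            [GC]::Collect()   # drop provider handles to the hive before unloading it
            & reg.exe unload $hiveReg | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "Hive for $($p.SID) is still loaded" }
        }
    }
    $removed   # one object per removed value, for the incident record
}

# Usage: dry run, then for real (pattern and image name are example values).
#   Invoke-PerUserRunKeyCleanup -Pattern 'malware\.exe' -DisallowImage 'malware.exe' -WhatIf
#   Invoke-PerUserRunKeyCleanup -Pattern 'malware\.exe' -DisallowImage 'malware.exe' | Export-Csv removed-run-values.csv
```

DisallowRun is enforced by Explorer only; it stops a user launching the named image from the shell but is not a substitute for the WDAC policy or binary removal covered earlier on this page, so treat it as a quick containment step.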