Windows Remediation Commands

Set logging on all success/failure events

(WARNING: this enables every audit subcategory and produces a large volume of events. Tailor it to your needs and check Security log size and retention before turning it on.)

auditpol /set /category:* /success:enable /failure:enable

Enable logging of process creation

auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

Note: this produces event ID 4688 in the Security log. 4688 does not carry the process command line unless the "Include command line in process creation events" policy is also enabled (value ProcessCreationIncludeCmdLine_Enabled under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit).

Enable logging of non-Windows module loads via WDAC code integrity

Note 1: Special thanks to Matt Graeber for this.
Note 2: This is based on a Windows Defender Application Control (WDAC) code integrity policy deployed in audit mode, so it logs, rather than blocks, user-mode binaries that are not signed by Microsoft. The XML policy and background are in Matt Graeber's post: https://twitter.com/mattifestation/status/1366435525272481799
On an enterprise system, convert the XML policy to its binary form with the ConfigCI module:

ConvertFrom-CIPolicy -XmlFilePath .\Non_Microsoft_UserMode_Load_Audit.xml -BinaryFilePath C:\Windows\System32\CodeIntegrity\SIPolicy.p7b

Store the converted policy on the Win10 system to be monitored at C:\Windows\System32\CodeIntegrity\SIPolicy.p7b and reboot for it to take effect. Audit-mode hits are written to the Microsoft-Windows-CodeIntegrity/Operational log as event ID 3076 (3077 is the enforced-mode block event).

Kill "Unstoppable" Service/Process

Set the service to Disabled directly in the registry (Start = 4), reset its security descriptor to the Windows default SDDL so administrators regain stop/change rights, then stop it and kill the host process if it refuses:

reg add HKLM\SYSTEM\CurrentControlSet\Services\{SERVICENAME} /v Start /t REG_DWORD /d 4 /f
sc.exe sdset {SERVICENAME} "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Get-Service -Name {SERVICENAME} | Set-Service -Status Paused
sc.exe config {SERVICENAME} start= disabled
Get-Service -Name {SERVICENAME} | Set-Service -Status Stopped
tasklist /FI "IMAGENAME eq {SERVICEEXENAME}"
taskkill /F /T /IM "{SERVICEEXENAME}"

Note: the Start value lives directly under the service key, not under its Parameters subkey. Set-Service -Status Paused only succeeds for services that report CanPauseAndContinue; skip it otherwise. taskkill /IM terminates every process with that image name, so when the service runs inside a shared host such as svchost.exe, look up its own PID (Win32_Service ProcessId) and use taskkill /F /PID instead.
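The same procedure as one PowerShell function, added here as an example and not taken from the original cheat sheet. It disables the service in the registry, resets its DACL with sc.exe sdset, attempts a normal stop, and only then kills the service's own host process by PID (looked up from Win32_Service) so other processes sharing the image name are untouched. It assumes an elevated session; the service name in the usage line is a constructed placeholder.

```powershell
# Added example: stop a service whose DACL or start type was tampered with.
# Assumes an elevated Windows PowerShell session; 'EvilSvc' is a constructed name.
function Stop-StubbornService {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found" }

    # Windows default service descriptor: SYSTEM and Administrators get full
    # control, interactive and service users get query/read rights only.
    $defaultSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
                   '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)' +
                   'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

    if ($PSCmdlet.ShouldProcess($Name, 'Disable, reset DACL, stop and kill')) {
        # 1. Start=4 (Disabled) so the service cannot return after a reboot.
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -Name Start -Value 4 -Type DWord
        # 2. Replace whatever DACL was set on the service with the default one.
        & sc.exe sdset $Name $defaultSddl | Out-Null
        # 3. Try a graceful stop first (also stops dependent services).
        Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
        # 4. Still running? Terminate the service's own process by PID, not by image name.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
        if ($svc.State -ne 'Stopped' -and $svc.ProcessId -gt 0) {
            Stop-Process -Id $svc.ProcessId -Force
        }
    }
    Get-Service -Name $Name | Select-Object Name, Status, StartType
}

# Dry run first; drop -WhatIf to act.
Stop-StubbornService -Name 'EvilSvc' -WhatIf
```

Because the function is ShouldProcess-aware, -WhatIf prints what would happen without touching the service, which is the safe first pass on a production host.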

Kill malicious process

wmic process where name="malware.exe" call terminate
wmic process where processid=[PID] delete
taskkill /F /IM malware.exe
taskkill /F /PID [PID] /T

Note: "call terminate" takes an optional exit code (a signed integer; quote negative values). The two WMIC forms and taskkill /F all end in TerminateProcess, so the process gets no chance to clean up (without /F, taskkill only sends a close message and fails on processes with no window). wmic.exe is deprecated and absent from recent Windows builds; Stop-Process -Force, or the Terminate method on Win32_Process via Invoke-CimMethod, are the supported equivalents. Capture a memory dump or at least the binary and its hash before terminating if the sample is needed for analysis.
Locate Possible Shellcode within process via Injected Thread

Uses Jared Atkinson's Get-InjectedThread.ps1, which flags threads whose start address lies in memory not backed by an image on disk and returns the bytes of that region in the Bytes property:

Import-Module .\Get-InjectedThread.ps1
Get-InjectedThread

Obtain Possible Shellcode within process as Hex

(Get-InjectedThread | Select-Object -ExpandProperty Bytes | ForEach-Object ToString X2) -join ''
(Get-InjectedThread | Where-Object { $_.ProcessId -eq {PID} } | Select-Object -ExpandProperty Bytes | ForEach-Object ToString X2) -join ''

Obtain Possible Shellcode within process as a \x-escaped string

'\x' + ((Get-InjectedThread | Select-Object -ExpandProperty Bytes | ForEach-Object ToString X2) -join '\x')
'\x' + ((Get-InjectedThread | Where-Object { $_.ProcessId -eq {PID} } | Select-Object -ExpandProperty Bytes | ForEach-Object ToString X2) -join '\x')

Note: the filter compares ProcessId, not ThreadId, against the PID. If several injected threads are returned, the unfiltered forms concatenate all their Bytes into one string, so filter on ProcessId (or ThreadId) first so each dump corresponds to one memory region. The leading '\x' is needed because -join only places the separator between elements.

Remove ACE entries for "Everyone"

icacls "C:\{DESIREDFOLDERPATH}" /remove Everyone /T

Note: /remove without a :g or :d suffix strips every explicit ACE for the SID, allow and deny alike; /T recurses through all subfolders and files. Inherited ACEs are not touched; if Everyone is inherited from a parent, disable inheritance on the folder first (icacls /inheritance:d) or fix the parent.

Disable unwanted Windows binaries (via Base64 encoding and removal)

Note: This is one method, not the only way. certutil writes a Base64 copy of the binary next to it, the original ACL is copied onto that .disabled file so it can be restored later, and the original (owned by TrustedInstaller) is taken over and deleted. Get-Acl/Set-Acl and rm are PowerShell (use del in cmd); the other lines work in either shell. SFC, DISM repairs and Windows feature updates put the original binary back, so re-check after servicing.

certutil -encode C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.disabled
Get-Acl -Path C:\Windows\System32\mshta.exe | Set-Acl -Path C:\Windows\System32\mshta.disabled
takeown /f C:\Windows\System32\mshta.exe
icacls C:\Windows\System32\mshta.exe /grant administrators:F
rm C:\Windows\System32\mshta.exe

Re-enable Windows binaries (via Base64 decoding and removal)

certutil -decode C:\Windows\System32\mshta.disabled C:\Windows\System32\mshta.exe
Get-Acl -Path C:\Windows\System32\mshta.disabled | Set-Acl -Path C:\Windows\System32\mshta.exe
takeown /f C:\Windows\System32\mshta.disabled
icacls C:\Windows\System32\mshta.disabled /grant administrators:F
rm C:\Windows\System32\mshta.disabled

Make multiple files visible and remove 'superhidden'

gci C:\{DESIREDFOLDERPATH} -Force -Recurse -ErrorAction SilentlyContinue | ForEach-Object { $_.Attributes = 'Normal' }
attrib -s -h C:\{DESIREDFOLDERPATH}\*.* /S /D

Note: "superhidden" files carry both the System and Hidden attributes, which Explorer hides even with "show hidden files" turned on. The attrib line needs /S /D to recurse into subfolders and to clear the attributes on directories as well; the PowerShell line already recurses but resets every attribute (ReadOnly and Archive included) to Normal, not only the two that hide the file.

Enable Last Access timestamps

reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v NtfsDisableLastAccessUpdate /t REG_DWORD /d 0 /f

Note: 0 enables last-access updates and 1 disables them. On Windows 10 1803 and later the value also carries a "system managed" flag (2 = enabled, 3 = disabled, chosen by Windows from the volume size), so set it explicitly to 0 and reboot; fsutil behavior query disablelastaccess shows the current state. This only affects timestamps from now on and does not recover past access times.

Remove BITSAdmin Persistence

bitsadmin /reset /allusers
Import-Module BitsTransfer
Get-BitsTransfer -AllUsers | Remove-BitsTransfer

Note: both commands cancel every BITS job on the host for every user. Inspect the jobs first (DisplayName, TransferType, the file list and above all NotifyCmdLine, which is where the persistence command is stored) so the payload and its download source are recorded before the jobs disappear. -AllUsers requires an elevated session.

Remove Windows Defender exclusions

reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "[ExcludedPath]" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f
Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' -Name "[ExcludedPath]"

Note: each exclusion is stored as a value whose name is the excluded path (data 0), so the value name to delete is the path itself, not "Paths"; the second line removes every path exclusion at once. Extension and process exclusions live in the sibling Exclusions\Extensions and Exclusions\Processes keys. With Tamper Protection on, Defender may block or revert direct registry edits to its configuration; Get-MpPreference to list exclusions and Remove-MpPreference to drop them is the supported path.
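An added example, not from the original cheat sheet, that does the same through the Defender cmdlets: it lists every exclusion (paths, extensions, processes) and removes those matching a pattern. It assumes an elevated session on a host with the Defender PowerShell module; the pattern in the usage line is a constructed example of exclusions that are suspect on a server.

```powershell
# Added example: enumerate and remove Defender exclusions via Get-MpPreference /
# Remove-MpPreference instead of editing the registry. Assumes an elevated session.
function Get-DefenderExclusion {
    $p = Get-MpPreference
    # Each property is $null when empty; foreach over $null does not iterate.
    foreach ($x in $p.ExclusionPath)      { [pscustomobject]@{ Type = 'Path';      Value = $x } }
    foreach ($x in $p.ExclusionExtension) { [pscustomobject]@{ Type = 'Extension'; Value = $x } }
    foreach ($x in $p.ExclusionProcess)   { [pscustomobject]@{ Type = 'Process';   Value = $x } }
}

function Remove-DefenderExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Pattern)   # regex matched against the exclusion value
    foreach ($e in (Get-DefenderExclusion | Where-Object { $_.Value -match $Pattern })) {
        if ($PSCmdlet.ShouldProcess("$($e.Type) exclusion $($e.Value)", 'Remove')) {
            switch ($e.Type) {
                'Path'      { Remove-MpPreference -ExclusionPath      $e.Value }
                'Extension' { Remove-MpPreference -ExclusionExtension $e.Value }
                'Process'   { Remove-MpPreference -ExclusionProcess   $e.Value }
            }
        }
    }
}

Get-DefenderExclusion | Format-Table -AutoSize
# Constructed pattern: exclusions covering user-writable locations. Drop -WhatIf to act.
Remove-DefenderExclusion -Pattern '\\Users\\|\\Temp\\|\\ProgramData\\' -WhatIf
```

Record the full exclusion list before removing anything; an attacker-added exclusion path is itself an indicator of where the tooling was staged.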

Open file extension (e.g. scripts) with a certain application (elevated cmd)

FTYPE Custom=Notepad.exe "%1"
ASSOC .wsf=Custom

Note: this rewrites the machine-wide HKCR association so that double-clicking a .wsf file opens it in Notepad instead of wscript.exe. Per-user associations (HKCU\Software\Classes and Explorer's UserChoice keys) take precedence over HKCR, and the script still runs when invoked explicitly (wscript.exe file.wsf), so treat this as a guard against casual execution rather than a control.

Disable Command Prompt

reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 1 /f

Note: a value of 0 (or no value) leaves cmd.exe enabled; 1 disables the interactive prompt and batch files, 2 disables the prompt but still lets batch files run. cmd.exe reads this from the Policies key (the same value the "Prevent access to the command prompt" Group Policy sets), and it applies only to the user whose HKCU is edited.

Remediate malicious files

rmdir /S /Q %localappdata%\maliciousdirectory\
del /F /A %localappdata%\maliciousdirectory\malware.exe

Powershell:

Remove-Item -Path [C:\Users\Public\*.exe]
Remove-Item -Path [C:\Users\Public\malware.exe] -Force
Get-ChildItem * -Include *.exe -Recurse -Force | Remove-Item -Force

Note: del /A also removes hidden and system files, which the plain command skips. The last PowerShell line deletes every .exe under the current directory, so change into the target folder first and run it with -WhatIf before the real pass. Keep a copy and hash of anything deleted if it may be needed for analysis.

Remediate Persistent WMI Subscriptions

A WMI subscription has three parts in root\subscription: an __EventFilter (the trigger, a WQL query), an event consumer (the payload; a CommandLineEventConsumer stores the command in CommandLineTemplate, an ActiveScriptEventConsumer stores it in ScriptText), and a __FilterToConsumerBinding that links the two. Removing the consumer is what disarms the persistence. Remove the binding first, then the consumer, then the filter, so nothing is left referencing deleted objects. The example below matches consumers whose command contains 'powershell'.

Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding | Where-Object { $_.Filter -match '[Name]' -or $_.Consumer -match '[Name]' } | Remove-WmiObject
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "CommandLineTemplate like '%powershell%'" | Remove-WmiObject
Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name like '%[Name]%'" | Remove-WmiObject

Note: __Path is not queryable through -Filter, so the binding is matched with Where-Object on its Filter and Consumer reference strings (of the form __EventFilter.Name="..."). Run each line without "| Remove-WmiObject" first and record the Query and CommandLineTemplate for the incident record.
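An added example, not from the original cheat sheet, that ties the three objects together: it enumerates every binding in root\subscription, resolves the filter and consumer behind it, shows the trigger query and the consumer payload, and removes matching triples in the safe order (binding, consumer, filter). It assumes Windows PowerShell 5.1 (Get-WmiObject is not available in PowerShell 7) in an elevated session; the 'powershell' pattern is the page's own example and the function names are mine.

```powershell
# Added example: triage and remove WMI event subscriptions as filter/consumer/binding
# triples. Assumes Windows PowerShell 5.1, elevated.
$SubNs = 'root\subscription'

function Get-WmiSubscriptionTriple {
    foreach ($b in (Get-WmiObject -Namespace $SubNs -Class __FilterToConsumerBinding)) {
        # Filter / Consumer are reference strings, e.g. __EventFilter.Name="BotFilter82"
        $filterName    = [regex]::Match($b.Filter,   'Name="(.*)"').Groups[1].Value
        $consumerClass = $b.Consumer.Split('.')[0]
        $consumerName  = [regex]::Match($b.Consumer, 'Name="(.*)"').Groups[1].Value

        # WQL escapes a single quote inside a string literal as \'
        $f = Get-WmiObject -Namespace $SubNs -Class __EventFilter -Filter ("Name='{0}'" -f $filterName.Replace("'", "\'"))
        $c = Get-WmiObject -Namespace $SubNs -Class $consumerClass -Filter ("Name='{0}'" -f $consumerName.Replace("'", "\'"))

        # The payload lives in a class-specific property.
        $payload = switch ($consumerClass) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { $null }
        }
        [pscustomobject]@{
            FilterName    = $filterName
            Query         = $f.Query
            ConsumerClass = $consumerClass
            ConsumerName  = $consumerName
            Payload       = $payload
            Binding       = $b
            Filter        = $f
            Consumer      = $c
        }
    }
}

function Remove-WmiSubscriptionTriple {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$PayloadPattern)   # regex over CommandLineTemplate / ScriptText
    foreach ($t in (Get-WmiSubscriptionTriple | Where-Object { $_.Payload -match $PayloadPattern })) {
        if ($PSCmdlet.ShouldProcess("$($t.FilterName) -> $($t.ConsumerName)", 'Remove binding, consumer and filter')) {
            # Binding first (nothing then references the other two), then the
            # payload-carrying consumer, then the trigger filter.
            $t.Binding | Remove-WmiObject
            if ($t.Consumer) { $t.Consumer | Remove-WmiObject }
            if ($t.Filter)   { $t.Filter   | Remove-WmiObject }
        }
    }
}

# Triage first, then act (drop -WhatIf to really delete).
Get-WmiSubscriptionTriple | Format-List FilterName, Query, ConsumerClass, Payload
Remove-WmiSubscriptionTriple -PayloadPattern 'powershell' -WhatIf
```

Looking at Query alongside Payload matters: a benign-looking consumer paired with a filter that fires on every logon or every few minutes is the usual shape of this persistence.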

Malicious scheduled tasks

schtasks /Delete /TN [taskname] /F

Powershell:

Unregister-ScheduledTask -TaskName [taskname] -Confirm:$false
Get-ScheduledTask -TaskPath [taskpath] | Unregister-ScheduledTask -Confirm:$false

Note: -TaskPath takes the folder the task lives in (\ for tasks created by schtasks without a path, or something like \Microsoft\Windows\Foo\), not the task name, and the second line removes every task in that folder. Export the definition first (schtasks /Query /TN [taskname] /XML) so the action, trigger and the account it runs as are kept for analysis.

Registry Keys

Unload all users' registry hives

Foreach ($UserProfile in $UserProfiles) { reg unload HKU\$($UserProfile.SID) }

Note: $UserProfiles is assumed to hold one object per profile with a SID property, built from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList (each subkey is a SID and its ProfileImagePath points at the profile folder holding NTUSER.DAT). A hive can only be unloaded if it was mounted with reg load and no handle is still open on it; hives of logged-on users are already under HKU and cannot be unloaded this way.

Remediate Automatic Load/Run Reg Keys

reg delete [keyname] /v [ValueName] /f
reg delete [keyname] /f
Foreach ($UserProfile in $UserProfiles) { reg delete HKU\$($UserProfile.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /f }
Foreach ($UserProfile in $UserProfiles) { reg delete HKU\$($UserProfile.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f }

Powershell:

Remove-ItemProperty -Path "[Path]" -Name "[name]"

Note: the two Foreach lines delete the whole Run and RunOnce keys for every loaded user hive, legitimate entries included; prefer deleting the single malicious value with /v where you can. The HKLM Run/RunOnce keys and their WOW6432Node counterparts need the same review. Export the key with reg export before deleting.

Prevent an executable from running

Note: load the user's hive and add the policy under that SID to stop the account from launching named files; this helps prevent, for example, your IIS service account from running cmd.exe or powershell.exe.

reg add "HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisallowRun /t REG_DWORD /d 1 /f
reg add "HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v 1 /t REG_SZ /d "malware.exe" /f

Note: the values under DisallowRun are conventionally numbered (1, 2, ...) with the file name as data; this is what the "Don't run specified Windows applications" Group Policy writes. The restriction is enforced by Explorer's shell-launch path (double-click, Run dialog, Start menu), matches on file name only, and does not stop a process started by a service, a script host, CreateProcess from another program, or a renamed copy of the binary. For an actual control use AppLocker or WDAC.
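The three registry procedures above (unloading user hives, cleaning Run/RunOnce per user, and setting DisallowRun for one SID) share one missing piece: building $UserProfiles and loading the hives of users who are not logged on. The following is an added example, not from the original cheat sheet, with a helper that runs a scriptblock against every profile's hive, loading NTUSER.DAT when needed and unloading it afterwards, and three uses of it. It assumes an elevated Windows PowerShell session; the SID, the 'Updater' value name and the exe names in the usage lines are constructed.

```powershell
# Added example: per-user hive helper plus Run inventory, Run value removal and
# DisallowRun. Assumes an elevated Windows PowerShell session.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$PsNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-UserProfileHive {
    # One object per real user account (S-1-5-21-*): SID plus on-disk hive path.
    Get-ChildItem $ProfileListKey | Where-Object { $_.PSChildName -like 'S-1-5-21-*' } | ForEach-Object {
        $img = (Get-ItemProperty $_.PSPath).ProfileImagePath
        [pscustomobject]@{ SID = $_.PSChildName; HivePath = Join-Path $img 'NTUSER.DAT' }
    }
}

function Invoke-PerUserHive {
    param([Parameter(Mandatory)][scriptblock]$Action, [string[]]$Sid)
    foreach ($p in Get-UserProfileHive) {
        if ($Sid -and $p.SID -notin $Sid) { continue }
        $loadedByUs = $false
        if (-not (Test-Path "Registry::HKEY_USERS\$($p.SID)")) {
            # Not logged on, so HKU\<SID> is absent: mount the hive ourselves.
            & reg.exe load "HKU\$($p.SID)" $p.HivePath | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "Cannot load hive for $($p.SID) (in use or missing)"; continue }
            $loadedByUs = $true
        }
        try     { & $Action $p.SID }            # whatever the action emits flows to the caller
        finally {
            if ($loadedByUs) {
                [GC]::Collect(); [GC]::WaitForPendingFinalizers()   # release provider key handles or unload fails
                & reg.exe unload "HKU\$($p.SID)" | Out-Null
            }
        }
    }
}

# (1) Inventory every Run / RunOnce value for every profile.
function Get-AllUserRunValues {
    Invoke-PerUserHive {
        param($sid)
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "Registry::HKEY_USERS\$sid\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty $key
            foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notin $PsNoise })) {
                [pscustomobject]@{ SID = $sid; Key = $sub; Name = $name; Command = $props.$name }
            }
        }
    }
}

# (2) Delete one named Run value from every hive in which it exists.
function Remove-AllUserRunValue {
    param([Parameter(Mandatory)][string]$ValueName)
    Invoke-PerUserHive {
        param($sid)
        $key = "Registry::HKEY_USERS\$sid\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        if ((Test-Path $key) -and ((Get-ItemProperty $key).PSObject.Properties.Name -contains $ValueName)) {
            Remove-ItemProperty -Path $key -Name $ValueName
            "Removed '$ValueName' from HKU\$sid"
        }
    }
}

# (3) DisallowRun for one SID: Explorer refuses to launch the listed file names.
function Set-DisallowRun {
    param([Parameter(Mandatory)][string]$TargetSid, [Parameter(Mandatory)][string[]]$Exe)
    Invoke-PerUserHive -Sid $TargetSid {
        param($sid)
        $pol = "Registry::HKEY_USERS\$sid\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        foreach ($k in $pol, "$pol\DisallowRun") { if (-not (Test-Path $k)) { New-Item -Path $k | Out-Null } }
        Set-ItemProperty -Path $pol -Name DisallowRun -Value 1 -Type DWord
        $i = 1
        foreach ($e in $Exe) { Set-ItemProperty -Path "$pol\DisallowRun" -Name "$i" -Value $e -Type String; $i++ }
        "DisallowRun set for HKU\$sid`: $($Exe -join ', ')"
    }
}

Get-AllUserRunValues | Format-Table SID, Key, Name, Command -AutoSize
Remove-AllUserRunValue -ValueName 'Updater'    # constructed value name
Set-DisallowRun -TargetSid 'S-1-5-21-1111111111-2222222222-3333333333-1001' -Exe 'cmd.exe', 'powershell.exe'
```

The helper only touches accounts that have a profile in ProfileList (the page's IIS example works when the application pool is configured to load a user profile); built-in SYSTEM, LOCAL SERVICE and NETWORK SERVICE are skipped on purpose. If reg unload still reports the hive as in use, a PowerShell drive or Get-ItemProperty result is keeping a key open; close it and retry.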