WINDOWS 10 PATCH/UPGRADE SECURITY SETTINGS REPAIR FIX-IT SCRIPT
Since Windows 10 shipped there have been three (3) major updates through September 2017, called "cumulative updates". If you apply the settings mentioned in the "Cheat Sheets" found on this website, or in other security standards, a cumulative update will revert many of those security settings back to their defaults, weakening the security of the very system you deliberately hardened. If these settings are not enforced by Group Policy, your system's security is weakened after each such update. These scripts repair the items and set them back to what the Cheat Sheets recommend, as they were before the update was applied, if you follow the settings found in the Cheat Sheets. If you have not set them, the script will set the recommended items for you. Instructions are inside the script. The script works on many versions of Windows to set these items as best practice.
- Script to repair settings reverted by the Windows 10 cumulative update(s) (Win 7, 8, 10, 2008, 2012 and 2016 compatible) - v1.3
- Goal - To fix log settings that are undone during Microsoft updates
- Goal - To set dangerous file extensions to open in the benign Notepad rather than the default script engine, which would allow malware to detonate
- It is recommended you schedule a task to apply these settings at each logon so that any future update that breaks these settings is corrected automatically
- v1.2 adds disabling Word DDE from automatically opening links/URLs
- v1.3 adds more DDE blocks for other Office products - Microsoft patched this vuln, so may not be needed any longer
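The following is an added example, not the site's own repair script, of the detect-then-repair pattern the script above describes: it checks the command-line and PowerShell logging registry values, event log sizes, and the script extensions that should open in Notepad, and re-applies only what has drifted. The `-Apply` switch, the log sizes and the extension list are assumptions; substitute your own cheat-sheet values.

```powershell
#Requires -RunAsAdministrator
# Added example (not the site's script): report settings that an update reverted and,
# with -Apply, set them back. Without -Apply it only reports drift.
param([switch]$Apply)

# Registry values that make 4688 carry the command line and enable PowerShell 4104 events.
$RegDesired = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Name = 'ProcessCreationIncludeCmdLine_Enabled'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Name = 'EnableScriptBlockLogging'; Value = 1 }
)
# Sample maximum log sizes (constructed values; use the numbers from your cheat sheet).
$LogSizes = @{ 'Security' = 1GB; 'Microsoft-Windows-PowerShell/Operational' = 256MB }
# Script extensions that should open in Notepad (the txtfile ProgID), not their engine.
$Extensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta'

foreach ($r in $RegDesired) {
    $cur = (Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
    if ($cur -ne $r.Value) {
        Write-Warning "$($r.Path)\$($r.Name) is '$cur', expected $($r.Value)"
        if ($Apply) {
            New-Item -Path $r.Path -Force | Out-Null
            New-ItemProperty -Path $r.Path -Name $r.Name -Value $r.Value -PropertyType DWord -Force | Out-Null
        }
    }
}

foreach ($log in $LogSizes.Keys) {
    $want = [int64]$LogSizes[$log]
    $cur  = (Get-WinEvent -ListLog $log).MaximumSizeInBytes
    if ($cur -lt $want) {
        Write-Warning "$log max size is $cur bytes, want $want"
        if ($Apply) { wevtutil sl $log "/ms:$want" }
    }
}

# assoc reads/writes the machine-wide HKCR mapping; a per-user Explorer UserChoice entry,
# if one exists, is not touched here and would still win for double-click.
foreach ($ext in $Extensions) {
    $cur = cmd /c "assoc $ext 2>nul"          # e.g. ".js=JSFile"; empty when unset
    if ($cur -ne "$ext=txtfile") {
        Write-Warning "$ext opens with '$cur', expected txtfile (Notepad)"
        if ($Apply) { cmd /c "assoc $ext=txtfile" | Out-Null }
    }
}
```

Run it once as a scheduled task at logon, as the page recommends, so the report shows what the last update changed and `-Apply` puts it back; Group Policy will still win over anything set here.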
LOGGING, THE PERFECT PARTNER FOR MALWARE
Learn Who did What, Where, When and How.
In the course of investigating malware and reviewing logs for the details of what happened on suspect system(s), we have gathered the information listed here to assist in understanding Windows Logging.
- Enable Logs
- Configure Logs
- Gather Logs
- Harvest Logs
If you want to improve your Malware Management, logging is a crucial if not vital part of your Information Security program.
Listed below are resources for you to use to improve logging in your environment.
List of administrative utilities to monitor execution of:
SCRIPTS to set the configuration:
- CMD Script to set Windows Auditing and Logging - Jan 2018
- CMD Script to set ONLY the Windows Firewall Auditing and Logging - July 2015
- Sample default PowerShell profile.ps1 that also sets Transcripts to record - July 2015
Scripts to set File and Registry Auditing
Below are two scripts to set the Folder and Registry auditing for the currently logged-in user.
- Script to set User File and Folder auditing - Updated Oct 2017
- Script to set User Registry Key auditing - Updated Oct 2017
Script to set Windows Advanced Auditing, PowerShell and Command Line too
Below is a script to set the Advanced Audit Settings and all the other settings recommended in the cheat sheets. It is best to set these in GPO, since GPO will overwrite the auditpol settings; the script is good for non-domain-joined systems, labs, etc.
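As an added example that is not the site's own script, this compares the effective advanced audit policy (the CSV that `auditpol /get /r` prints) against a small desired list and re-applies only the subcategories that drifted. The subcategory list, the settings and the `-Apply` switch are constructed assumptions; use the cheat sheet's full list in practice.

```powershell
#Requires -RunAsAdministrator
# Added example (not the site's script): auditpol drift check and repair.
param([switch]$Apply)

# Constructed sample of desired subcategory settings (auditpol's own wording).
$Desired = @{
    'Process Creation'      = 'Success'
    'Process Termination'   = 'Success'
    'Logon'                 = 'Success and Failure'
    'Credential Validation' = 'Success and Failure'
    'Audit Policy Change'   = 'Success and Failure'
}

# Make the advanced (subcategory) policy win over the nine legacy categories; otherwise
# a legacy policy refresh can silently undo these subcategory settings.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ((Get-ItemProperty -Path $lsa).SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1; legacy category policy can override auditpol'
    if ($Apply) { Set-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord }
}

# /r emits CSV with an "Inclusion Setting" column: Success, Failure, Success and Failure, No Auditing.
$current = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv

foreach ($sub in $Desired.Keys) {
    $row  = $current | Where-Object { $_.Subcategory -eq $sub }
    $have = if ($row) { $row.'Inclusion Setting' } else { 'unknown' }
    if ($have -ne $Desired[$sub]) {
        Write-Warning "$sub is '$have', expected '$($Desired[$sub])'"
        if ($Apply) {
            $flags = switch ($Desired[$sub]) {
                'Success'             { '/success:enable',  '/failure:disable' }
                'Failure'             { '/success:disable', '/failure:enable' }
                'Success and Failure' { '/success:enable',  '/failure:enable' }
            }
            auditpol /set "/subcategory:$sub" @flags | Out-Null
        }
    }
}
```

On a domain-joined machine this only reports; the GPO that sets Advanced Audit Policy will reassert itself at the next refresh, which is why the page says to set these in GPO where one exists.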
Script to clear all the logs
The following script uses PowerShell to clear all the event logs. Great for clearing out data prior to infecting a lab with malware, or before you investigate a system and reboot it to trigger the persistence.
List of Windows administrative utilities you should monitor execution of
This is a list of utilities whose execution and command-line parameters you should monitor, as hackers and pen testers use these built-in (living off the land) utilities to exploit systems or as part of post-exploitation activities.
- List of admin utils and whitelist bypass utils you should monitor the command-line execution of (text file).
List of whitelist bypass utilities known to be misused:
WinLogBeat (ELK and Humio)
Winlogbeat is a logging agent maintained by Elastic that can send your log data to a local logging server (Humio, ELK Stack, etc.) or Cloud Logging solution like Humio, Loggly, Sumologic and others.
Windows WinLogBeat.yml file with expanded auditing, sample exclusions by EventID and by type of event. Just replace your server and account details, tweak as needed and restart the service to load the config.
FileBeat (ELK and Humio)
Filebeat is a logging agent maintained by Elastic that can send your file log data to a local logging server (Humio, ELK Stack, etc.) or Cloud Logging solution like Humio, Loggly, Sumologic and others.
Just replace your server and account details, tweak as needed, add your log file and parser to use, and restart the service to load the config.
NXLog is a logging agent with FREE and commercial versions that can send your log data to a local logging server (Splunk, ELK Stack) or Cloud Logging solution like Splunk Cloud, Loggly, Sumologic and others.
Windows NXLOG.conf file with expanded auditing, sample exclusions by EventID and by Message type. Just replace your server and account details, tweak as needed and restart the service.
- Sample nxlog.conf file for Windows (Loggly integration example)
Sysmon is a service developed by Sysinternals, now owned by Microsoft, that provides additional security and Incident Response related details about files and processes and the hidden workings of a Windows based system. The service has its own log that records the hashes of files, DLLs and drivers (.sys) loaded, certificate signature details, IP details, etc. The config file allows you to reduce the normal noise generated by Sysmon so that it collects less volume, in case you want to harvest the data in a log management solution or in LOG-MD Professional.
Windows Logging Service (WLS)
WLS is a syslog service that replaces your current logging agent such as the Splunk Universal Forwarder, nxlog or another logging agent. The advantage of WLS is in what it collects and sends to your log server in the form of syslog events from Windows; it is fully configurable in what it collects, allowing log refinement and incredible detail. WLS collects the hashes of files, signature details of the files, PowerShell and WMI details not found in Windows logging, process execution and network data. This is by far the best InfoSec IR logging agent available, and WLS can be configured so that LOG-MD Professional can collect the log events from WLS.