To-Do:
- Add winget // choco
- Add SysInternals (ProcExp, AutoRuns, etc)
- Add Windows 11 (2024)
Windows Tools
Win Task Manager
Hardening Windows 10
CCE Tools appear to be deprecated as of 2022.
Resources:
https://hardenwindows10forsecurity.com/
https://www.continuum.net/blog/updates-to-microsofts-patching-process-and-the-impact-on-msps
https://www.itprotoday.com/industry-perspectives/windows-10-security-checklist-starter-kit
Change RDP Port w/Powershell
Generic Hardening rules of thumb
- MICROSOFT DEFENDER FIREWALL AND ANTIVIRUS
Enable all Firewall profiles. Block inbound connections by default, and add inbound and outbound rules per service only as they are needed. Use the ‘Public’ profile (this profile carries stricter rules than the ‘Private’ or ‘Home’ profile).
Disable or lock down remote-access protocols (Telnet, SSH, RDP).
Enable Microsoft Defender (Antivirus) and keep its signature database up to date.
- SERVICES
Disable unnecessary services on the system.
Disable the Windows Remote Registry Protocol (MS-RRP) if possible.
Enable User Account Control (UAC) and raise it to its highest sensitivity.
Enable full-disk encryption with BitLocker.
- USER ACCOUNTS
Limit the privileges of the account used for day-to-day work (do not use the Administrator account).
Apply the principle of least privilege to user accounts, with the exception of the Administrator account.
Disable default and unused accounts.
- AUTORUNS
Disable AutoPlay/Autorun for removable media (CD/DVD, USB).
Disable or remove any unnecessary executable or service that starts automatically with the system (Startup / Logon).
Disable unused services (Telnet, FTP, SMB, WSL, etc.).
- SYSTEM UPDATES AND WINDOWS SECURITY
Enable periodic, automatic updates for the operating system and applications.
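An added example (not from the original notes) that turns the firewall, service, UAC, AutoPlay and account rules of thumb above into a PowerShell baseline script: run it from an elevated prompt, and with -AuditOnly it only reports what differs. BitLocker and Windows Update are left to their own tooling; the registry paths are the standard Windows policy keys for these settings.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original notes: applies the firewall, service, UAC,
# AutoPlay and account rules of thumb. -AuditOnly reports without changing anything.
param([switch]$AuditOnly)

function Set-RegValue([string]$Path, [string]$Name, [int]$Value) {
    # Report the current DWORD; set it only when it differs and we are not auditing.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $cur = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($cur -eq $Value) { Write-Host "[OK]  $Name = $Value"; return }
    Write-Host "[FIX] $Name : '$cur' -> $Value"
    if (-not $AuditOnly) { Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord }
}

# 1. Firewall: every profile on, inbound blocked by default, outbound allowed.
#    Inbound exceptions are then added per service with New-NetFirewallRule.
if (-not $AuditOnly) {
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
}
foreach ($p in Get-NetFirewallProfile) {
    $ok = ("$($p.Enabled)" -eq 'True') -and ("$($p.DefaultInboundAction)" -eq 'Block')
    Write-Host "[$(if ($ok) {'OK'} else {'FIX'})]  Firewall $($p.Name): Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)"
}

# 2. Services: Remote Registry (MS-RRP) off unless something actually needs it.
$rr = Get-Service RemoteRegistry
Write-Host "[$(if ($rr.StartType -eq 'Disabled') {'OK'} else {'FIX'})]  RemoteRegistry startup = $($rr.StartType)"
if (-not $AuditOnly) {
    Stop-Service RemoteRegistry -Force -ErrorAction SilentlyContinue
    Set-Service RemoteRegistry -StartupType Disabled
}

# 3. UAC on and at its highest level: admins are prompted on the secure desktop.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-RegValue $sys 'EnableLUA' 1
Set-RegValue $sys 'ConsentPromptBehaviorAdmin' 2
Set-RegValue $sys 'PromptOnSecureDesktop' 1

# 4. AutoPlay/Autorun off for all drive types (0xFF sets every bit of the mask).
Set-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun' 255

# 5. Accounts: disable the built-in Guest account (RID 501) and list local admins for review.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
if ($guest.Enabled) {
    Write-Host "[FIX] Guest account '$($guest.Name)' is enabled"
    if (-not $AuditOnly) { Disable-LocalUser -InputObject $guest }
} else { Write-Host "[OK]  Guest account disabled" }
Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { Write-Host "[INFO] Local admin: $($_.Name)" }
```

Re-run with -AuditOnly after applying to confirm every line reads [OK]; the [INFO] admin list is for manual review, since the notes keep the Administrator account as the one exception to least privilege.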
Useful administrator tools (Microsoft Sysinternals):
Debloat Win 10 & First Installation
Install Essentials:
- WSL (Optional) https://learn.microsoft.com/en-us/windows/wsl/install (wsl --install -d <distribution>)
- Windows Terminal
- Process Explorer from Sysinternals: replace Task Manager, disable “Hide when Minimized”, and enable dark mode 🙂
Debloat & Extra Powertools:
iwr -useb https://christitus.com/win | iex
Active Directory Services:
Settings > Apps > Optional features > Add an optional feature > search “RSAT”; install the Certificate Services tools and the AD DS and AD LDS tools
Malware & Cheat Sheets (Sysmon, Logs, etc.)
Tools - Misc
Convert .ps1 to .EXE
The following tool converts PowerShell scripts into executables: https://www.powershellgallery.com/packages/ps2exe/1.0.10
To convert our installer into an exe:
1.- Install the “ps2exe” module:
Install-Module ps2exe
2.- Convert the installer into an executable so it is more portable and easy to share with collaborators:
Invoke-ps2exe .\input_script.ps1 .\output.exe
Note that the resulting exe only wraps the script; it does not obfuscate it, so anything embedded in it (credentials, keys) remains readable.
Security tools
Binisoft Windows Firewall Control
- Sysmon - System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
- Guide 1 - Olaf Hartong has a project called Sysmon Modular. It breaks out each Sysmon event ID and adds MITRE technique IDs to the logs. https://github.com/olafhartong/sysmon-modular
- Guide 2 - Swift on Security has a Sysmon configuration file that is documented and works as a great start. https://github.com/SwiftOnSecurity/sysmon-config
- Auditd - The auditd subsystem is an access monitoring and accounting framework for Linux developed and maintained by Red Hat. It is designed to integrate tightly with the kernel and watch for interesting system calls. Likely because of this level of integration and detailed logging, it is also used as the logger for SELinux.
- OSQuery - osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.
- Velociraptor - Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries.
- Windows Defender Exploit Guard - Windows Defender Exploit Guard is built into Professional edition and higher Windows machines. It includes process- and memory-level protection mechanisms with a suite of auditing capabilities. Exploit Guard is not to be confused with Windows Defender Antivirus. It allows overriding security controls per process or folder and is controlled via an XML configuration file. The XML file is pushed via Group Policy or an asset management tool such as SCCM or Intune.
- Windows Ransomware Protection - Windows 10 includes built-in ransomware protection that is off by default. It can be deployed in monitor-only mode as well as in blocking mode. It adds protection mechanisms around which users and processes may access files on a system.
- AppLocker - Windows 10 Enterprise and Server Standard and above include AppLocker, Microsoft's application whitelisting product. Other Windows versions do not have AppLocker but do have Software Restriction Policies.
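An added example (not from the original notes) for the Windows Ransomware Protection and Windows Defender Exploit Guard entries above: it enables Defender's Controlled Folder Access (the ransomware protection setting) in monitor-only mode, reads the resulting audit events so the allow-list can be tuned before switching to blocking mode, and exports the Exploit Guard per-process settings to the XML file that Group Policy or Intune would push. The folder and application paths are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original notes. Placeholder paths: change both.
$protectedFolder = 'C:\Projects'
$trustedApp      = 'C:\Tools\backup.exe'

# Monitor-only first: access to protected folders is logged, nothing is blocked.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders $protectedFolder
Add-MpPreference -ControlledFolderAccessAllowedApplications $trustedApp

# Show the effective configuration (0 = Off, 1 = Block, 2 = Audit).
$pref = Get-MpPreference
"CFA mode:          $($pref.EnableControlledFolderAccess)"
"Protected folders: $($pref.ControlledFolderAccessProtectedFolders -join ', ')"
"Allowed apps:      $($pref.ControlledFolderAccessAllowedApplications -join ', ')"

# Review what CFA would have blocked over the last week.
# Defender operational log: event 1124 = audited, 1123 = blocked.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Action  = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
        Message = $_.Message
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap

# Once the audit list contains only expected tools, switch to blocking mode:
# Set-MpPreference -EnableControlledFolderAccess Enabled

# Exploit Guard: per-process mitigations live in an XML file. Export the current
# settings for review and deployment; import a reviewed baseline with the second line.
Get-ProcessMitigation -RegistryConfigFilePath .\ExploitProtection.xml
# Set-ProcessMitigation -PolicyFilePath .\ExploitProtection.xml
```

Legitimate tools that show up as "Audited" in the table are candidates for the allowed-applications list; anything unexpected is worth investigating with the Sysmon process-creation events from the guides above.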