

  • Shift+F10 PXE Attack....nearly 4 years on

    During MDT or ConfigMgr deployment of Windows 10, press Shift+F10 while Windows is detecting devices. A command prompt with SYSTEM privileges pops up, allowing all sorts of shenanigans without being logged by the SIEM, because those agents aren't running yet. The same attack works during Windows 10 upgrades, when BitLocker drive encryption is disabled. This is an old issue, raised some 3 to 4 years ago.... Well, today on my test rig during a 1909 deployment I was just curious: it can't still be vulnerable.... oops. The fix is pretty straightforward, although I can't take credit; that belongs to Johan Arwidmark and this post here.

        #Declare mount folders for the DISM offline update
        $mountFolder1 = 'D:\Mount1'
        $mountFolder2 = 'D:\Mount2'
        $WinImage = 'D:\MDTDeployment\Operating Systems\Windows 10 x64 1909\sources'

        #Mount install.wim to the first mount folder
        Mount-WindowsImage -ImagePath "$WinImage\install.wim" -Index 1 -Path $mountFolder1

        #Mount winre.wim (inside the mounted install.wim) to the second mount folder
        Mount-WindowsImage -ImagePath "$mountFolder1\Windows\System32\Recovery\winre.wim" -Index 1 -Path $mountFolder2

        #Create the folder for the DisableCMDRequest.TAG file in winre.wim
        New-Item "$mountFolder2\Windows\setup\scripts" -ItemType Directory

        #Create the DisableCMDRequest.TAG file for winre.wim
        New-Item "$mountFolder2\Windows\setup\scripts\DisableCMDRequest.TAG" -ItemType File

        #Commit changes to winre.wim
        Dismount-WindowsImage -Path $mountFolder2 -Save

        #Create the folder for the DisableCMDRequest.TAG file in install.wim
        New-Item "$mountFolder1\Windows\setup\scripts" -ItemType Directory

        #Create the DisableCMDRequest.TAG file for install.wim
        New-Item "$mountFolder1\Windows\setup\scripts\DisableCMDRequest.TAG" -ItemType File

        #Commit changes to install.wim (the saved winre.wim is captured with it)
        Dismount-WindowsImage -Path $mountFolder1 -Save

  • Kali on Pi or Odroid?

    I've purchased various pentest devices, not going to mention any names. I've always found them to be lacking in capability and storage. A better option, and one where you get to assemble your own device, is to use a Pi or my favourite, the Odroid; they tend to have more power.

    1. Download the ARM image from https://www.offensive-security.com/kali-linux-arm-images/
    2. Install Win32DiskImager on Windows: http://sourceforge.net/projects/win32diskimager/files/latest/download
    3. Insert a microSD card of at least 16GB.
    4. Burn the Kali image to the card.
    5. Insert it into the Pi\Odroid and power on.
    6. Log on with the default account root and the password toor. If that fails, try kali and kali.
    7. Run passwd to change the password.
    8. Update and upgrade:

        apt-get update && apt-get upgrade
        apt-get -y full-upgrade

  • Welcome

    Hi, please leave a comment about the site... Be gentle, it's still very much under construction. But if you have questions or an idea for future content, do feel free to write something. Thanks, Tenaka

  • Disable Administrator and Set a Random Password with PowerShell

        <#
        .Synopsis
        Disable the Administrator account and set a random password

        .Description

        .Version
        #>

        #Password length
        $length = 20

        #Minimum number of symbols (non-alphanumeric characters) to use in the password
        #Do not set too high as this will remove complexity and make passwords easier to compromise
        $random = 5

        #Creates a random password (System.Web.Security.Membership is only available in Windows PowerShell, not PowerShell 7)
        Add-Type -AssemblyName System.Web
        $randPass = [System.Web.Security.Membership]::GeneratePassword($length, $random)

        #Var for the Administrator account
        $admin = "Administrator"

        #Sets the Administrator password
        net user $admin $randPass /YES

        #Disables the Administrator account
        net user $admin /active:no
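    As an added example (not the page's own script), the same outcome done without the password ever appearing on a command line: `net user` takes the password as an argument, which process-creation auditing (event 4688 with command-line logging) records. The password comes from the .NET CSPRNG via `System.Security.Cryptography.RandomNumberGenerator`, which exists in both Windows PowerShell and PowerShell 7, and is applied with `Set-LocalUser` as a SecureString. The function names and the `-Length`/`-MinSymbols` parameters are this example's own, and the built-in account is located by its RID 500 rather than by name in case it has been renamed.

```powershell
#Requires -RunAsAdministrator
# Added example: CSPRNG password, applied through the LocalAccounts cmdlets (no clear text on a command line).
# Function and parameter names are this example's own, not the page's.

function Get-RandomIndex {
    param([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$Count)
    # Rejection sampling over one byte so every index is equally likely (no modulo bias)
    $limit = 256 - (256 % $Count)
    $buf = New-Object byte[] 1
    do { $Rng.GetBytes($buf) } while ($buf[0] -ge $limit)
    return [int]($buf[0] % $Count)
}

function New-RandomPassword {
    param([int]$Length = 20, [int]$MinSymbols = 5)
    if ($MinSymbols -gt $Length) { throw "MinSymbols cannot exceed Length" }
    # Ambiguous glyphs (0/O, 1/l/I) left out so the value can be read back from a safe if ever needed
    $letters = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789'
    $symbols = [char[]]'!#$%&*+-=?@^_'
    $all     = $letters + $symbols
    $rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars   = New-Object System.Collections.Generic.List[char]

    # Guarantee the symbol minimum, then fill the remainder from the whole set
    for ($i = 0; $i -lt $MinSymbols; $i++) { $chars.Add($symbols[(Get-RandomIndex $rng $symbols.Length)]) }
    for ($i = $MinSymbols; $i -lt $Length; $i++) { $chars.Add($all[(Get-RandomIndex $rng $all.Length)]) }

    # Fisher-Yates shuffle so the guaranteed symbols are not all at the front
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex $rng ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

function Disable-BuiltInAdministrator {
    # The built-in Administrator always has RID 500, whatever it has been renamed to
    $admin  = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $plain  = New-RandomPassword -Length 20 -MinSymbols 5
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    # Set-LocalUser takes a SecureString, so the value is not part of any process command line
    Set-LocalUser -Name $admin.Name -Password $secure
    Disable-LocalUser -Name $admin.Name
    Remove-Variable -Name plain, secure

    return (Get-LocalUser -Name $admin.Name).Enabled   # $false once the account is disabled
}

Disable-BuiltInAdministrator
```

    The password is deliberately never stored or printed, matching the post's intent of a throwaway value on a disabled account; if a recoverable password is required, it should be escrowed (for example with LAPS) rather than written to disk by the script.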

  • Setting Windows Time Server with PowerShell

    To set a time server by either IP or FQDN for non-domain-joined clients. For instructions on how to deploy from MDT (here).

        <#
        .Synopsis
        Set the time server for non-domain-joined clients (0x8) to FQDN addresses

        .Description

        .Version
        #>
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' -Name NTPServer -Value "pool.ntp.org,0x8 time.windows.com,0x8 time.google.com,0x8" -Force

        <#
        .Synopsis
        Set the time server for non-domain-joined clients (0x8) to time server IP addresses

        .Description

        .Version
        #>
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' -Name NTPServer -Value "192.168.0.10,0x8 192.168.0.11,0x8" -Force
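    The registry write above sets the peer list, but the Windows Time service only re-reads its configuration when told to. As an added example that is not the page's own code, the same setting applied with `w32tm` (which writes the NtpServer and Type values and signals the service), followed by a read-back so the change can be verified. The function names and parameters are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: configure manual NTP peers with w32tm and verify, instead of the bare registry write.
# Function and parameter names are this example's own.

function Set-NtpClient {
    param(
        [Parameter(Mandatory)][string[]]$Peer,   # e.g. 'pool.ntp.org' or '192.168.0.10'
        [string]$Flags = '0x8'                    # 0x8 = client mode, the same flag the post uses
    )
    $peerList = ($Peer | ForEach-Object { "$_,$Flags" }) -join ' '

    # /syncfromflags:manual sets Type=NTP so only the manual peer list is used; /update signals the service
    w32tm.exe /config /manualpeerlist:"$peerList" /syncfromflags:manual /update | Out-Null

    # Make sure the service is up and ask for an immediate sync
    Set-Service -Name w32time -StartupType Automatic
    Start-Service -Name w32time
    w32tm.exe /resync /nowait | Out-Null

    return $peerList
}

function Test-NtpClient {
    # Read back what was written and what the service actually reports as its source
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    [pscustomobject]@{
        NtpServer = $params.NtpServer
        Type      = $params.Type
        Source    = (w32tm.exe /query /source)
        Status    = (w32tm.exe /query /status | Where-Object { $_ -match '^(Leap|Stratum|Last Successful)' }) -join '; '
    }
}

Set-NtpClient -Peer 'pool.ntp.org', 'time.windows.com', 'time.google.com'
Test-NtpClient | Format-List
```

    `Type` should read `NTP` and `Source` should name one of the configured peers once a sync has succeeded; a `Source` of `Local CMOS Clock` means the peers are not reachable (UDP 123 outbound blocked, or the names not resolving).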

  • Update Windows Services to Use Least Privilege Accounts with PowerShell

    It's standard for application services to run as SYSTEM. In many cases this is excessive and leaves the operating system vulnerable to escalation attacks, particularly if there is an unquoted path or an unpatched vulnerability.

    The following is a script deployable from MDT or SCCM for use on standalone and domain-joined systems. It's for when the service account doesn't require a domain account but benefits from least privilege and randomized passwords. The script creates a service account without any elevated privileges, adds it to the 'Logon as a Service' right and then updates the Windows Service for the targeted application.

    The password for each svc account is unique, to prevent one compromised password from allowing all systems with that account and password combination to be compromised. Passwords are not written out to disk, otherwise it's possible to recover the files and passwords with recovery tools.

    The GitHub script is downloadable from (here).

        <#
        .Synopsis
        Update a Windows Service that is running as SYSTEM to a non-privileged user account

        .Description
        List the service account name and the name of the Windows Service to be updated.
        Create the user account and strip out the local Users group so it's not interactive; set a randomized password.
        Update the service with the account and password.
        Export and update User Rights Assignments so the service account has the 'Logon as a Service' right.

        .Version
        #>

        #List of service accounts (svc_) and the application service each svc_ will run
        $svc1 = @{"svc_splunk"   = "splunk"}
        $svc2 = @{"svc_account2" = "Application2"}
        $svc3 = @{"svc_account3" = "Application3"}

        $svcUsers = $svc1, $svc2, $svc3

        #Create each service account with a randomised password,
        #then find the Windows Service and update it to use the service account
        foreach ($svcAcc in $svcUsers) {
            #Service account name (each hashtable holds a single key/value pair)
            $svcAccount = [string]($svcAcc.Keys | Select-Object -First 1)

            #Application (service) name
            $appName = [string]($svcAcc.Values | Select-Object -First 1)

            #Password length
            $length = 12

            #Number of non-alphanumeric characters
            $random = 3

            #Creates a complex random password for each svc account
            Add-Type -AssemblyName System.Web
            $randPass = [System.Web.Security.Membership]::GeneratePassword($length, $random)

            #Create the svc account with the randomized password, unable to change its own password
            net user $svcAccount $randPass /PASSWORDCHG:NO /ADD /YES

            #Remove the Users group membership so it's a service account and cannot log on interactively
            net localgroup users $svcAccount /DELETE

            #If the account needs to read security events (normally a service that forwards events to a SIEM)
            if ($svcAccount -eq "svc_splunk") {
                #Add to the Event Log Readers group to read the Security event log
                net localgroup "Event Log Readers" $svcAccount /ADD
            }

            #Set the password to never expire
            WMIC useraccount where "Name='$svcAccount'" SET PasswordExpires=FALSE

            #Get the Windows Service based on the name of the listed app
            $svcName = gwmi Win32_Service -Filter "name='$appName'"

            #Update the Windows Service so the svc account and password replace SYSTEM
            #(Change: DisplayName, PathName, ServiceType, ErrorControl, StartMode, DesktopInteract, StartName, StartPassword)
            $svcName.Change($null, $null, $null, $null, $null, $false, ".\$svcAccount", $randPass)
        }

        #Hostname
        $hn = hostname

        #Create a new folder to export the security template to
        $path = "C:\Logs\Services"
        New-Item $path -ItemType Directory -Force

        #Export security settings including User Rights Assignments with secedit.exe
        secedit.exe /export /cfg $path\currentTemplate.inf

        #The current line of account SIDs holding 'Logon as a service', e.g. SeServiceLogonRight = *S-1-5-80-0,*S-1-5-...
        $logonAsRight = Select-String $path\currentTemplate.inf -Pattern "SeServiceLogonRight"
        $origSids = $logonAsRight.Line

        #Create an empty template
        Add-Content -Path $path\newTemplate.inf -Value '[Unicode]'
        Add-Content -Path $path\newTemplate.inf -Value 'unicode=YES'
        Add-Content -Path $path\newTemplate.inf -Value '[System Access]'
        Add-Content -Path $path\newTemplate.inf -Value '[Event Audit]'
        Add-Content -Path $path\newTemplate.inf -Value '[Registry Values]'
        Add-Content -Path $path\newTemplate.inf -Value '[version]'
        Add-Content -Path $path\newTemplate.inf -Value 'signature="$CHICAGO$"'
        Add-Content -Path $path\newTemplate.inf -Value 'Revision=1'
        Add-Content -Path $path\newTemplate.inf -Value '[Privilege Rights]'

        #Resolve each new service account to its SID
        $svcSid = @()
        foreach ($svcAcc in $svcUsers) {
            #Service account name
            $svcAccount = [string]($svcAcc.Keys | Select-Object -First 1)

            #New object for each service account
            $objUser = New-Object System.Security.Principal.NTAccount("$hn\$svcAccount")
            $strSid = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
            $svcSid += $strSid.Value
        }

        #Start from the original line and append each new SID, so existing holders of the right are kept
        $sidCombine = $origSids
        foreach ($svc in $svcSid) {
            $sidCombine += ",*$svc"
        }

        #Write the combined SeServiceLogonRight line into newTemplate.inf
        Add-Content -Path $path\newTemplate.inf -Value $sidCombine

        #Run secedit to import the template and grant all the accounts 'Logon as a Service'
        secedit.exe /configure /db $path\secEdit.sdb /cfg $path\newTemplate.inf /log $path\newTemplate.log
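    Before running the script above it helps to know which services are candidates. As an added example that is not the page's own code, a report of services that still run as SYSTEM, with the unquoted-path condition the post names flagged alongside, so the list can be prioritised. The function names, the output fields and the constructed sample records are this example's own.

```powershell
# Added example: report services running as SYSTEM and flag unquoted executable paths.
# Function names, output fields and the sample records are this example's own, not the page's.

function Test-UnquotedServicePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    $p = $PathName.Trim()
    # A quoted path is unambiguous; only an unquoted path with a space before the .exe is a problem
    if ($p.StartsWith('"')) { return $false }
    $exeEnd = $p.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    $binary = if ($exeEnd -ge 0) { $p.Substring(0, $exeEnd + 4) } else { ($p -split ' ')[0] }
    return $binary.Contains(' ')
}

function Get-ServicePrivilegeReport {
    # Accepts any objects with Name/StartName/PathName so it can run over live services or sample data
    param([object[]]$Service = (Get-CimInstance -ClassName Win32_Service))
    foreach ($s in $Service) {
        $account = if ($s.StartName) { $s.StartName } else { 'LocalSystem' }
        [pscustomobject]@{
            Name         = $s.Name
            Account      = $account
            RunsAsSystem = $account -in @('LocalSystem', 'NT AUTHORITY\SYSTEM', '.\LocalSystem')
            UnquotedPath = Test-UnquotedServicePath $s.PathName
            PathName     = $s.PathName
        }
    }
}

# Constructed sample records (not captured from a real host) showing what the report flags:
# only AppTwo is both SYSTEM and unquoted with a space in the path
$sample = @(
    [pscustomobject]@{ Name = 'splunk';  StartName = '.\svc_splunk'; PathName = '"C:\Program Files\Splunk\bin\splunkd.exe" service' }
    [pscustomobject]@{ Name = 'AppTwo';  StartName = 'LocalSystem';  PathName = 'C:\Program Files\App Two\app2.exe -svc' }
    [pscustomobject]@{ Name = 'Spooler'; StartName = 'LocalSystem';  PathName = 'C:\Windows\System32\spoolsv.exe' }
)
Get-ServicePrivilegeReport -Service $sample | Format-Table -AutoSize

# On a real host: the candidates for the post's script, SYSTEM services whose binary path is unquoted
Get-ServicePrivilegeReport | Where-Object { $_.RunsAsSystem -and $_.UnquotedPath } | Format-Table -AutoSize
```

    Quoting the path (or moving the service off SYSTEM, as the post does) removes the finding; the report is read-only and safe to run under a scheduled compliance check.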

  • Disable LLMNR, IPv6 and Other Network Services

    The following tweaks are for disabling network features that are either legacy but still enabled, or not required. Each setting can be applied by running it from an elevated PowerShell directly, or deployed from MDT or ConfigMgr.

        <#
        .Synopsis
        Disable IPv6

        .Description
        If IPv6 isn't deployed on the network it should be disabled correctly via the registry, not by unchecking the IPv6 component in Network Connections.

        .Version
        #>
        #Disable IPv6 by setting 0xff; do not set 0xffffffff as it slows down boot
        New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -Name DisabledComponents -PropertyType DWORD -Value 0xff -Force

        <#
        .Synopsis
        Disable LLMNR

        .Description
        LLMNR or Responder should be actively disabled as it broadcasts the password hash and account name of the user or service account. Open Run and type '\\server\share'; as this is very unlikely to exist, the client will query the network by broadcasting on port 5355 with your account and password hash. Kali running Responder will pick this up and feed it into 'John the Ripper'.

        Block ports TCP\UDP 5355 both inbound and outbound.

        Or set 'Turn on Responder (RSPNDR) Driver' to 'Disabled' in GPO 'Computer > Policies > Administrative Templates > Network > Link-Layer Topology Discovery'.

        .Version
        #>
        #Disable LLMNR
        New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT" -Name DNSClient -Force
        New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name EnableMultiCast -Value 0 -PropertyType DWORD -Force

        <#
        .Synopsis
        Disable both LMHOSTS and NetBIOS

        .Description
        LMHOSTS is the legacy file used for name resolution.

        NetBIOS is often enabled by default on Windows systems but is legacy for SMB and printer traffic; it can be abused, leading to the system being exploited. Port 139 is used by Nbtstat to query for Windows devices.

        Block ports UDP 137-138 both inbound and outbound.
        Block port TCP 139 both inbound and outbound.

        .Version
        #>
        #Disable the LMHOSTS file in network settings (EnableWINS is a static method of the class)
        $lmhost = @{
            DNSEnabledForWINSResolution = $false
            WINSEnableLMHostsLookup     = $false
        }
        Invoke-CimMethod -ClassName Win32_NetworkAdapterConfiguration -MethodName EnableWINS -Arguments $lmhost

        #Disable NetBIOS over TCP/IP on every interface (NetbiosOptions 2 = disabled)
        $netbios = Get-ChildItem -Recurse "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" | Where-Object { $_.Property -contains "NetbiosOptions" }
        foreach ($op in $netbios) {
            $opPath = $op.Name.Replace("HKEY_LOCAL_MACHINE", "HKLM:")
            Set-ItemProperty $opPath -Name NetbiosOptions -Value 2 -Force
        }

        <#
        .Synopsis
        Disable Universal Plug and Play for network devices

        .Description
        UPnP allows devices to discover and share data with other network devices; there is a small risk of this service being abused. It's a small but real risk and, more importantly, it's a service that isn't needed, so it's disabled.

        Block port TCP 5000 inbound.
        Block port UDP 1901 inbound.

        Stop the 'UPnP Device Host' Windows service.

        .Version
        #>
        #Disable network discovery (Link-Layer Topology Discovery mapper I/O and responder) via policy
        $lltd = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD"
        New-Item -Path $lltd -Force | Out-Null
        Set-ItemProperty $lltd -Name AllowLLTDIOOnDomain -Value 0 -Force
        Set-ItemProperty $lltd -Name AllowLLTDIOOnPublicNet -Value 0 -Force
        Set-ItemProperty $lltd -Name AllowRspndrOnDomain -Value 0 -Force
        Set-ItemProperty $lltd -Name AllowRspndrOnPublicNet -Value 0 -Force
        Set-ItemProperty $lltd -Name EnableLLTDIO -Value 0 -Force
        Set-ItemProperty $lltd -Name EnableRspndr -Value 0 -Force
        Set-ItemProperty $lltd -Name ProhibitLLTDIOOnPrivateNet -Value 1 -Force
        Set-ItemProperty $lltd -Name ProhibitRspndrOnPrivateNet -Value 1 -Force
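    Once the tweaks above have been deployed, the state should be verified rather than assumed, particularly because a missing policy key or an interface added later silently undoes the NetBIOS setting. As an added example that is not the page's own code, a read-back of each setting the post changes, reported as compliant or not. The function names and the Expected/Actual output shape are this example's own; the service name `upnphost` is the Windows service name behind 'UPnP Device Host'.

```powershell
# Added example: verify the IPv6, LLMNR, NetBIOS, LMHOSTS and UPnP settings the post applies.
# Function names and the output shape are this example's own, not the page's.

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-LegacyNetworkHardening {
    $checks = New-Object System.Collections.Generic.List[object]

    function Add-Check($Item, $Expected, $Actual) {
        $checks.Add([pscustomobject]@{
            Item      = $Item
            Expected  = $Expected
            Actual    = $Actual
            Compliant = ($null -ne $Actual) -and ("$Actual" -eq "$Expected")
        })
    }

    # IPv6 components: the post sets 0xff (255)
    Add-Check 'IPv6 DisabledComponents' 255 (Get-RegValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 'DisabledComponents')

    # LLMNR: EnableMultiCast = 0 under the DNSClient policy key
    Add-Check 'LLMNR EnableMultiCast' 0 (Get-RegValueOrNull 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMultiCast')

    # NetBIOS over TCP/IP: every interface should carry NetbiosOptions = 2
    $ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($if in $ifaces) {
        Add-Check "NetBIOS $($if.PSChildName)" 2 (Get-RegValueOrNull $if.PSPath 'NetbiosOptions')
    }

    # LMHOSTS lookup should be off on every IP-enabled adapter
    $lmhosts = @(Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                 Where-Object { $_.WINSEnableLMHostsLookup }).Count
    Add-Check 'Adapters with LMHOSTS lookup' 0 $lmhosts

    # UPnP Device Host (service name upnphost) should be stopped and disabled
    $svc = Get-Service -Name upnphost -ErrorAction SilentlyContinue
    Add-Check 'upnphost Status'    'Stopped'  ($svc.Status)
    Add-Check 'upnphost StartType' 'Disabled' ($svc.StartType)

    return $checks
}

Test-LegacyNetworkHardening | Format-Table -AutoSize
```

    Any row with `Compliant` false is either a setting that did not apply (the LLTD and DNSClient policy keys must exist before `Set-ItemProperty` will write to them) or drift since deployment; the NetBIOS rows are per interface GUID so a newly added adapter shows up as its own failure.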

  • Setting Folder Permissions with PowerShell

    There have been a few instances where setting folder permissions is required, and I've found the following useful.

        <#
        .Synopsis
        Change FOLDER permissions for Authenticated Users

        .Description

        .Version
        #>

        #Declare inheritance and propagation flags
        $inherNone = [System.Security.AccessControl.InheritanceFlags]::None
        $propNone  = [System.Security.AccessControl.PropagationFlags]::None
        $inherCnIn = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
        $propInOn  = [System.Security.AccessControl.PropagationFlags]::InheritOnly
        $inherObIn = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
        $propNoPr  = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit

        #Applies to this folder, subfolders and files
        $inherBoth = $inherCnIn -bor $inherObIn

        #Declare the principal
        $user = "Authenticated Users"

        #Path to the folder
        $path = "C:\SomeFolder"

        #Return the current permissions
        (Get-Acl $path).Access

        #Remove inheritance, converting the inherited entries into explicit ones
        $aclInh = Get-Acl $path
        $aclInh.SetAccessRuleProtection($true, $true)
        Set-Acl $path $aclInh

        #Remove all existing permissions for the principal
        $getAcl = Get-Acl $path
        $fileAcc = New-Object System.Security.AccessControl.FileSystemAccessRule($user, "FullControl", $inherBoth, $propNone, "Allow")
        $getAcl.RemoveAccessRuleAll($fileAcc)
        Set-Acl $path $getAcl

        #Add a READ permission
        $getAcl = Get-Acl $path
        $fileAcc = New-Object System.Security.AccessControl.FileSystemAccessRule($user, "Read", $inherBoth, $propNone, "Allow")
        $getAcl.SetAccessRule($fileAcc)
        Set-Acl $path $getAcl

        #Add a DENY permission
        $getAcl = Get-Acl $path
        $fileAcc = New-Object System.Security.AccessControl.FileSystemAccessRule($user, "Read", $inherBoth, $propNone, "Deny")
        $getAcl.SetAccessRule($fileAcc)
        Set-Acl $path $getAcl
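    The steps above remove and re-grant access for one principal on one folder. As an added example that is not the page's own code, the check that usually motivates that work: an audit of a folder tree for ACEs that give write-capable rights to broad principals such as Everyone, Users and Authenticated Users. The function name, the default principal list and the `-Recurse` switch are this example's own.

```powershell
# Added example: find ACEs that grant write/modify/full control to broad principals under a folder.
# Function name and default principal list are this example's own, not the page's.

function Get-BroadWriteAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'),
        [switch]$Recurse
    )
    # Any of these bits lets the principal change content or the permissions themselves
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                 [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership

    $items = @(Get-Item -LiteralPath $Path)
    if ($Recurse) { $items += Get-ChildItem -LiteralPath $Path -Recurse -Directory }

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            $isBroad  = $BroadPrincipals -contains $ace.IdentityReference.Value
            $canWrite = ($ace.FileSystemRights -band $writeMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $canWrite) {
                [pscustomobject]@{
                    Folder    = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage: list broad write access under the folder the post hardens, explicit ACEs first
Get-BroadWriteAccess -Path 'C:\SomeFolder' -Recurse | Sort-Object Inherited, Folder | Format-Table -AutoSize
```

    Inherited entries point at the parent where the grant was made; explicit ones are the findings to fix in place with the remove/read-only steps above. Generic access masks (large negative or 268435456-style values on some inherited ACEs) are not decoded here and should be reviewed by hand.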

  • Disable Windows Memory Dumps

    By disabling memory dumps it's no longer possible to recover the dump file and extract sensitive data that is held in memory in the clear.

        <#
        .Synopsis
        Disables Windows memory dumps

        .Description
        Disables the memory dump to prevent extracting clear-text passwords using WinDbg

        0 = None
        1 = Complete Memory Dump
        2 = Kernel Memory Dump
        3 = Small Memory Dump
        7 = Automatic Memory Dump (Default)

        .Version
        #>
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -Name CrashDumpEnabled -Value 0 -Force

  • Disable Windows Recovery

    Disabling the Windows Recovery Environment is a good idea because it reduces the risk of malicious software being installed on the computer. It also prevents unauthorised access to system files, which could lead to data loss or corruption. Additionally, disabling this feature helps prevent accidental changes to critical system settings that can cause serious problems and even render the computer unusable.

        <#
        .Synopsis
        Updates Windows boot and recovery options

        .Description
        Updates Windows boot and recovery options to prevent any boot options from being launched during Windows boot. Windows will boot with a blank screen and provide no recovery options. This is one of a series of mitigations to prevent booting into PXE, Kali or the recovery options to perform attacks against the system:

        UEFI\BIOS - Update the boot order and remove the PXE, USB and CD\DVD boot options
        UEFI\BIOS - Add a complex password to prevent unauthorised changes
        BitLocker - Always encrypt the system drive with BitLocker or alternative full disk encryption
        Recovery Partition - Remove the recovery partition from the MDT\ConfigMgr disk configuration
        BitLocker should be configured with TPM and PIN to prevent an LPC (Low Pin Count) bus sniffing attack

        .Version
        #>
        #Disables automatic repair options for Windows
        cmd.exe /c "bcdedit.exe /set {default} recoveryenabled no"

        #Disables the Windows Error Recovery screen
        cmd.exe /c "bcdedit.exe /set {default} BootStatusPolicy IgnoreAllFailures"

        #Disables all UI elements: logo, status, status messages
        cmd.exe /c "bcdedit.exe /set {default} bootuxdisabled on"

        #Disables advanced startup options (F8)
        cmd.exe /c "bcdedit.exe /set {default} advancedoptions false"

        #Disables the advanced startup option to edit boot options (F10)
        cmd.exe /c "bcdedit.exe /set {default} optionsedit false"

        #Sets the boot timeout to zero
        cmd.exe /c "bcdedit.exe /timeout 0"
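    The bcdedit changes above are easy to lose to an in-place upgrade or a repair, so they are worth checking after the fact. As an added example that is not the page's own code, a small parser for `bcdedit /enum` output compared against the values the post sets, run first over a constructed sample of that output and then against the live boot configuration. The parser, the sample text and the expected-value table are this example's own.

```powershell
# Added example: verify the post's bcdedit settings by parsing `bcdedit /enum` output.
# Parser, sample output and expected values are this example's own, not the page's.

# Constructed sample of `bcdedit /enum {default}` output after the post's commands have run
$sampleBcd = @'
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \WINDOWS\system32\winload.efi
description             Windows 10
recoveryenabled         No
bootstatuspolicy        IgnoreAllFailures
bootuxdisabled          Yes
advancedoptions         No
optionsedit             No
'@

function ConvertFrom-BcdEnum {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Element lines look like "<name><two or more spaces><value>"; headings and rules do not match
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<name>[a-z]+)\s{2,}(?<value>.+?)\s*$') {
            $result[$Matches.name] = $Matches.value
        }
    }
    return $result
}

function Test-BootHardening {
    param([Parameter(Mandatory)][string[]]$Lines)
    $expected = [ordered]@{
        recoveryenabled  = 'No'
        bootstatuspolicy = 'IgnoreAllFailures'
        bootuxdisabled   = 'Yes'
        advancedoptions  = 'No'
        optionsedit      = 'No'
    }
    $actual = ConvertFrom-BcdEnum -Lines $Lines
    foreach ($name in $expected.Keys) {
        [pscustomobject]@{
            Element   = $name
            Expected  = $expected[$name]
            Actual    = $actual[$name]
            Compliant = ($actual[$name] -eq $expected[$name])
        }
    }
}

# Offline run against the constructed sample: all five rows come back Compliant
Test-BootHardening -Lines ($sampleBcd -split "`r?`n") | Format-Table -AutoSize

# On a real host (elevated): the live {default} entry, and the boot manager timeout which should read 0
Test-BootHardening -Lines (bcdedit.exe /enum '{default}') | Format-Table -AutoSize
(ConvertFrom-BcdEnum -Lines (bcdedit.exe /enum '{bootmgr}'))['timeout']
```

    The boot identifiers are quoted (`'{default}'`) because PowerShell would otherwise parse the braces as a script block.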

  • Hide the C:\ Drive

    There are 2 methods for hiding the C: or any other drive: GPO and a Regedt32 tweak.

    There are obvious benefits to preventing users from browsing the system drive, like being able to explore to a file and run it. However, hiding C: needs to be considered as only part of the solution to prevent access. It's still possible to open PowerShell or cmd and then 'cd' without restriction, to create desktop shortcuts to a named file, and many others. Even after locking all these routes down, the audio control icon (assuming the user requires sound control) provides a route into browsing the system.

        <#
        .Synopsis
        Remove access to C:

        .Description
        Removes access to C:\ by setting NoDrives to a value of 4 in the registry, or set the User GPO setting 'Prevent access to drives from My Computer'.

        .Version
        #>
        #Hides C: for all users, including Administrator
        New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoDrives -PropertyType DWORD -Value 4 -Force

        #Hides C: for the user the setting is applied against
        New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoDrives -PropertyType DWORD -Value 4 -Force

    User GPO Settings

  • Windows Defender Application Control aka Device Guard

    Device Guard has the following requirements:

    Hardware requirements
      • UEFI Native Mode
      • Windows 10/2016 x64
      • SLAT and Virtualization Extensions (Intel VT or AMD-V)
      • TPM

    Windows features
      • Windows Defender Application Guard (Isolation mode prior to 1703)
      • Hyper-V Platform (Not required after 1603)
      • Hyper-V Hypervisor

    GPO settings: Computer Configuration > Administrative Templates > System > Device Guard
      • Turn on Virtualization Based Security (enable)
      • Secure Boot and DMA Protection
      • Enable Virtualization Based Protection of Code Integrity
      • Deploy Code Integrity Policy (enable): C:\DeviceGuard\SIPolicy.p7b

    (C:\DeviceGuard\SIPolicy.p7b is automatically copied and converted to C:\Windows\System32\CodeIntegrity\)

    From PowerShell execute:

        Invoke-CimMethod -Namespace root/Microsoft/Windows/CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName update -Arguments @{filepath = "C:\Windows\system32\CodeIntegrity\SIPolicy.p7b"}

    The system will create SIPolicy.p7b and a reboot will enforce Device Guard.

    To create a Device Guard policy run the following.

        <#
        .Synopsis
        Create and enforce a Device Guard code integrity policy

        .Description

        .Version
        #>
        #Sets the working folder for DG
        $CIPolicyPath = "C:\DeviceGuard"

        #C:\DeviceGuard\InitialScan.xml
        $InitialCIPolicy = $CIPolicyPath + "\InitialScan.xml"

        #C:\DeviceGuard\SIPolicy.p7b
        $CIPolicyBin = $CIPolicyPath + "\SIPolicy.p7b"

        #C:\DeviceGuard\CIPolicy.txt - warning output from the initial scan
        $CIPolicyTxt = $CIPolicyPath + "\CIPolicy.txt"

        #Scans C:\ and creates InitialScan.xml using FilePublisher rules, falling back to Hash
        #(the warning stream, 3, is written to CIPolicy.txt)
        New-CIPolicy -Level FilePublisher -Fallback Hash -FilePath $InitialCIPolicy -UserPEs -ScanPath C:\ 3> $CIPolicyTxt

        #Option 0 enables UMCI (user-mode code integrity)
        Set-RuleOption -FilePath $InitialCIPolicy -Option 0

        #Option 3 is Audit Mode; deleting it puts the policy into enforcement mode
        Set-RuleOption -FilePath $InitialCIPolicy -Option 3 -Delete

        #Converts the XML policy to the binary SIPolicy.p7b in C:\DeviceGuard\
        #GPO is set to copy SIPolicy.p7b to C:\Windows\System32\CodeIntegrity
        ConvertFrom-CIPolicy -XmlFilePath $InitialCIPolicy -BinaryFilePath $CIPolicyBin

        #Enable DG to enforce the policy
        Invoke-CimMethod -Namespace root/Microsoft/Windows/CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName update -Arguments @{filepath = "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b"}
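    After the reboot the enforcement state should be confirmed from the running system rather than from the presence of SIPolicy.p7b. As an added example that is not the page's own code, a read-back of the Win32_DeviceGuard CIM class with its numeric status codes decoded, and a single true/false check that virtualization-based security is running and the user-mode policy (rule option 0 above) is enforced rather than in audit. The function names and the decode tables are this example's own.

```powershell
# Added example: decode Win32_DeviceGuard so the VBS and code integrity state is readable.
# Function names and decode tables are this example's own, not the page's.

function Get-DeviceGuardState {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

    # Policy enforcement status codes: 0 = Off, 1 = Audit, 2 = Enforced
    $policyState  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsState     = @{ 0 = 'NotEnabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }
    # SecurityServicesRunning entries: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $serviceNames = @{ 1 = 'CredentialGuard'; 2 = 'HVCI' }

    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesRunning             = @($dg.SecurityServicesRunning | ForEach-Object { $serviceNames[[int]$_] }) -join ','
        KernelModePolicy            = $policyState[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModePolicy              = $policyState[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

function Test-DeviceGuardEnforced {
    # True only when VBS is running and user-mode code integrity is enforced, not merely auditing
    $state = Get-DeviceGuardState
    return ($state.VirtualizationBasedSecurity -eq 'Running') -and ($state.UserModePolicy -eq 'Enforced')
}

Get-DeviceGuardState | Format-List
Test-DeviceGuardEnforced
```

    `UserModePolicy` reading `Audit` means option 3 is still present in the XML that was converted, and `VirtualizationBasedSecurity` stuck at `EnabledNotRunning` usually points back at the hardware list above (SLAT, UEFI native mode or Secure Boot not in place).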
