- This is an impromptu checklist of sorts. Mostly what I plan to do during MWCCDC competition day. No set order, but more so the priority of tasks. Will fix this up to be more concrete later
Setup and Harden Phase:
- Change the password (obviously)
- Set up logging
- Harden the systems
- Run hardening scripts on Windows and Windows Servers machines
- Do some manual Active Directory Hardening
- Turn on Windows Defender, then (or instead) download Malwarebytes
- Windows Firewall is pretty garbage, but the main thing is to turn it on lmfao (more info below)
- Download DeepBlueCLI for threat hunting
- Run incident response scripts
- Scan machine with winPEAS
- Use the downloaded sysinternals tools to monitor system
- tcpview (network analysis)
- procexp (process analysis)
- procmon (process analysis)
- sysmon (logging)
- Other tools:
- autoruns (I found this useful for the first qualifier)
- osquery
- Use DeepBlueCLI for threat hunting
- Will create its own section after doing more research on this post-competition
- Edit the firewall through group policy (for servers)
- Group Policy Management > GPO > Rt-click and edit
- Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security
- Might have to link the GPO to a specific OU (organizational unit) or force a group policy update before it takes effect
- If/when needed, you can set up basic rules like blocking IP addresses through Windows Firewall
- Viewing Firewall Logs
- Event Viewer > Windows Logs > Security > "Filter Current Log" > Event Sources (Windows Firewall) > Keywords (Audit Success and Failure) > OK
- Disable services by:
- Open 'services' > stop the service > disable the service
- There will be a lot of logs
- Log files (what Windows Event Viewer reads) reside in C:\Windows\System32\winevt\Logs
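Added example (not part of the original checklist): the firewall items above, turning it on, adding a basic block rule, and the Event Viewer Security-log filter, done from an elevated PowerShell prompt instead of the GUI. The blocked address is a constructed placeholder, and the firewall events in the Security log only show up once the two auditpol subcategories below are enabled.

```powershell
# Added example, not from the original checklist. Run elevated.
#Requires -RunAsAdministrator

# 1. Turn the firewall on for every profile, default-deny inbound, and log
#    dropped (and allowed) packets to the standard pfirewall.log for later review.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogAllowed True -LogMaxSizeKilobytes 32767 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Basic block rule for one address, both directions.
#    203.0.113.10 is a constructed placeholder (TEST-NET-3), not a real indicator.
$badIp = '203.0.113.10'
if (-not (Get-NetFirewallRule -DisplayName "Block $badIp" -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName "Block $badIp" -Direction Inbound `
        -RemoteAddress $badIp -Action Block -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName "Block $badIp (out)" -Direction Outbound `
        -RemoteAddress $badIp -Action Block -Profile Any | Out-Null
}

# 3. The Security log only records firewall activity when these audit
#    subcategories are on; this is what the Event Viewer filter above reads.
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable | Out-Null

# 4. PowerShell equivalent of "Security > Filter Current Log > Windows Firewall >
#    Audit Success and Audit Failure": firewall-related IDs plus the two audit keywords.
$fwEventIds = 5152, 5157,        # packet / connection blocked by the filtering platform
              5156,              # connection allowed (noisy, but good for baselining)
              4946, 4947, 4948,  # firewall rule added / modified / deleted
              5025, 5031         # firewall service stopped / app blocked from listening
$auditKw = [System.Diagnostics.Eventing.Reader.StandardEventKeywords]
$filter = @{
    LogName   = 'Security'
    Id        = $fwEventIds
    Keywords  = [long]$auditKw::AuditSuccess, [long]$auditKw::AuditFailure
    StartTime = (Get-Date).AddHours(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# 5. Rule changes also land in the firewall's own operational log (no auditpol needed),
#    which is a quick way to spot someone quietly opening a port during the competition.
Get-WinEvent -LogName 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object Id -in 2004, 2005, 2006 |
    Format-Table TimeCreated, Id, @{ n = 'Rule'; e = { ($_.Message -split "`r?`n")[0] } } -AutoSize
```

Re-run step 4 with a shorter StartTime during the competition to watch for new blocked connections and unexpected rule changes.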