# Attack Surface Reduction (ASR) rules to enforce, keyed by rule GUID.
# Defender identifies a rule only by its GUID; the value is a human-readable
# reminder of what each rule does. ASR rules are applied by Microsoft
# Defender Antivirus and only take effect while its real-time protection
# is active. To assess impact before enforcing, pass AuditMode instead of
# Enabled as the action: matches are logged but not blocked.
$asrRules = [ordered]@{
  '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
  'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PSExec and WMI commands'
  'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
}
# One Add-MpPreference call per rule, in the order listed above.
foreach ($ruleId in $asrRules.Keys) {
  Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions Enabled
}
# Verify ASR rules are enabled
# (Get-MpPreference).AttackSurfaceReductionRules_Ids and
# (Get-MpPreference).AttackSurfaceReductionRules_Actions list the configured
# rules and their actions, index-aligned.

Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Microsoft Defender Exploit Guard → Attack Surface Reduction → "Configure Attack Surface Reduction rules" = Enabled

Add rules: use the rule GUID as the value name and 1 as the value (1 = Block): 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 1 (Block)

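# Switch the *current* PowerShell session to Constrained Language Mode.
# NOTE: this is per-session only, not global. A new powershell.exe process
# starts in FullLanguage again, so this line alone is not a persistent
# control; it is useful for testing what CLM breaks. Persistent enforcement
# comes from an AppLocker or WDAC policy (see below). Once a session is in
# ConstrainedLanguage, changing the mode back in that session is rejected.
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
# Verify current language mode (expected: ConstrainedLanguage)
$ExecutionContext.SessionState.LanguageMode
if ($ExecutionContext.SessionState.LanguageMode -ne 'ConstrainedLanguage') {
  Write-Warning "LanguageMode is $($ExecutionContext.SessionState.LanguageMode); Constrained Language Mode was not applied to this session"
}
# Configure via Group Policy using AppLocker
# This prevents PowerShell from accessing dangerous .NET APIs
# Create AppLocker policy that enforces Constrained Language Mode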
# Sigma rule header. Only the metadata section is included in this excerpt;
# the logsource and detection sections are not shown here.
title: LSASS Memory Dump via Comsvcs.dll
id: a49fa4d5-11db-418c-8473-1e014a74f0d6
status: stable
description: Detects LSASS memory dumping using comsvcs.dll MiniDump function
references:
- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
author: Security Operations Team
# Slash-separated date is the legacy Sigma v1 format; newer Sigma
# specification versions expect ISO 8601 (YYYY-MM-DD).
date: 2025/10/24
tags:
# attack.t1003.001 (OS Credential Dumping: LSASS Memory) is the matching
# ATT&CK sub-technique and is typically listed alongside the tactic tag.
- attack.credential_access
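# Create honeypot user account
# The account is a lure: nobody should ever log into it, so the password
# value is operationally irrelevant. It must still be unguessable, because
# the account is placed in the local Administrators group below; a fixed
# plaintext password in a script would turn the lure into a real backdoor
# for anyone who reads the script. A random 256-bit secret avoids that,
# while any logon attempt against the account name (e.g. events 4624,
# 4625, 4648 for this user) still surfaces as the detection signal.
$honeyUsername = "administrator_backup"
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$secretBytes = New-Object byte[] 32
$rng.GetBytes($secretBytes)
$rng.Dispose()
$honeyPassword = ConvertTo-SecureString ([Convert]::ToBase64String($secretBytes)) -AsPlainText -Force
# Wipe the plaintext bytes once the SecureString holds the value
[Array]::Clear($secretBytes, 0, $secretBytes.Length)
# Create account with description to make it look legitimate.
# -ErrorAction Stop so a failed creation does not fall through to the
# group-membership step.
New-LocalUser -Name $honeyUsername -Password $honeyPassword -Description "Backup administrator account - DO NOT USE" -ErrorAction Stop
Add-LocalGroupMember -Group "Administrators" -Member $honeyUsername -ErrorAction Stop
# Set account to never expire
Set-LocalUser -Name $honeyUsername -PasswordNeverExpires $true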
# This technique plants fake (honeytoken) credentials in LSASS memory.
# When LSASS is dumped, an attacker who replays those credentials
# triggers an alert, since no legitimate logon ever uses them.
# Note: Requires specialized tools like:
# - DCEPT (Active Directory honeypot)
# - Canarytokens
# - Commercial deception platforms (Illusive Networks, Attivo, etc.)
# Example using PowerShell (simplified concept):
# Purple Team Testing Framework
function Test-LsassDefenses {
[CmdletBinding()]
param(
[switch]$TestWDigest,
[switch]$TestCredGuard,
[switch]$TestPPL,
[switch]$TestMonitoring,
[switch]$TestASR,
[switch]$GenerateReport
# Quick deployment script for critical defenses
function Enable-LsassHardening {
[CmdletBinding(SupportsShouldProcess)]
param(
[switch]$Force
)
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
Write-Error "This script requires Administrator privileges"
return
# Create isolated lab environment (Domain Controller + Workstation)
# Use Hyper-V, VMware, or VirtualBox
# Lab Architecture:
# 1. Domain Controller (DC01) - Windows Server 2022
# 2. Workstation (WS01) - Windows 11 Enterprise
# 3. Attacker box (Kali/Windows) - for testing tools
# 4. SIEM/Log collector (Ubuntu with ELK stack or Splunk)
# Network: Isolated virtual network (no internet access)
# Purple Team Lab Testing Framework
function Start-LsassLabTest {
param(
[Parameter(Mandatory)]
[ValidateSet('Baseline', 'TaskManager', 'Comsvcs', 'ProcDump', 'DirectSyscall')]
[string]$TestScenario,
[string]$TargetHost = "WS01",
[string]$SiemHost = "192.168.100.40",
[int]$WaitTimeSeconds = 60