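# Put the *current* PowerShell session into Constrained Language Mode (CLM).
# NOTE: this property is per-session and opt-in, not a global enforcement
# control: a new PowerShell process starts in FullLanguage again, and an
# attacker who launches their own shell is unaffected. System-wide CLM comes
# from an AppLocker or WDAC (Device Guard) policy, which PowerShell honours by
# starting every session in CLM. Use the line below to *test* that your scripts
# work under CLM, not as hardening on its own.
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'

# Verify the mode actually took effect. Expected value: ConstrainedLanguage.
$mode = $ExecutionContext.SessionState.LanguageMode
if ($mode -ne 'ConstrainedLanguage') {
    Write-Warning "Language mode is '$mode', expected 'ConstrainedLanguage'"
}
$mode

# Configure via Group Policy using AppLocker
# This prevents PowerShell from accessing dangerous .NET APIs
# Create AppLocker policy that enforces Constrained Language Mode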

Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Microsoft Defender Exploit Guard → Attack Surface Reduction → "Configure Attack Surface Reduction rules" = Enabled

Add rules: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 1 (Block)

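# Microsoft Defender Attack Surface Reduction (ASR) rules to enforce.
# Rule GUID -> human-readable name (the GUIDs are Microsoft's fixed rule IDs).
$asrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PSExec and WMI commands'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
}

# Requires an elevated session. If ASR is managed centrally (Intune/GPO),
# local Add-MpPreference changes are overwritten on the next policy refresh -
# set the rules in the central policy instead. Consider 'AuditMode' first on
# hosts that rely on PsExec/WMI-based management tooling, then move to Enabled.
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# Verify ASR rules are enabled.
# Get-MpPreference exposes two parallel arrays: rule IDs and their actions
# (0 = Disabled, 1 = Block/Enabled, 2 = Audit, 6 = Warn).
$pref     = Get-MpPreference
$ids      = @($pref.AttackSurfaceReductionRules_Ids)
$actions  = @($pref.AttackSurfaceReductionRules_Actions)
$observed = @{}
for ($i = 0; $i -lt $ids.Count; $i++) {
    $observed[$ids[$i]] = $actions[$i]
}
foreach ($id in $asrRules.Keys) {
    $action = $observed[$id]   # $null when the rule is not configured at all
    if ($action -eq 1) {
        Write-Host "[PASS] $($asrRules[$id]) ($id): Block" -ForegroundColor Green
    } else {
        Write-Host "[FAIL] $($asrRules[$id]) ($id): action=$action (expected 1 = Block)" -ForegroundColor Red
    }
}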
# RED TEAM SIMULATION - AUTHORIZED TESTING ONLY
# This script demonstrates a realistic attack chain
function Invoke-LsassDumpSimulation {
param(
[string]$OutputPath = "C:\temp\output.dmp",
[switch]$UseComsvcs,
[switch]$UseProcDump,
[string]$C2Server = "attacker.evil.com"
)
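# Timeline of LSASS-related events from the last N hours.
# Security 4656/4663 = handle requested/used on an object (here lsass.exe),
# Security 4688 = process creation, Sysmon 10 = ProcessAccess.
$lookbackHours = 24
$lsassEventIds = @(4656, 4663, 4688, 10)

# ID filtering is done server-side in the FilterHashtable (cheaper than
# Where-Object over every event of the window). "No events were found" is a
# non-terminating error from Get-WinEvent, hence SilentlyContinue.
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security', 'Microsoft-Windows-Sysmon/Operational'
    ID        = $lsassEventIds
    StartTime = (Get-Date).AddHours(-$lookbackHours)
} | Where-Object {
    # Require an lsass reference in addition to the ID: combining the two with
    # `-or` returns every 4688 process-creation event of the window and buries
    # the timeline in noise.
    $_.Message -match 'lsass'
} | Select-Object TimeCreated, Id, Message |
    Sort-Object TimeCreated |
    Format-Table -AutoSize -Wrap   # -Wrap keeps the full Message instead of truncating it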
# 1. Identify the compromised system (placeholder hostname)
$compromisedHost = 'WORKSTATION01'

# 2. Isolate the system (if the EDR supports it)
# Most EDRs expose a CLI/API for network isolation

# 3. Force password resets for the affected users (placeholder account list)
$affectedUsers = 'user1', 'user2', 'admin1'
foreach ($user in $affectedUsers) {
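# Test 1: Verify WDigest is disabled.
# UseLogonCredential = 1 makes LSASS keep plaintext credentials in memory.
# The value is absent by default on Windows 8.1 / Server 2012 R2 and later
# (and on older OS once KB2871997 is installed), where absent means *disabled*;
# on older unpatched systems absent means enabled. So an absent value is
# reported as a warning, not as a plain FAIL (the original reported FAIL).
$wdigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$wdigest = Get-ItemProperty -Path $wdigestPath -Name 'UseLogonCredential' -ErrorAction SilentlyContinue

if ($null -eq $wdigest -or $null -eq $wdigest.UseLogonCredential) {
    Write-Host "[WARN] WDigest UseLogonCredential is not set - disabled by default on Windows 8.1/2012 R2+ or with KB2871997, enabled on older unpatched systems; set it to 0 explicitly to pin the policy" -ForegroundColor Yellow
} elseif ($wdigest.UseLogonCredential -eq 0) {
    Write-Host "[PASS] WDigest is disabled" -ForegroundColor Green
} else {
    Write-Host "[FAIL] WDigest is enabled - plaintext passwords at risk!" -ForegroundColor Red
}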
{
"rule": {
"name": "Potential LSASS Memory Dump",
"description": "Detects attempts to dump LSASS process memory",
"severity": "critical",
"risk_score": 90,
"query": "event.code:(4656 or 4663 or 10) and winlog.event_data.ObjectName:*lsass.exe* and winlog.event_data.AccessMask:(0x1010 or 0x1410 or 0x1438) or (process.name:(*procdump* or rundll32.exe) and process.args:(*lsass* or *comsvcs.dll* or *MiniDump*)) or (file.name:*lsass*.dmp)",
"filters": [
{
"meta": {
SecurityEvent
| where EventID in (4656, 4663)
| where ObjectName has "lsass.exe"
| where AccessMask in ("0x1010", "0x1410", "0x1438")
| project TimeGenerated, Computer, Account, ProcessName, ObjectName, AccessMask
| union (
SecurityEvent
| where EventID == 4688
| where CommandLine has_all ("comsvcs.dll", "MiniDump")
| project TimeGenerated, Computer, Account, ProcessName, CommandLine
index=windows sourcetype=WinEventLog:Security OR sourcetype=WinEventLog:Sysmon
(
(EventCode=4656 OR EventCode=4663) ObjectName="*lsass.exe" AccessMask IN ("0x1010", "0x1410", "0x1438")
OR
(EventCode=1 CommandLine="*comsvcs.dll*" CommandLine="*MiniDump*")
OR
(EventCode=1 Image="*procdump*" CommandLine="*lsass*")
OR
(EventCode=1 ParentImage="*lsass.exe")
OR