
@api0cradle
Forked from mackwage/windows_hardening.cmd
Created February 24, 2020 07:29

Revisions

  1. @mackwage revised this gist Feb 22, 2020. 1 changed file with 36 additions and 11 deletions.
    47 changes: 36 additions & 11 deletions windows_hardening.cmd
    @@ -11,21 11,47 @@ ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
    ::
    ::#######################################################################
    ::
    :: Enable ASR rules in Win10 1709 ExploitGuard to mitigate Offic malspam
    :: Enable ASR rules in Win10 1709 ExploitGuard to mitigate Office malspam
    :: Blocks Office childprocs, Office proc injection, Office win32 api calls & executable content creation
    :: Note these only work when Defender is your primary AV
    :: Source: https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
    :: Source: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
    :: Source: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction
    :: Easy methods to test rules https://demo.wd.microsoft.com/?ocid=cx-wddocs-testground
    :: Resource on the rules and associated event IDs https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/event-views
    :: ---------------------
    :: Reset Defender to defaults. Commented out but available for reference
    ::%programfiles%\"Windows Defender"\MpCmdRun.exe -RestoreDefaults
    ::
    :: Block Office Child Process Creation
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
    :: Block Process Injection
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
    :: Block Win32 API calls in macros
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled
    :: Block Office from creating executables
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
    :: Block execution of potentially obfuscated scripts
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
    :: Block executable content from email client and webmail
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
    :: Block JavaScript or VBScript from launching downloaded executable content
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Enabled
    :: Block lsass cred theft
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
    :: Block untrusted and unsigned processes that run from USB
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Enabled
    :: Block Adobe Reader from creating child processes
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -AttackSurfaceReductionRules_Actions Enabled
    :: Block persistence through WMI event subscription
    :: This one is commented out as it is currently not supported by MS
    :: powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Enabled
    :: Block process creations originating from PSExec and WMI commands
    :: This one is commented out as it is currently not supported by MS
    ::powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Enabled
    :: Block executable files from running unless they meet a prevalence, age, or trusted list criterion
    :: This one is commented out for now as I need to research and test more to determine potential impact
    :: powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25 -AttackSurfaceReductionRules_Actions Enabled
    ::
    ::Enable Windows Defender sandboxing
    ::Source: https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/
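    Review bot: the uncommented Add-MpPreference line for d1e49aac-8f56-4280-b9ba-993a6d77406c, placed directly under the "Block JavaScript or VBScript from launching downloaded executable content" comment, enables the same rule that the block further down ("Block process creations originating from PSExec and WMI commands", "commented out as it is currently not supported by MS") deliberately disables, so one of the two is stale. Either remove the active line or give it its own comment; the JavaScript/VBScript comment describes D3E037E1-3EB8-44C8-A917-57927947596D only.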
    @@ -41,12 67,11 @@ setx /M MP_FORCE_USE_SANDBOX 1
    ::Enable Defender exploit protection
    ::Source: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection
    ::
    powershell.exe Set-Processmitigation -System -Enable DEP,CFG,ForceRelocateImages,BottomUp,SEHOP
    powershell.exe Set-Processmitigation -System -Enable DEP,BottomUp,SEHOP
    ::
    ::Use ASR to blocked cred theft from lsass and unsigned procs from running from USB
    :: The following variant also enables forced ASLR and CFG but causes issues with several third party apps
    ::powershell.exe Set-Processmitigation -System -Enable DEP,CFG,ForceRelocateImages,BottomUp,SEHOP
    ::
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Enabled
    ::#######################################################################
    ::
    :: Harden all version of MS Office itself against common malspam attacks
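    Review bot: the two Add-MpPreference lines for 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 and b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 at the end of this hunk duplicate the commented "Block lsass cred theft" and "Block untrusted and unsigned processes that run from USB" lines this same revision adds to the ASR section above; keep one copy so the rule list lives in one place. Dropping to `-Enable DEP,BottomUp,SEHOP` and leaving the `DEP,CFG,ForceRelocateImages,BottomUp,SEHOP` variant commented is a sensible default given the note that system-wide mandatory ASLR and CFG break several third-party apps.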
    @@ -100,8 125,8 @@ powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWind
    ::
    ::#######################################################################
    ::
    :: Harden lsass to help protect against credential dumping (mimikatz)
    :: Configures lsass.exe as a protected process and disabled wdigest
    :: Harden lsass to help protect against credential dumping (mimikatz) and audit lsass access requests
    :: Configures lsass.exe as a protected process and disables wdigest
    :: Source: https://technet.microsoft.com/en-us/library/dn408187(v=ws.11).aspx
    :: ---------------------
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe" /v AuditLevel /t REG_DWORD /d 00000008 /f
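    Review bot: `/d 00000008` on the AuditLevel line is parsed by reg add as decimal 8, which is the intended audit-mode value, but the zero padding reads like a hex value; `/d 8` is clearer. AuditLevel only logs access to lsass, while the protected-process setting the comment describes is outside this hunk; the audit events are worth reviewing for legitimate tools that open lsass before protection is switched on.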
    @@ -134,9 159,9 @@ Netsh.exe advfirewall firewall add rule name="Block hh.exe netconns" program="%s
    ::
    :: Uninstall unneeded apps
    :: ---------------------
    wmic.exe /interactive:off product where "name like 'Adobe Air%' and version like'%'" call uninstall
    wmic.exe /interactive:off product where "name like 'Adobe Flash%' and version like'%'" call uninstall
    wmic.exe /interactive:off product where "name like 'Java%' and version like'%'" call uninstall
    ::wmic.exe /interactive:off product where "name like 'Adobe Air%' and version like'%'" call uninstall
    ::wmic.exe /interactive:off product where "name like 'Adobe Flash%' and version like'%'" call uninstall
    ::wmic.exe /interactive:off product where "name like 'Java%' and version like'%'" call uninstall
    ::#######################################################################
    ::
    :: Uninstall pups
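    Review bot: the three wmic uninstall lines for Adobe Air, Adobe Flash and Java are commented out without a reason, unlike the other lines this revision disables, which each carry a "This one is commented out as ..." note; add a one-line reason so a later reader knows whether it is safe to re-enable them.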
  2. @mackwage revised this gist Oct 27, 2018. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion windows_hardening.cmd
    @@ -34,8 34,9 @@ setx /M MP_FORCE_USE_SANDBOX 1
    ::
    ::Enable Windows Defender Application Guard
    ::Source: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard
    :: This setting is commented out as it eanbles subset of DC/CG which renders other virtualization products unsuable. Can be enabled if you don't use
    ::
    powershell.exe Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard -norestart
    ::powershell.exe Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard -norestart
    ::
    ::Enable Defender exploit protection
    ::Source: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection
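    Review bot: the new comment line has two typos ("eanbles" for "enables", "unsuable" for "unusable") and ends mid-sentence ("Can be enabled if you don't use"); finish the sentence with the products it refers to, so the condition for re-enabling Application Guard is clear to the next reader.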
  3. @mackwage revised this gist Oct 27, 2018. 1 changed file with 5 additions and 0 deletions.
    5 changes: 5 additions & 0 deletions windows_hardening.cmd
    @@ -37,6 37,11 @@ setx /M MP_FORCE_USE_SANDBOX 1
    ::
    powershell.exe Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard -norestart
    ::
    ::Enable Defender exploit protection
    ::Source: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection
    ::
    powershell.exe Set-Processmitigation -System -Enable DEP,CFG,ForceRelocateImages,BottomUp,SEHOP
    ::
    ::Use ASR to blocked cred theft from lsass and unsigned procs from running from USB
    ::
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
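    Review bot: `Set-Processmitigation -System -Enable DEP,CFG,ForceRelocateImages,BottomUp,SEHOP` applies these mitigations to every process on the machine; ForceRelocateImages (mandatory ASLR) and CFG at system scope are the two flags the Feb 22, 2020 revision later backs out because of third-party application breakage, so flag them as optional here and test against a representative application set before deploying. "Use ASR to blocked cred theft" should read "block".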
  4. @mackwage revised this gist Oct 27, 2018. 1 changed file with 4 additions and 4 deletions.
    8 changes: 4 additions & 4 deletions windows_hardening.cmd
    @@ -35,7 35,7 @@ setx /M MP_FORCE_USE_SANDBOX 1
    ::Enable Windows Defender Application Guard
    ::Source: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard
    ::
    powershell.exe Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
    powershell.exe Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard -norestart
    ::
    ::Use ASR to blocked cred theft from lsass and unsigned procs from running from USB
    ::
    @@ -88,9 88,9 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f
    net stop WinRM
    wmic /interactive:off nicconfig where TcpipNetbiosOptions=1 call SetTcpipNetbios 2
    powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
    powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
    powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
    powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -norestart
    powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -norestart
    powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -norestart
    ::
    ::#######################################################################
    ::
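    Review bot: adding `-norestart` to the Disable-WindowsOptionalFeature lines (and to the Enable-WindowsOptionalFeature line in the hunk above) stops each call from prompting or rebooting mid-script, but the smb1protocol, PowerShell v2 and Application Guard changes only take effect after a restart; end the script with a clear reminder, or a deliberate `shutdown /r`, so a machine is not left half-hardened.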
  5. @mackwage revised this gist Oct 27, 2018. 1 changed file with 6 additions and 0 deletions.
    6 changes: 6 additions & 0 deletions windows_hardening.cmd
    @@ -28,9 28,15 @@ powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-4
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Enabled
    ::
    ::Enable Windows Defender sandboxing
    ::Source: https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/
    ::
    setx /M MP_FORCE_USE_SANDBOX 1
    ::
    ::Enable Windows Defender Application Guard
    ::Source: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard
    ::
    powershell.exe Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
    ::
    ::Use ASR to blocked cred theft from lsass and unsigned procs from running from USB
    ::
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
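    Review bot: `Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard` without `-norestart` prompts to restart when it finishes, which stalls an unattended run of the script (the next revision adds the switch). `setx /M MP_FORCE_USE_SANDBOX 1` also only reaches processes started after it runs, so the Defender sandbox is not in effect until the service restarts; a comment saying a reboot is expected would save confusion.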
  6. @mackwage revised this gist Oct 27, 2018. 1 changed file with 8 additions and 3 deletions.
    11 changes: 8 additions & 3 deletions windows_hardening.cmd
    @@ -19,14 19,18 @@ ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
    :: ---------------------
    ::%programfiles%\"Windows Defender"\MpCmdRun.exe -RestoreDefaults
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions enable
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions enable
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions enable
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Enabled
    ::
    ::Enable Windows Defender sandboxing
    ::
    setx /M MP_FORCE_USE_SANDBOX 1
    ::
    ::Use ASR to blocked cred theft from lsass and unsigned procs from running from USB
    ::
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
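    Review bot: changing `-AttackSurfaceReductionRules_Actions enable` to `Enabled` on the 75668C1F, 92E97FA1 and 3B576869 lines is a functional fix, not a cosmetic one: the parameter accepts only Disabled, Enabled or AuditMode, so the old lines failed parameter binding and those three rules were never applied. The new d1e49aac-8f56-4280-b9ba-993a6d77406c line is the only rule in the block not covered by the header comment ("Office childprocs, Office proc injection, Office win32 api calls & executable content creation"); add a comment naming what it blocks.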
    @@ -105,6 109,7 @@ Netsh.exe advfirewall firewall add rule name="Block mshta.exe netconns" program=
    Netsh.exe advfirewall firewall add rule name="Block wscript.exe netconns" program="%systemroot%\system32\wscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
    Netsh.exe advfirewall firewall add rule name="Block cscript.exe netconns" program="%systemroot%\system32\cscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
    Netsh.exe advfirewall firewall add rule name="Block runscripthelper.exe netconns" program="%systemroot%\system32\runscripthelper.exe" protocol=tcp dir=out enable=yes action=block profile=any
    Netsh.exe advfirewall firewall add rule name="Block hh.exe netconns" program="%systemroot%\system32\hh.exe" protocol=tcp dir=out enable=yes action=block profile=any
    ::
    ::#######################################################################
    ::
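    Review bot: the new hh.exe rule, like the others in this block, carries `protocol=tcp`, so only TCP outbound is blocked and UDP traffic from hh.exe still passes; if the intent is no network access at all for these binaries, drop `protocol=tcp` (netsh then matches any protocol) or add a matching `protocol=udp` rule.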
  7. @mackwage revised this gist Jul 21, 2018. 1 changed file with 0 additions and 4 deletions.
    4 changes: 0 additions & 4 deletions windows_hardening.cmd
    @@ -25,11 25,7 @@ powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled

    ::
    ::Use ASR to blocked cred theft from lsass and unsigned procs from running from USB
    ::
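    Review bot: of the four lines removed here, the two 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 lines and b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 duplicate rules in the "Use ASR to blocked cred theft" section directly below, but d1e49aac-8f56-4280-b9ba-993a6d77406c is not in that section, so this revision drops that rule from the file entirely; if that is intended, say so in a comment, otherwise keep it with the others.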
  8. @mackwage revised this gist Jul 21, 2018. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions windows_hardening.cmd
    @@ -15,6 15,7 @@ ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
    :: Blocks Office childprocs, Office proc injection, Office win32 api calls & executable content creation
    :: Note these only work when Defender is your primary AV
    :: Source: https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
    :: Source: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
    :: ---------------------
    ::%programfiles%\"Windows Defender"\MpCmdRun.exe -RestoreDefaults
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
  9. @mackwage revised this gist Jul 21, 2018. 1 changed file with 6 additions and 1 deletion.
    7 changes: 6 additions & 1 deletion windows_hardening.cmd
    @@ -20,10 20,15 @@ ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions enable
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions enable
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids '3B576869-A4EC-4529-8536-B80A7769E899' -AttackSurfaceReductionRules_Actions enable
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions enable
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled

    ::
    ::Use ASR to blocked cred theft from lsass and unsigned procs from running from USB
    ::
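    Review bot: the 75668C1F, 92E97FA1 and 3B576869 lines still pass `-AttackSurfaceReductionRules_Actions enable`; the parameter accepts Disabled, Enabled or AuditMode, so these calls fail to bind and the rules stay off until the value is corrected to `Enabled` (the Oct 27, 2018 revision does that). Dropping the single quotes around 3B576869-A4EC-4529-8536-B80A7769E899 is consistency only, since cmd passes them through to PowerShell as a string literal either way. The 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 line is added twice in a row; one copy is enough.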
  10. @mackwage revised this gist May 2, 2018. 1 changed file with 8 additions and 4 deletions.
    12 changes: 8 additions & 4 deletions windows_hardening.cmd
    @@ -25,6 25,10 @@ powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
    ::
    ::Use ASR to blocked cred theft from lsass and unsigned procs from running from USB
    ::
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Enabled
    ::#######################################################################
    ::
    :: Harden all version of MS Office itself against common malspam attacks
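    Review bot: "Use ASR to blocked cred theft" should read "block". The section comment is the only description of what 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 and b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 do; a short per-rule comment, as the earlier block's header gives for the Office rules, would make the list easier to audit later.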
    @@ -118,7 122,7 @@ wmic.exe /interactive:off product where "name like 'Java%' and version like'%'"
    ::
    :: Uninstall pups
    :: ---------------------
    wmic.exe /interactive:off product where "name like 'Ask Part%' and version like'%'" call uninstall
    wmic.exe /interactive:off product where "name like 'searchAssistant%' and version like'%'" call uninstall
    wmic.exe /interactive:off product where "name like 'Weatherbug%' and version like'%'" call uninstall
    wmic.exe /interactive:off product where "name like 'ShopAtHome%' and version like'%'" call uninstall
    :: wmic.exe /interactive:off product where "name like 'Ask Part%' and version like'%'" call uninstall
    :: wmic.exe /interactive:off product where "name like 'searchAssistant%' and version like'%'" call uninstall
    :: wmic.exe /interactive:off product where "name like 'Weatherbug%' and version like'%'" call uninstall
    :: wmic.exe /interactive:off product where "name like 'ShopAtHome%' and version like'%'" call uninstall
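    Review bot: the four PUP uninstall lines are commented out without a reason; add a one-line note so a later reader knows whether they were dropped for being disruptive, unneeded, or something else, and whether it is safe to re-enable them.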
  11. @mackwage revised this gist Nov 29, 2017. 1 changed file with 7 additions and 7 deletions.
    14 changes: 7 additions & 7 deletions windows_hardening.cmd
    @@ -111,14 111,14 @@ Netsh.exe advfirewall firewall add rule name="Block runscripthelper.exe netconns
    ::
    :: Uninstall unneeded apps
    :: ---------------------
    wmic.exe /interactive:off product where "name like 'Adobe Air%' and version like'%'" call unininstall
    wmic.exe /interactive:off product where "name like 'Adobe Flash%' and version like'%'" call unininstall
    wmic.exe /interactive:off product where "name like 'Java%' and version like'%'" call unininstall
    wmic.exe /interactive:off product where "name like 'Adobe Air%' and version like'%'" call uninstall
    wmic.exe /interactive:off product where "name like 'Adobe Flash%' and version like'%'" call uninstall
    wmic.exe /interactive:off product where "name like 'Java%' and version like'%'" call uninstall
    ::#######################################################################
    ::
    :: Uninstall pups
    :: ---------------------
    wmic.exe /interactive:off product where "name like 'Ask Part%' and version like'%'" call unininstall
    wmic.exe /interactive:off product where "name like 'searchAssistant%' and version like'%'" call unininstall
    wmic.exe /interactive:off product where "name like 'Weatherbug%' and version like'%'" call unininstall
    wmic.exe /interactive:off product where "name like 'ShopAtHome%' and version like'%'" call unininstall
    wmic.exe /interactive:off product where "name like 'Ask Part%' and version like'%'" call uninstall
    wmic.exe /interactive:off product where "name like 'searchAssistant%' and version like'%'" call uninstall
    wmic.exe /interactive:off product where "name like 'Weatherbug%' and version like'%'" call uninstall
    wmic.exe /interactive:off product where "name like 'ShopAtHome%' and version like'%'" call uninstall
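    Review bot: "unininstall" to "uninstall" is the right fix; as written, `call unininstall` would have failed on an unknown method and removed nothing. Separately, each `wmic.exe /interactive:off product where ...` query goes through the Win32_Product class, which runs a Windows Installer consistency check of every installed MSI package on each query, so seven of these in a row are slow and noisy in the Application event log; reading the Uninstall registry keys is the usual cheaper alternative.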
  12. @mackwage revised this gist Nov 24, 2017. 1 changed file with 4 additions and 1 deletion.
    5 changes: 4 additions & 1 deletion windows_hardening.cmd
    @@ -16,6 16,7 @@ ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
    :: Note these only work when Defender is your primary AV
    :: Source: https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
    :: ---------------------
    ::%programfiles%\"Windows Defender"\MpCmdRun.exe -RestoreDefaults
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions enable
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions enable
    @@ -69,6 70,7 @@ reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options\WordMail" /v DontUpdat
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 1 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f
    net stop WinRM
    wmic /interactive:off nicconfig where TcpipNetbiosOptions=1 call SetTcpipNetbios 2
    powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
    powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
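    Review bot: `net stop WinRM` only stops the running service; with its startup type unchanged it returns on the next boot, so pair it with `sc config WinRM start= disabled` (the space after `start=` is required) if the intent is to keep WinRM off.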
    @@ -87,8 89,9 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v Use
    ::#######################################################################
    ::
    :: Enable Windows Firewall and configure some advanced options
    :: Block Win32 binaries from making netconns when they shouldn't
    :: ---------------------
    NetSh Advfirewall set allrprofiles state on
    NetSh Advfirewall set allprofiles state on
    Netsh.exe advfirewall firewall add rule name="Block Notepad.exe netconns" program="%systemroot%\system32\notepad.exe" protocol=tcp dir=out enable=yes action=block profile=any
    Netsh.exe advfirewall firewall add rule name="Block regsvr32.exe netconns" program="%systemroot%\system32\regsvr32.exe" protocol=tcp dir=out enable=yes action=block profile=any
    Netsh.exe advfirewall firewall add rule name="Block calc.exe netconns" program="%systemroot%\system32\calc.exe" protocol=tcp dir=out enable=yes action=block profile=any
  13. @mackwage revised this gist Nov 23, 2017. 1 changed file with 0 additions and 1 deletion.
    1 change: 0 additions & 1 deletion windows_hardening.cmd
    @@ -69,7 69,6 @@ reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options\WordMail" /v DontUpdat
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 1 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f
    net stop WinRM
    wmic /interactive:off nicconfig where TcpipNetbiosOptions=1 call SetTcpipNetbios 2
    powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
    powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
  14. @mackwage created this gist Nov 23, 2017.
    122 changes: 122 additions & 0 deletions windows_hardening.cmd
    @@ -0,0 1,122 @@
    ::
    ::#######################################################################
    ::
    :: Change file associations to protect against common ransomware attacks
    :: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
    :: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
    :: ---------------------
    ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
    ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
    ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
    ::
    ::#######################################################################
    ::
    :: Enable ASR rules in Win10 1709 ExploitGuard to mitigate Offic malspam
    :: Blocks Office childprocs, Office proc injection, Office win32 api calls & executable content creation
    :: Note these only work when Defender is your primary AV
    :: Source: https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
    :: ---------------------
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions enable
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions enable
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids '3B576869-A4EC-4529-8536-B80A7769E899' -AttackSurfaceReductionRules_Actions enable
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
    powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
    ::
    ::#######################################################################
    ::
    :: Harden all version of MS Office itself against common malspam attacks
    :: Disables Macros, enables ProtectedView
    :: Source: https://decentsecurity.com/block-office-macros/
    :: ---------------------
    reg add "HKCU\Software\Policies\Microsoft\Office\12.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f
    reg add "HKCU\Software\Policies\Microsoft\Office\12.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f
    reg add "HKCU\Software\Policies\Microsoft\Office\14.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f
    reg add "HKCU\Software\Policies\Microsoft\Office\14.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f
    reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Outlook\Security" /v markinternalasunsafe /t REG_DWORD /d 0 /f
    reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Word\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
    reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Excel\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
    reg add "HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
    reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f
    reg add "HKCU\Software\Policies\Microsoft\Office\15.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f
    reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Security" /v markinternalasunsafe /t REG_DWORD /d 0 /f
    reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
    reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
    reg add "HKCU\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security" /v blockcontentexecutionfrominternet /t REG_DWORD /d 1 /f
    reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security" /v vbawarnings /t REG_DWORD /d 4 /f
    reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Publisher\Security" /v vbawarnings /t REG_DWORD /d 4 /f
    ::
    ::#######################################################################
    ::
    :: Harden all versions of MS Office itself against DDE malspam attacks
    :: Sets DontUpdateLinks so Word (and Word-as-Outlook-editor) does not refresh field/DDE links automatically on open
    :: Source: https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b
    :: ---------------------
    ::
    reg add "HKCU\Software\Microsoft\Office\14.0\Word\Options" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
    reg add "HKCU\Software\Microsoft\Office\14.0\Word\Options\WordMail" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
    reg add "HKCU\Software\Microsoft\Office\15.0\Word\Options" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
    reg add "HKCU\Software\Microsoft\Office\15.0\Word\Options\WordMail" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
    reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
    reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options\WordMail" /v DontUpdateLinks /t REG_DWORD /d 00000001 /f
    ::
    ::#######################################################################
    ::
    :: General OS hardening
    :: Disables DNS multicast (LLMNR), smbv1, netbios, powershellv2; stops WinRM
    :: Enables UAC
    :: ---------------------
    :: EnableMulticast=0 turns LLMNR off (a value of 1 would leave it enabled)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f
    net stop WinRM
    wmic /interactive:off nicconfig where TcpipNetbiosOptions=1 call SetTcpipNetbios 2
    powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
    powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
    powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
    ::
    ::#######################################################################
    ::
    :: Harden lsass to help protect against credential dumping (mimikatz)
    :: Configures lsass.exe as a protected process (RunAsPPL) and disables WDigest plaintext credential caching
    :: Source: https://technet.microsoft.com/en-us/library/dn408187(v=ws.11).aspx
    :: ---------------------
    :: AuditLevel=8 logs plugins/drivers that would fail PPL signing checks (CodeIntegrity events 3065/3066) instead of blocking them
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe" /v AuditLevel /t REG_DWORD /d 00000008 /f
    :: RunAsPPL takes effect after the next reboot
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 00000001 /f
    :: UseLogonCredential=0 stops WDigest keeping cleartext credentials in LSASS memory
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
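    :: Added verification example (not part of the original script): checks the three LSASS values above,
    :: then confirms from the System log that LSASS actually started protected since the last boot and lists
    :: any CodeIntegrity audit events that would indicate incompatible plugins. Run in an elevated PowerShell.

```powershell
# Added example, not part of the original hardening script: confirm the LSASS hardening
# above took effect. RunAsPPL only applies after a reboot, which the System log records as
# Wininit event 12 ("LSASS.exe was started as a protected process"). AuditLevel=8 logs
# would-be PPL violations as CodeIntegrity events 3065/3066 instead of blocking them.
$checks = @(
    @{ Name = 'RunAsPPL';           Expected = 1; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' }
    @{ Name = 'UseLogonCredential'; Expected = 0; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' }
    @{ Name = 'AuditLevel';         Expected = 8; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe' }
)
$failed = 0
foreach ($c in $checks) {
    $key    = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
    $actual = if ($null -ne $key -and $null -ne $key.($c.Name)) { [int]$key.($c.Name) } else { 'missing' }
    $ok = ($actual -eq $c.Expected)
    if (-not $ok) { $failed++ }
    '{0} {1,-18} expected={2} actual={3}' -f ($(if ($ok) { '[OK]  ' } else { '[FAIL]' }), $c.Name, $c.Expected, $actual)
}

# The registry alone does not prove protection: look for the boot-time Wininit event since last boot.
$lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$pplEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Wininit*' -and $_.TimeCreated -gt $lastBoot } |
    Select-Object -First 1
if ($pplEvent) {
    '[OK]   LSASS started as a protected process at {0}' -f $pplEvent.TimeCreated
} else {
    '[WARN] No Wininit event 12 since last boot: reboot before relying on RunAsPPL'
    $failed++
}

# Violations recorded in audit mode point at drivers/plugins that will break once PPL is enforced.
$audit = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 } -MaxEvents 10 -ErrorAction SilentlyContinue
if ($audit) {
    '[WARN] {0} CodeIntegrity audit event(s) (3065/3066); review before enforcing PPL:' -f @($audit).Count
    $audit | ForEach-Object { '       {0} {1}' -f $_.TimeCreated, ($_.Message -split "`n")[0] }
}
if ($failed -eq 0) { 'LSASS hardening verified.' } else { Write-Warning "$failed check(s) failed." }
```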
    ::
    ::#######################################################################
    ::
    :: Enable Windows Firewall and configure some advanced options
    :: ---------------------
    netsh advfirewall set allprofiles state on
    Netsh.exe advfirewall firewall add rule name="Block Notepad.exe netconns" program="%systemroot%\system32\notepad.exe" protocol=tcp dir=out enable=yes action=block profile=any
    Netsh.exe advfirewall firewall add rule name="Block regsvr32.exe netconns" program="%systemroot%\system32\regsvr32.exe" protocol=tcp dir=out enable=yes action=block profile=any
    Netsh.exe advfirewall firewall add rule name="Block calc.exe netconns" program="%systemroot%\system32\calc.exe" protocol=tcp dir=out enable=yes action=block profile=any
    Netsh.exe advfirewall firewall add rule name="Block mshta.exe netconns" program="%systemroot%\system32\mshta.exe" protocol=tcp dir=out enable=yes action=block profile=any
    Netsh.exe advfirewall firewall add rule name="Block wscript.exe netconns" program="%systemroot%\system32\wscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
    Netsh.exe advfirewall firewall add rule name="Block cscript.exe netconns" program="%systemroot%\system32\cscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
    Netsh.exe advfirewall firewall add rule name="Block runscripthelper.exe netconns" program="%systemroot%\system32\runscripthelper.exe" protocol=tcp dir=out enable=yes action=block profile=any
    ::
    ::#######################################################################
    ::
    :: Update Flash
    :: ---------------------
    ::%WINDIR%\system32\macromed\flash\FlashUtil_ActiveX.exe -update activex
    ::%WINDIR%\system32\macromed\flash\FlashUtil_Plugin.exe -update plugin
    ::
    ::#######################################################################
    ::
    :: Uninstall unneeded apps
    :: ---------------------
    wmic.exe /interactive:off product where "name like 'Adobe Air%' and version like '%'" call uninstall
    wmic.exe /interactive:off product where "name like 'Adobe Flash%' and version like '%'" call uninstall
    wmic.exe /interactive:off product where "name like 'Java%' and version like '%'" call uninstall
    ::
    ::#######################################################################
    ::
    :: Uninstall pups
    :: ---------------------
    wmic.exe /interactive:off product where "name like 'Ask Part%' and version like '%'" call uninstall
    wmic.exe /interactive:off product where "name like 'searchAssistant%' and version like '%'" call uninstall
    wmic.exe /interactive:off product where "name like 'Weatherbug%' and version like '%'" call uninstall
    wmic.exe /interactive:off product where "name like 'ShopAtHome%' and version like '%'" call uninstall