digitalsleuth / winfor-salt

Windows Forensics Salt States

[Suggestion] - Win10 Debloat - Security Settings #8

Closed angry-bender closed 1 year ago

angry-bender commented 1 year ago

Hey Mate,

Just making a suggestion for the debloat script on this one: leave Windows Defender and Windows Firewall as is, as I think that should be a conscious decision by the end user :-).

I do note it can just be uncommented, but it's still something I'd prefer to make obvious, particularly if you accidentally detonate malz on your forensics machine.

digitalsleuth commented 1 year ago

This is a good point, however AV won't protect you from detonating malware on your computer if you can't get it on your computer anyways with AV enabled :) Because of the nature of some of the tools, I have the debloat set to disable AV first, then install the tools (a few of which Defender sees as hacktools, i.e. mimikatz, OfficeMalScanner, etc.). Once everything is installed, there's nothing stopping the end user from re-enabling it though.

I'll give it some thought, and check the impact if enabled first. I'll keep this suggestion open while I review.

Cheers!

angry-bender commented 1 year ago

All good, I'm assuming it will also false-positive things like Sigma rules. Could be good to change the Defender config to an exclusion path instead, and include that in the doco.

digitalsleuth commented 1 year ago

I've been setting paths for those actually, I just have to make sure that everything is captured. Right now, I have a blanket "standalones" exception. I'm considering putting one on the tempdownload folder as well, but I'll need to modify the debloat to enable Defender with these exclusions to confirm I'm not missing anything.
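The approach discussed in the comment above (exclusion paths for the tool folders, then Defender switched back on, then a check that nothing was missed) as an added PowerShell example. This is not code from the winfor-salt repository; the folder paths `C:\standalones` and `C:\tempdownload` are assumptions standing in for whatever the states actually use, and the EICAR string is the standard, harmless AV test file. Run from an elevated prompt.

```powershell
# Added example, not part of winfor-salt. Paths below are assumed; adjust to the real layout.
$ToolPaths = @('C:\standalones', 'C:\tempdownload')

# Scope exclusions to the tool folders instead of leaving AV disabled.
# Add-MpPreference is idempotent, so re-running the script does not duplicate entries.
foreach ($p in $ToolPaths) {
    if (-not (Test-Path $p)) { New-Item -ItemType Directory -Path $p | Out-Null }
    Add-MpPreference -ExclusionPath $p
}

# Re-enable real-time protection now that the tools are installed and excluded.
Set-MpPreference -DisableRealtimeMonitoring $false

# Verify the exclusions landed and real-time protection is actually back on.
$pref    = Get-MpPreference
$status  = Get-MpComputerStatus
$missing = $ToolPaths | Where-Object { $pref.ExclusionPath -notcontains $_ }
if ($missing) {
    Write-Warning "Exclusions not applied: $($missing -join ', ')"
}
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is still off (Tamper Protection may be blocking the change).'
}

# Functional check: write the EICAR test file inside an excluded folder and outside it.
# Single quotes keep the $ characters literal. Defender should leave the first copy alone
# and remove (or refuse to write) the second one.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$inside  = Join-Path $ToolPaths[0] 'eicar.com'
$outside = Join-Path $env:TEMP 'eicar.com'
Set-Content -Path $inside  -Value $eicar -NoNewline -ErrorAction SilentlyContinue
Set-Content -Path $outside -Value $eicar -NoNewline -ErrorAction SilentlyContinue
Start-Sleep -Seconds 10
[pscustomobject]@{
    ExcludedCopySurvived = Test-Path $inside    # should be True
    UnexcludedCopyGone   = -not (Test-Path $outside)  # should be True
}
```

Two caveats a practitioner will hit: `Set-MpPreference -DisableRealtimeMonitoring` is silently ignored when Tamper Protection is on (hence the `RealTimeProtectionEnabled` check rather than trusting the call), and a folder exclusion only covers files under that path, so a tool that drops payloads into `%TEMP%` or the user profile at run time will still be caught and may need its own entry or a process exclusion.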

digitalsleuth commented 1 year ago

So I did some testing and modified the debloat and states appropriately and everything seems to work well. Thanks for bringing this up!

angry-bender commented 1 year ago

That's awesome, no worries at all 🙂.