Host Security Solutions

Host Security Solutions refer to a set of Software Tools and Technologies designed to protect individual Computer Systems or Hosts from various Security Threats. These solutions are typically installed on the Host or endpoint itself, providing Security measures to safeguard the Operating System, Applications, and Data residing on the System.

  • Antivirus Software
  • Microsoft Windows Defender
  • Host-Based Firewall
  • Security Event Logging and Monitoring
  • Host-Based Intrusion Detection System (HIDS) / Host-Based Intrusion Prevention System (HIPS)
  • Endpoint Detection and Response (EDR)

Antivirus Software

Antivirus Software, also known as Anti-Malware, is designed to Monitor, Detect, and Prevent the Execution of Malicious Software on a Computer. It utilizes various features such as Background Scanning, Full System Scans, and Virus Definitions.

Background Scanning involves Real-Time Monitoring and Scanning of all Open and used Files. A Full System Scan is important during initial Antivirus Installation. Virus Definitions are Pre-Defined patterns that Antivirus Software uses to identify known Viruses. Therefore, regular Updates are necessary to keep Antivirus Software effective in responding to new Threats.

Detection Techniques

  • Signature-Based: A traditional method used by Antivirus Software to Identify Malicious Files. Infected Files are submitted for Analysis, and if confirmed as Malicious, their Signatures are added to the Antivirus Database. The Software compares Scanned Files to the Database, and if a match is found, the File is considered a Threat.
  • Heuristic-Based: Uses Machine Learning to decide whether a File is Malicious or not. It Scans and Statically Analyses Files in Real-Time in order to find Suspicious Properties in the Application's Code, or to check whether it uses uncommon Windows or system APIs. It does not necessarily rely on Signature-Based detection when making decisions; whether it does depends on the implementation of the Antivirus Software.
  • Behavior-Based: Relies on Monitoring and Examining the execution of Applications to find Abnormal Behaviors and Uncommon Activities, such as Creating or Updating Values in Registry Keys, Killing or Creating Processes, etc.


Info

Windows Servers may not have the SecurityCenter2 Namespace, so the Command below may not work there. However, it should always work on Windows Workstations.

:: Enumerating Antivirus Software
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /format:list


Microsoft Windows Defender

Microsoft Windows Defender is a Built-In Antivirus Tool for Windows. It employs advanced techniques like Machine Learning, Big Data Analysis, and Cloud Infrastructure to Detect and Protect against Malware and Viruses. It operates in Three Modes: Active, Passive, and Disabled.

# Check the Service State of Windows Defender
Get-Service WinDefend

Protection Modes

  • Active: MS Defender runs as the primary Antivirus Software on the Machine, providing both Protection and Remediation.
  • Passive: Allows Windows Defender to Monitor and Collect Information about potential Threats without taking immediate action. It doesn't actively Scan or Remove Malware, but it can still Log and Report Suspicious Activities for Analysis.
  • Disabled: Completely turns off Windows Defender's Real-Time Protection. It Disables all Scanning and Monitoring features, leaving the System Vulnerable to Malware and Viruses.
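An added example (not from the original page) that combines the two checks above: it lists the registered Antivirus products through CIM instead of the deprecated wmic, then derives the Active / Passive / Disabled mode from the WinDefend Service and the Defender module's Get-MpComputerStatus. It assumes the Defender PowerShell module is present, as it is on a standard Windows Workstation.

```powershell
# Added example: which Antivirus is registered, and which mode Defender is in.

# 1. Registered Antivirus products. root/SecurityCenter2 exists on Workstations
#    only, so the query is wrapped in try/catch for Windows Server.
try {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        Select-Object displayName, productState, pathToSignedProductExe
} catch {
    Write-Warning "SecurityCenter2 Namespace not available: $($_.Exception.Message)"
}

# 2. Defender's own view: Service state, running mode and Real-Time Protection.
$svc = Get-Service WinDefend -ErrorAction SilentlyContinue
$mp  = Get-MpComputerStatus -ErrorAction SilentlyContinue

if (-not $svc -or $svc.Status -ne 'Running' -or -not $mp) {
    $mode = 'Disabled (WinDefend not running or Defender module unavailable)'
} elseif ($mp.AMRunningMode -like '*Passive*') {
    # AMRunningMode reports "Passive Mode" when another AV is the primary product
    $mode = 'Passive (monitoring only, another AV is primary)'
} elseif ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) {
    $mode = 'Active (primary AV, Real-Time Protection on)'
} else {
    $mode = 'Disabled (Real-Time Protection off)'
}

[PSCustomObject]@{
    Service            = if ($svc) { $svc.Status } else { 'Not installed' }
    AMRunningMode      = $mp.AMRunningMode
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    SignatureAgeDays   = $mp.AntivirusSignatureAge   # days since the last Definition update
    Mode               = $mode
}
```

A large SignatureAgeDays value is the practical sign that the Definitions are stale even when the mode is Active.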


Host-Based Firewall

The main purpose of the Host-Based Firewall is to control the Inbound and Outbound Traffic that goes through the Device's Interface. It Protects the Host from untrusted Devices that are on the same Network. A Modern Host-Based Firewall uses multiple levels of Analyzing Traffic, including Packet Analysis, while establishing the Connection.

The Firewall controls Network Access by Allowing or Denying Network Packets. It operates at the Network Layer and can Block specific types of Packets, like ICMP Packets used in ping Commands. Advanced Firewalls can inspect other layers, such as the Application layer, enabling them to Detect and Prevent attacks like SQL Injection.


Required Privileges: Administrators

# Displays Settings that Apply to the Per-Profile Configurations of the Windows Firewall with Advanced Security
Get-NetFirewallProfile | Format-Table Name, Enabled

# Show Current Firewall Rules
Get-NetFirewallRule | select DisplayName, Enabled, Description


During a Pentest, if we have no idea what the Firewall Blocks, we can take advantage of some PowerShell cmdlets such as Test-NetConnection and TcpClient.

# [Test-NetConnection] Testing Outbound Connection
# We can also test Remote Targets in the same Network, or Domain Names, by specifying them in [-ComputerName]
Test-NetConnection -ComputerName 127.0.0.1 -Port 80

# [TcpClient]
(New-Object System.Net.Sockets.TcpClient("127.0.0.1", "80")).Connected
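An added example (not from the original page) for the rule review described above: Get-NetFirewallRule by itself does not show ports or addresses, so this joins each enabled Inbound Allow rule with its port and address filters and flags the rules exposed to any Remote Address on the Public profile. It assumes the NetSecurity module and Administrator rights, as the commands above do.

```powershell
# Added example: audit which Inbound traffic the Windows Firewall actually allows.
$report = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $rule = $_
        # Port and address constraints live in separate filter objects linked to the rule
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        [PSCustomObject]@{
            Name       = $rule.DisplayName
            Profile    = $rule.Profile          # Domain, Private, Public or Any
            Protocol   = $port.Protocol
            LocalPort  = ($port.LocalPort -join ',')
            RemoteAddr = ($addr.RemoteAddress -join ',')   # 'Any' when unconstrained
        }
    }

# Profile summary first: a disabled profile means none of its rules are enforced,
# and DefaultInboundAction shows what happens to traffic no rule matches.
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction

# Rules reachable from any address on the Public profile deserve the closest review.
$report |
    Where-Object { $_.RemoteAddr -eq 'Any' -and $_.Profile -match 'Public|Any' } |
    Sort-Object LocalPort |
    Format-Table -AutoSize
```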

Security Event Logging and Monitoring

By default, Operating Systems log various Activity Events on the System in log files. The Event Logging feature is available to IT System and Network Administrators to Monitor and Analyze important Events, whether on the Host or the Network side. In corporate Networks, Security Teams use Event Logging to Track and Investigate Security Incidents.

There are various categories where the Windows Operating System logs Event Information, including the Application, System, Security, Services, etc. In addition, Security and Network Devices store Event Information into log files to allow the System Administrators to get an insight into what is going on.

# Get a list of available Event Logs on the Local Machine (Windows PowerShell; Get-EventLog was removed in PowerShell 7, where Get-WinEvent -ListLog * is the equivalent)
Get-EventLog -List

System Monitor

It is Important to be Aware of the Monitoring Tools to avoid Generating Security Events.

Windows System Monitor (Sysmon) is a Service and Device Driver. It is part of the Microsoft Sysinternals Suite. It is not Installed by Default, but it starts gathering and Logging Events as soon as it is Installed.

One of the great features of the Sysmon Tool is that it can log many Important Events, and you can also create your own Rules and Configuration to Monitor.

  • Process Creation and Termination
  • Network Connections
  • Modification on File
  • Remote Threads
  • Process and Memory Access
  • ...

The following are some of the Commands that can be used to detect whether Sysmon is available on the Machine.

Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }

Get-CimInstance win32_service -Filter "Description = 'System Monitor service'"

Get-Service | Where-Object {$_.DisplayName -like "*sysm*"}

Once we detect it, we can try to find the Sysmon Configuration File, if we have Read Permission, to understand what the System Administrators are Monitoring.

findstr /si '<ProcessCreate onmatch="exclude">' C:\tools\*
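An added example (not from the original page) showing what the Sysmon Events listed above look like from the defender's side: it reads the standard Sysmon Operational log, counts the recorded Events per type using Sysmon's documented Event IDs, and unpacks the Image and CommandLine fields of the latest Process Create Events. It assumes Sysmon is installed and the account can read the Operational log.

```powershell
# Added example: summarize what Sysmon is recording on this Machine.
$sysmonLog  = 'Microsoft-Windows-Sysmon/Operational'
$eventNames = @{          # Sysmon Event IDs matching the Event types listed above
    1  = 'Process Create'
    3  = 'Network Connection'
    5  = 'Process Terminated'
    8  = 'CreateRemoteThread'
    10 = 'Process Access'
    11 = 'File Create'
}

$log = Get-WinEvent -ListLog $sysmonLog -ErrorAction SilentlyContinue
if (-not $log) {
    Write-Warning "Log '$sysmonLog' not found: Sysmon is not installed or not logging."
    return
}

# Recent Events of interest (last 24 hours, capped so the query stays quick).
# Get-WinEvent raises a non-terminating error when nothing matches, so $events may be $null.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $sysmonLog
    Id        = [int[]]$eventNames.Keys
    StartTime = (Get-Date).AddHours(-24)
} -MaxEvents 5000 -ErrorAction SilentlyContinue

# Count per Event type: a type with zero hits is either excluded by the Configuration or simply quiet.
$eventNames.GetEnumerator() | Sort-Object Key | ForEach-Object {
    $id = $_.Key
    [PSCustomObject]@{
        Id    = $id
        Event = $_.Value
        Count = @($events | Where-Object Id -eq $id).Count
    }
} | Format-Table -AutoSize

# Latest Process Create Events: the interesting fields are in the Event's XML EventData.
$events | Where-Object Id -eq 1 | Select-Object -First 5 | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [PSCustomObject]@{ Time = $_.TimeCreated; Image = $d['Image']; CommandLine = $d['CommandLine'] }
}
```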