# Antivirus

## Windows Defender

Harden Windows Defender

### Microsoft Active Protection Service (MAPS)

Enable MAPS:

```powershell
# Enable MAPS reporting (2 = Advanced Membership)
Set-MpPreference -MAPSReporting 2

# Automatic safe sample submission (1 = send safe samples automatically)
Set-MpPreference -SubmitSamplesConsent 1

# High cloud blocking level (2 = High; 4 = HighPlus, 6 = ZeroTolerance are stricter)
Set-MpPreference -CloudBlockLevel 2

# Extended cloud check timeout in seconds (50 is the maximum)
Set-MpPreference -CloudExtendedTimeout 50
```

Enable MAPS through the registry (the keys Group Policy manages):

```powershell
# These keys hold the local Defender configuration; settings delivered by Group
# Policy land under HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\... instead.
# With Tamper Protection on, direct registry writes are blocked or ignored, so
# prefer Set-MpPreference where it exists.
$spynet   = "HKLM:\SOFTWARE\Microsoft\Windows Defender\Spynet"
$mpEngine = "HKLM:\SOFTWARE\Microsoft\Windows Defender\MpEngine"

# Enable MAPS Advanced Membership
Set-ItemProperty -Path $spynet -Name "SpynetReporting" -Value 2

# Enable Block at First Sight (0 = not disabled)
Set-ItemProperty -Path $spynet -Name "DisableBlockAtFirstSeen" -Value 0

# Configure sample submission (1 = send safe samples)
Set-ItemProperty -Path $spynet -Name "SubmitSamplesConsent" -Value 1

# Set high cloud protection level (6 = Zero Tolerance, the strictest level)
Set-ItemProperty -Path $mpEngine -Name "MpCloudBlockLevel" -Value 6

# Configure extended cloud check timeout (50 seconds)
Set-ItemProperty -Path $mpEngine -Name "MpBafsExtendedTimeout" -Value 50
```

Enable ransomware protection (Controlled Folder Access):

```powershell
# Enable Controlled Folder Access (Ransomware Protection).
# Use -EnableControlledFolderAccess AuditMode first to find applications that would be blocked.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Add protected folders (optional; the user profile libraries are protected by default)
Add-MpPreference -ControlledFolderAccessProtectedFolders "$env:USERPROFILE\Documents"
Add-MpPreference -ControlledFolderAccessProtectedFolders "$env:USERPROFILE\Pictures"

# Allow specific applications through Controlled Folder Access
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\TrustedApp\app.exe"
```
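As an added check (not part of the original page), the script below compares the effective Defender configuration against the values set in the three blocks above. It reads `Get-MpPreference`, which reports the merged result of local and policy settings, so it works whichever method was used, and it reports Tamper Protection from `Get-MpComputerStatus` because Tamper Protection is the usual reason a setting does not take. The function name and the `$expected` table are the example's own; adjust the table to the levels you chose.

```powershell
# Added example: audit the effective Defender settings against the hardened baseline.
function Test-DefenderBaseline {
    # Expected values, matching the Set-MpPreference calls above (assumed baseline).
    $expected = @{
        MAPSReporting                = 2       # Advanced Membership
        SubmitSamplesConsent         = 1       # Send safe samples automatically
        CloudBlockLevel              = 2       # High
        CloudExtendedTimeout         = 50      # Seconds
        DisableBlockAtFirstSeen      = $false  # Block at First Sight stays on
        EnableControlledFolderAccess = 1       # 1 = Enabled, 2 = AuditMode
    }

    $pref = Get-MpPreference
    foreach ($name in ($expected.Keys | Sort-Object)) {
        $actual = $pref.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual
            Ok       = ($actual -eq $expected[$name])
        }
    }

    # Tamper Protection silently rejects registry edits and some cmdlet changes,
    # so surface it next to the settings to explain any failed row.
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        Setting  = 'IsTamperProtected'
        Expected = $true
        Actual   = $status.IsTamperProtected
        Ok       = ($status.IsTamperProtected -eq $true)
    }
}

$results = Test-DefenderBaseline
$results | Format-Table -AutoSize

# Non-zero exit code makes the script usable from a compliance or CI job
if ($results.Ok -contains $false) { exit 1 }
```

Run it from an elevated PowerShell session after applying the settings; a row with `Ok = False` and `IsTamperProtected = True` usually means the change has to be made through Intune or Group Policy rather than locally.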

### Configuration and Hardening

Set the signature update interval:

```powershell
# Update signatures every hour
Set-MpPreference -SignatureUpdateInterval 1

# Check for signature updates before each scan (boolean parameter)
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true
```

Block potentially unwanted applications (PUA), a category that covers many dual-use hacking and remote-access tools:

```powershell
# Enable PUA protection (AuditMode is also available for a soak period)
Set-MpPreference -PUAProtection Enabled
```

Block common Office, email and script attack vectors with Attack Surface Reduction (ASR) rules:

```powershell
# Enable Attack Surface Reduction rules (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn)
$ASRRules = @{
    "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" = 1 # Block executable content from email client and webmail
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" = 1 # Block all Office applications from creating child processes
    "3B576869-A4EC-4529-8536-B80A7769E899" = 1 # Block Office applications from creating executable content
    "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84" = 1 # Block Office applications from injecting code into other processes
    "D3E037E1-3EB8-44C8-A917-57927947596D" = 1 # Block JavaScript or VBScript from launching downloaded executable content
    "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC" = 1 # Block execution of potentially obfuscated scripts
}

$asrPath = "HKLM:\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"

# The Rules key does not exist until at least one rule has been configured
if (-not (Test-Path $asrPath)) {
    New-Item -Path $asrPath -Force | Out-Null
}

foreach ($rule in $ASRRules.GetEnumerator()) {
    Set-ItemProperty -Path $asrPath -Name $rule.Key -Value $rule.Value
}
```
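The registry approach above fails silently under Tamper Protection and gives no feedback on what the rules will break. As an added example (not from the original page), the script below stages the same six rules in audit mode through the supported `Add-MpPreference` parameters, summarises the hits recorded in the Defender operational log (event 1121 = blocked, 1122 = audited), and only then switches the rules to block. The function names are the example's own; the rule GUIDs and event IDs are Microsoft's published values.

```powershell
# Added example: audit-first ASR rollout using the supported cmdlets.
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}

# Apply one action to every rule in the table. AuditMode logs hits without blocking.
function Set-AsrRuleAction {
    param(
        [ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')]
        [string]$Action
    )
    foreach ($id in $asrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
    }
}

# Show the action currently configured for each rule (0 Disabled, 1 Block, 2 Audit, 6 Warn).
function Get-AsrState {
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        $name = if ($asrRules.ContainsKey($id)) { $asrRules[$id] } else { 'Rule not in this table' }
        [pscustomobject]@{
            Id     = $id
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
            Rule   = $name
        }
    }
}

# Summarise ASR hits from the Defender operational log.
# Event 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
function Get-AsrHits {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        # The event message carries the rule GUID; match it against the table rather
        # than relying on positional event data fields.
        $id = $asrRules.Keys | Where-Object { $evt.Message -match [regex]::Escape($_) } | Select-Object -First 1
        $mode = if ($evt.Id -eq 1121) { 'Block' } else { 'Audit' }
        $name = if ($id) { $asrRules[$id] } else { 'Rule not in this table' }
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            Mode    = $mode
            Rule    = $name
            Summary = ($evt.Message -split "`n")[0]
        }
    }
}

# 1. Stage every rule in audit mode and confirm the configuration took
Set-AsrRuleAction -Action AuditMode
Get-AsrState | Format-Table -AutoSize

# 2. After a soak period, review which rules fired and how often
Get-AsrHits -Days 7 | Group-Object Rule | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Exclude legitimate hits, then enforce. Example exclusion path is a placeholder.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\TrustedApp\app.exe'
Set-AsrRuleAction -Action Enabled
```

Run steps 1 and 2 first and leave at least a week between them; a line-of-business application that appears repeatedly under a single rule is the signal to add an ASR-only exclusion before step 3, rather than disabling the rule.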

Additional resources:

For more Windows security configurations, see [Windows hardening](/Blue Team/Windows/Windows Hardning).