Security Posture Overview
MITRE ATT&CK endpoint assessment for DEMO-WS01
• Enable Tamper Protection in Windows Security settings (2 minutes)
• Set a strong password on the primary user account (1 minute)
• Enable PowerShell Script Block Logging via registry (5 minutes)
• Quote or remove the unused ASUS service path (2 minutes)
• Restrict RDP to trusted IPs via Windows Firewall (10 minutes)
Assessment Scope
This assessment maps local system state to the MITRE ATT&CK Framework. 10 techniques were evaluated using deterministic PowerShell checks with zero-token data collection.
| Technique | Name | Tactic |
|---|---|---|
| T1547 | Boot/Logon Autostart | Persistence |
| T1078 | Valid Accounts | Credential Access |
| T1046 | Network Service Discovery | Discovery |
| T1562 | Impair Defenses | Defense Evasion |
| T1053 | Scheduled Task/Job | Execution |
| T1059 | Command and Scripting | Execution |
| T1036 | Masquerading | Defense Evasion |
| T1003 | OS Credential Dumping | Credential Access |
| T1071 | Application Layer Protocol | Command and Control |
| T1027 | Obfuscated Files | Defense Evasion |
Tactic Coverage Radar
Security posture across MITRE ATT&CK tactic dimensions
Security Findings
15 findings across 10 MITRE ATT&CK techniques
Windows Defender Tamper Protection Disabled
Tamper Protection prevents unauthorized modifications to Windows Defender settings, including real-time protection, cloud-delivered protection, and behavior monitoring. With tamper protection disabled, malware or a threat actor with local access could silently disable Defender without triggering alerts.
Evidence & Remediation
Get-MpComputerStatus | Select-Object IsTamperProtected, TamperProtectionSource
TamperProtectionSource: N/A
IsTamperProtected: False
Real-time protection: Enabled
Behavior monitor: Enabled
Signature age: 0 days (current)
Enable Tamper Protection via Windows Security > Virus & threat protection > Virus & threat protection settings > Tamper Protection = On. For managed environments, deploy via Intune: Endpoint security > Antivirus > Windows Security experience > Tamper Protection = Enable. Note: Tamper Protection requires cloud-delivered protection to be enabled.
Primary User Account Has No Password Requirement
The primary user account (admin-level) has no password requirement set. This means the account can be accessed without any credential, creating a critical authentication gap. Combined with RDP exposure, this could allow unauthenticated remote access to an administrator session.
Evidence & Remediation
Get-LocalUser | Where-Object { $_.Enabled -eq $true }
Name: User01 | PasswordRequired: False | PasswordExpires: Never | Enabled: True
Admin group membership confirmed: DEMO-WS01\User01 is a local administrator
Set a strong password on the account immediately:
net user User01 * (interactive prompt)
Then enforce password policy:
net accounts /minpwlen:12 /maxpwage:90
For enterprise management, deploy via Intune or Group Policy: Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
RDP Exposed on All Network Interfaces
Remote Desktop Protocol (port 3389) is listening on all interfaces (0.0.0.0 and ::), making it accessible from any network the host is connected to. Without Network Level Authentication (NLA) enforcement and combined with weak account passwords, this presents a significant attack surface for brute-force and credential-stuffing attacks.
Evidence & Remediation
Get-NetTCPConnection -State Listen | Where LocalPort -eq 3389
LocalAddress: 0.0.0.0 | LocalPort: 3389 | Process: svchost (PID 2000)
LocalAddress: :: | LocalPort: 3389 | Process: svchost (PID 2000)
Firewall profiles: Domain=Enabled, Private=Enabled, Public=Enabled
Restrict RDP access via Windows Firewall:
1. Create an inbound rule allowing RDP only from trusted IPs/subnets
2. Enable NLA: System Properties > Remote > "Allow connections only from computers running Remote Desktop with Network Level Authentication"
3. Consider disabling RDP entirely if not needed, or restrict it to VPN/Tailscale only
For managed environments: Deploy RDP restrictions via Intune Endpoint Security > Attack surface reduction rules.
Windows Update Service Stopped
The Windows Update service (wuauserv) is currently stopped with a manual start type. While Windows 11 manages this service dynamically, a persistently stopped update service can delay critical security patches, leaving the system vulnerable to known exploits.
Evidence & Remediation
Get-Service wuauserv | Select Status, StartType
Status: Stopped
StartType: Manual
Note: Windows 11 starts this service on-demand for update checks. Verify updates are being applied via Settings > Windows Update.
Verify update status: Settings > Windows Update > Check for updates. If updates are stale, restart the service and trigger a detection:
Start-Service wuauserv
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
For managed environments: Verify Windows Update for Business or WSUS policies are applying correctly via Intune compliance policies.
PowerShell Script Block Logging Disabled
PowerShell Script Block Logging records the content of all script blocks that are processed, providing critical forensic evidence for incident response. Without this logging, malicious PowerShell execution (including deobfuscated commands) would not be captured in event logs, severely limiting detection and response capabilities.
Evidence & Remediation
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
EnableScriptBlockLogging: Not configured (disabled)
Module Logging: Also disabled
Transcription: Disabled
Language Mode: FullLanguage
Enable via Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging = Enabled
Or via registry:
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Force
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1
For managed environments: Deploy via Intune Settings Catalog > PowerShell Script Block Logging.
Credential Guard Not Fully Configured
Virtualization-Based Security (VBS) is enabled (DeviceGuard = 2) but Credential Guard services are not running (SecurityServicesRunning = [0]). This means LSASS credentials are not protected by hardware isolation, leaving them vulnerable to memory-scraping tools like Mimikatz. LSA Protection (RunAsPPL) is enabled, providing software-level protection, but hardware-backed Credential Guard offers stronger guarantees.
Evidence & Remediation
VirtualizationBasedSecurityStatus: 2 (Enabled)
SecurityServicesRunning: [0] (None)
SecurityServicesConfigured: [0] (None)
LSA Protection (RunAsPPL): Enabled
WDigest UseLogonCredential: 0 (plaintext passwords disabled)
Enable Credential Guard:
1. Verify hardware supports VBS: msinfo32 > Virtualization-based security
2. Enable via Group Policy: Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security > Credential Guard = Enabled with UEFI lock
3. Reboot required
For managed environments: Deploy via Intune Endpoint Security > Account Protection > Credential Guard.
Broad Windows Defender Path Exclusions
Windows Defender has 10 path exclusions and 12 process exclusions configured. While some exclusions are necessary for development tools (Node.js, Git), broad exclusions on directories like Temp and user profile folders create blind spots where malware could execute undetected. Attackers frequently target excluded directories to evade endpoint protection.
Evidence & Remediation
Path Exclusions (10):
- Development directories (source code repos)
- Package manager caches (npm, fnm)
- User temp directories
- Local AppData temp
Process Exclusions (12):
- node.exe, npm.cmd, npx.cmd
- git.exe, git-remote-https.exe
- ssh.exe
- File sync utilities
- Various wildcard patterns
Review and minimize exclusions:
1. Remove broad temp directory exclusions; use specific process exclusions instead
2. Replace directory-level exclusions with file-type exclusions where possible
3. Audit: Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
Consider using ASR (Attack Surface Reduction) rules to compensate:
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule-id> -AttackSurfaceReductionRules_Actions Enabled
For managed environments: Audit exclusions via Intune > Endpoint Security > Antivirus > Exclusions report.
Unquoted Service Path Vulnerability
The ASUS System Control Service has an unquoted service path containing spaces. While the service is currently disabled and stopped, unquoted paths allow privilege escalation if an attacker can place an executable at a path parsed before the intended binary (e.g., 'C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.22\AsSysCtrlService.exe' could be hijacked with 'C:\Program.exe').
Evidence & Remediation
Service: AsSysCtrlService
Display: ASUS System Control Service
Path: C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.22\AsSysCtrlService.exe
State: Stopped
StartMode: Disabled
Path contains spaces but is not quoted.
Quote the service path:
sc.exe config AsSysCtrlService binPath= '"C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.22\AsSysCtrlService.exe"'
Or if the service is no longer needed (ASUS utility), remove it:
sc.exe delete AsSysCtrlService
Audit for other unquoted paths:
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match '\s' -and $_.PathName -notmatch '"' }
Primary User Password Never Expires
The primary user account has password expiry set to 'Never'. While modern guidance (NIST 800-63B) de-emphasises mandatory rotation, combining a never-expiring password with the finding that no password is required (DEM-002) means that if a password is eventually set, it would never be rotated, increasing the window for credential compromise.
Evidence & Remediation
Get-LocalUser User01 | Select PasswordExpires
PasswordExpires: Never
System password policy:
Maximum password age: 42 days
Minimum password length: 0
Lockout threshold: 10 attempts
Lockout duration: 10 minutes
Note: System policy enforces a 42-day maximum age, but the per-user setting overrides this.
Set password expiry on the account:
Set-LocalUser -Name User01 -PasswordNeverExpires $false
The account will then inherit the system password policy (42-day maximum age).
For managed environments: Enforce via Intune compliance policy requiring password expiry aligned with organisational policy.
PostgreSQL Database Exposed on All Interfaces
PostgreSQL (port 5432) is listening on all network interfaces (0.0.0.0 and ::). Database services should typically bind to localhost or specific trusted interfaces only, as exposure to the network increases the attack surface for brute-force attacks against database credentials.
Evidence & Remediation
Get-NetTCPConnection -State Listen | Where LocalPort -eq 5432
LocalAddress: 0.0.0.0 | LocalPort: 5432 | Process: postgres (PID 8616)
LocalAddress: :: | LocalPort: 5432 | Process: postgres (PID 8616)
Context: Development workstation PostgreSQL instance.
Restrict PostgreSQL to localhost only:
1. Edit postgresql.conf: listen_addresses = 'localhost'
2. Restart the PostgreSQL service
If remote access is needed, use pg_hba.conf to restrict access to specific IP addresses and require SSL connections. Alternatively, add Windows Firewall rules to block port 5432 from external networks.
PowerShell Module Logging Disabled
PowerShell Module Logging records pipeline execution details for specified modules, providing visibility into cmdlet usage patterns. While less critical than Script Block Logging, module logging helps detect reconnaissance and lateral movement commands (e.g., Get-ADUser, Invoke-Command).
Evidence & Remediation
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging
EnableModuleLogging: Not configured (disabled)
Transcription logging: Also disabled
Enable via Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on Module Logging = Enabled, Module Names: * (all modules)
Or via registry:
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' -Force
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' -Name 'EnableModuleLogging' -Value 1
Service Running from User Profile Directory
The Cloudflared service is running from the user profile directory rather than a standard program installation path. While Cloudflared is a legitimate Cloudflare tunnel agent, services running from user-writable directories are more susceptible to binary replacement attacks, as the user profile has less restrictive ACLs than Program Files.
Evidence & Remediation
Service: Cloudflared
Path: C:\Users\User01\cloudflared.exe
State: Running
Expected location: C:\Program Files\Cloudflare\cloudflared.exe
Move Cloudflared to a standard installation directory:
1. Stop the service: sc.exe stop Cloudflared
2. Copy the binary: Copy-Item cloudflared.exe 'C:\Program Files\Cloudflare\cloudflared.exe'
3. Update the service path: sc.exe config Cloudflared binPath= '"C:\Program Files\Cloudflare\cloudflared.exe" --config ...'
4. Start the service: sc.exe start Cloudflared
5. Remove the old binary from the user profile
Alternatively, install via winget: winget install Cloudflare.cloudflared
Three Local Administrator Accounts
The local Administrators group contains 3 members: the built-in Administrator account (disabled), a service account, and the primary user. While manageable, each administrator account increases the credential attack surface. Best practice is to minimise admin group membership and use standard accounts for daily operations.
Evidence & Remediation
Get-LocalGroupMember -Group 'Administrators'
DEMO-WS01\Administrator (User, Local): Disabled
DEMO-WS01\SvcAccount01 (User, Local): Enabled, password expires 2026-04-06
DEMO-WS01\User01 (User, Local): Enabled, no password required
Total enabled admin accounts: 2
Review admin group membership:
1. Verify SvcAccount01 requires admin privileges; if not, remove it from the Administrators group
2. Consider using a standard user account for daily operations and elevating via UAC when needed
3. For managed environments: Deploy LAPS (Local Administrator Password Solution) via Intune
Audit regularly: Get-LocalGroupMember -Group 'Administrators'
PowerShell FullLanguage Mode Enabled
PowerShell is running in FullLanguage mode, which provides unrestricted access to all language features including .NET types, COM objects, and reflection. While this is the default and required for administrative workstations, Constrained Language Mode (CLM) on standard user endpoints limits the attack surface available to PowerShell-based malware.
Evidence & Remediation
$ExecutionContext.SessionState.LanguageMode
FullLanguage
Note: FullLanguage is expected on admin/developer workstations. CLM is recommended for standard user endpoints in managed environments.
For standard user endpoints (not admin/developer workstations): Deploy Constrained Language Mode via AppLocker or WDAC policy.
This finding is informational for admin workstations; no action is required unless organisational policy mandates CLM.
For managed environments: Deploy WDAC (Windows Defender Application Control) policies via Intune to enforce CLM on non-admin endpoints.
Multiple Autostart Persistence Entries
The system has 17 autostart entries across startup folders (7) and registry Run keys (10). All entries map to legitimate applications (productivity tools, communication apps, backup agents). While no malicious entries were found, the high count increases the noise floor for detecting rogue persistence, and each autostart entry adds to boot time and attack surface.
Evidence & Remediation
Startup Folder Items (7): ActivityWatch, Dell Display Manager (x2), OneNote, ShareX, RustDesk Tray, Tailscale
Registry Run Keys (10): Discord, Backblaze, Spotify, Claude Desktop, Spark Desktop, MicroSIP, Teams, Todoist, NebulaTray, Discord (HKLM)
WMI Event Subscriptions: 1 (SCM Event Log Filter, Windows built-in)
All entries verified as legitimate software.
Review and reduce autostart entries:
1. Disable apps that don't need to start at boot (e.g., Spotify --autostart, Todoist)
2. Use Task Manager > Startup tab to manage startup impact
3. Consider removing duplicate entries (Discord appears in both HKCU and HKLM)
Periodically audit: Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Risk Assessment
Findings mapped by likelihood and impact (columns: likelihood, rows: impact)
Boot/Logon Autostart Execution
19 autostart entries detected outside standard system paths
Registry Run Keys
| Name | Command | Location |
|---|---|---|
| Discord | "C:\Users\User01\AppData\Local\Discord\Update.exe" --processStart Discord.exe | HKCU |
| Backblaze | C:\PROGRA~2\BACKBL~1\bzbui.exe -quiet | HKCU |
| Spotify | C:\Users\User01\AppData\Roaming\Spotify\Spotify.exe --autostart --minimized | HKCU |
| Claude | "C:\Users\User01\AppData\Local\AnthropicClaude\claude.exe" --startup | HKCU |
| (default) | | HKCU |
| Spark Desktop | C:\Users\User01\AppData\Local\Programs\SparkDesktop\Spark Desktop.exe | HKCU |
| MicroSIP | "C:\Users\User01\AppData\Local\MicroSIP\microsip.exe" /minimized | HKCU |
| Teams | "C:\Users\User01\AppData\Local\Microsoft\WindowsApps\MSTeams_8wekyb3d8bbwe\ms-teams.exe" msteams:system-initiated | HKCU |
| com.todoist | C:\Users\User01\AppData\Local\Programs\todoist\Todoist.exe | HKCU |
| NebulaTray | "C:\Users\User01\.local\bin\nebula-tray.exe" | HKCU |
| Discord | C:\ProgramData\SquirrelMachineInstalls\Discord.exe --checkInstall | HKLM |
Startup Folder Items
| Name | Type | Location |
|---|---|---|
| ActivityWatch.lnk | .lnk | C:\Users\User01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup |
| DDM2.0.lnk | .lnk | C:\Users\User01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup |
| Send to OneNote.lnk | .lnk | C:\Users\User01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup |
| ShareX.lnk | .lnk | C:\Users\User01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup |
| Dell Display Manager.lnk | .lnk | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp |
| RustDesk Tray.lnk | .lnk | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp |
| Tailscale.lnk | .lnk | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp |
Local User Accounts
2 enabled accounts, 3 administrators
| Username | Enabled | Last Logon | Password Expires |
|---|---|---|---|
| Administrator | No | Never | Never |
| DefaultAccount | No | Never | Never |
| Guest | No | Never | Never |
| SvcAccount01 | Yes | 2026-02-24T06:09:13 | 2026-04-06T05:06:25 |
| User01 | Yes | 2026-03-06T06:00:01 | Never |
| WDAGUtilityAccount | No | Never | 2025-02-25T08:16:40 |
Account Anomalies
| User | Issue | Severity |
|---|---|---|
| User01 | Password never expires | medium |
| User01 | No password required | high |
Administrators Group
| Name | Type | Source |
|---|---|---|
| DEMO-WS01\Administrator | User | Local |
| DEMO-WS01\nx | User | Local |
| DEMO-WS01\Tom | User | Local |
Password Policy
| Setting | Value |
|---|---|
| Maximum password age | 42 days |
| Minimum password length | 0 |
| Lockout threshold | 10 attempts |
| Lockout duration | 10 minutes |
Network Service Discovery
31 non-loopback listeners, 4 high-risk services exposed
• PostgreSQL (port 5432, ::) — postgres
• RDP (port 3389, ::) — svchost
• PostgreSQL (port 5432, 0.0.0.0) — postgres
• RDP (port 3389, 0.0.0.0) — svchost
Listening Ports (non-system)
| Port | Address | Process | PID |
|---|---|---|---|
| 60811 | :: | Antigravity | 12800 |
| 49681 | :: | services | 1232 |
| 49670 | :: | spoolsv | 5764 |
| 49669 | :: | svchost | 4556 |
| 49668 | :: | svchost | 3668 |
| 49667 | :: | svchost | 3516 |
| 49665 | :: | wininit | 1152 |
| 32977 | fd00::1 | tailscaled | 9348 |
| 21119 | :: | hbbr | 9060 |
| 21118 | :: | hbbs | 9024 |
| 21117 | :: | hbbr | 9060 |
| 21116 | :: | hbbs | 9024 |
| 21115 | :: | hbbs | 9024 |
| 5432 | :: | postgres | 8616 |
| 5357 | :: | System | 4 |
| 3389 | :: | svchost | 2000 |
| 2179 | :: | vmms | 3336 |
| 55679 | 10.100.0.1 | tailscaled | 9348 |
| 49681 | 0.0.0.0 | services | 1232 |
| 49670 | 0.0.0.0 | spoolsv | 5764 |
| 49669 | 0.0.0.0 | svchost | 4556 |
| 49668 | 0.0.0.0 | svchost | 3668 |
| 49667 | 0.0.0.0 | svchost | 3516 |
| 49665 | 0.0.0.0 | wininit | 1152 |
| 9696 | 127.0.0.2 | System | 4 |
| 6699 | 0.0.0.0 | Obsidian | 16268 |
| 5432 | 0.0.0.0 | postgres | 8616 |
| 3389 | 0.0.0.0 | svchost | 2000 |
| 2179 | 0.0.0.0 | vmms | 3336 |
| 912 | 0.0.0.0 | vmware-authd | 6744 |
... and 1 more
Firewall Profiles
| Profile | Enabled | Inbound | Outbound |
|---|---|---|---|
| Domain | ✓ Yes | NotConfigured | NotConfigured |
| Private | ✓ Yes | NotConfigured | NotConfigured |
| Public | ✓ Yes | NotConfigured | NotConfigured |
Impair Defenses Assessment
2 defense anomalies detected (severity: high, medium)
Windows Defender Status
| Control | Status |
|---|---|
| Real-Time Protection | ✓ Enabled |
| Antivirus | ✓ Enabled |
| Tamper Protection | ✗ Disabled |
| Behavior Monitor | ✓ Enabled |
| Cloud Protection | Unknown |
| Signature Age | 0 days |
Defender Exclusions
Paths: C:\GIT, C:\Users\User01\.ccs, C:\Users\User01\.claude, C:\Users\User01\.npm-global, C:\Users\User01\AppData\Local\fnm_multishells, C:\Users\User01\AppData\Local\Temp, C:\Users\User01\AppData\Local\Temp\claude, C:\Users\User01\AppData\Roaming\fnm, C:\Users\User01\AppData\Roaming\npm-cache, C:\Users\User01\node_modules
Processes: C:\Program Files\FreeFileSync\Bin\*, C:\Users\User01\.npm-global\node_modules\*, C:\Users\User01\AppData\Local\fnm_multishells\*\node.exe, C:\Users\User01\AppData\Roaming\fnm\node-versions\*\installation\node.exe, Everything.exe, git-remote-https.exe, git.exe, node.exe, npm.cmd, npx.cmd, ssh.exe
Extensions: None
UAC Configuration
| Setting | Value |
|---|---|
| Consent prompt (user) | 3 |
| Enable LUA | ✓ Enabled |
| Prompt on secure desktop | ✓ Enabled |
| Consent prompt (admin) | 2 |
Scheduled Task Analysis
9 non-Microsoft tasks, 3 suspicious
| Task | Author | Run As | Reasons |
|---|---|---|---|
| GoogleUpdaterTaskSystem147.0.7703.0{2794FE61-0FE6-4C22-B52B-36E445402496} | NT AUTHORITY\SYSTEM | SYSTEM | Runs as SYSTEM |
| SpaceManagerTask | $(@%SystemRoot%\system32\spaceman.exe,-2) | SYSTEM | Runs as SYSTEM |
| PerformRemediation | $(@%systemroot%\system32\WaasMedicSvcImpl.dll,-102) | SYSTEM | Runs as SYSTEM |
Non-Microsoft Tasks
| Task | Author | State | Run As |
|---|---|---|---|
| Monthly Documentation Audit (REP-012) | DEMO-WS01\Tom | Ready | Tom |
| VivaldiUpdateCheck-03b93b12826abc18 | Vivaldi Technologies AS | Ready | Tom |
| ZoomUpdateTaskUser-S-1-5-21-834384447-3854320417-28516990-1001 | Zoom Communications, Inc. | Ready | Tom |
| GoogleUpdaterTaskSystem147.0.7703.0{2794FE61-0FE6-4C22-B52B-36E445402496} | NT AUTHORITY\SYSTEM | Ready | SYSTEM |
| Backup | $(@%SystemRoot%\system32\AppListBackupLauncher.dll,-600) | Ready | |
| BackupNonMaintenance | $(@%SystemRoot%\system32\AppListBackupLauncher.dll,-600) | Ready | |
| UnifiedConsentSyncTask | $(@%systemRoot%\system32\unifiedconsent.dll,-102) | Ready | |
| SpaceManagerTask | $(@%SystemRoot%\system32\spaceman.exe,-2) | Ready | SYSTEM |
| PerformRemediation | $(@%systemroot%\system32\WaasMedicSvcImpl.dll,-102) | Ready | SYSTEM |
Assessment Results by Technique
| Technique | Name | Tactic | Status | Findings |
|---|---|---|---|---|
| T1547 | Boot/Logon Autostart | Persistence | Info | 1 |
| T1078 | Valid Accounts | Credential Access | High | 3 |
| T1046 | Network Service Discovery | Discovery | High | 2 |
| T1562 | Impair Defenses | Defense Evasion | High | 3 |
| T1053 | Scheduled Task/Job | Execution | Clean | 0 |
| T1059 | Command and Scripting | Execution | Medium | 3 |
| T1036 | Masquerading | Defense Evasion | Medium | 2 |
| T1003 | OS Credential Dumping | Credential Access | Medium | 1 |
| T1071 | Application Layer Protocol | Command and Control | Clean | 0 |
| T1027 | Obfuscated Files | Defense Evasion | Clean | 0 |
Remediation Roadmap
Prioritized actions to improve endpoint security posture
Immediate Actions
• Set password on primary user account (1 minute)
Eliminates unauthenticated access to admin session
• Enable Defender Tamper Protection (2 minutes)
Prevents malware from disabling endpoint protection
• Restrict RDP to VPN/Tailscale only (10 minutes)
Eliminates remote brute-force attack surface
Short Term
• Enable PowerShell Script Block Logging (5 minutes)
Full forensic visibility into PowerShell execution
• Review and reduce Defender exclusions (30 minutes)
Closes detection blind spots in excluded directories
• Bind PostgreSQL to localhost only (10 minutes + restart)
Eliminates database exposure to network
Medium Term
• Deploy Credential Guard with UEFI lock (1-2 hours + reboot)
Hardware-backed credential isolation preventing LSASS dumping
• Move Cloudflared to Program Files (15 minutes)
Reduces binary replacement risk for tunnel agent
• Audit and reduce autostart entries (30 minutes)
Reduces persistence noise floor and boot time
Reference Information
MITRE ATT&CK Reference
• Enterprise Matrix: Full ATT&CK matrix for enterprise environments
• Mitigations: Security controls mapped to ATT&CK techniques
• Data Sources: Detection data sources for each technique
Scan Metadata
| Property | Value |
|---|---|
| Hostname | DEMO-WS01 |
| OS | Microsoft Windows 11 Pro |
| OS Version | Microsoft Windows NT 10.0.26100.0 |
| Scan Timestamp | 2026-03-06T10:55:22Z |
| Mode | full |
| Elevated | Yes |
| Script Version | 1.0 |
| Report ID | DEM-MITRE-2026-002 |