Security Posture Overview
MITRE ATT&CK endpoint assessment for ENDPOINT-01
Set a password on the Tom account — eliminates the #1 critical finding
Enable Tamper Protection via Windows Security UI (cannot be done via GPO/registry)
Enable PowerShell Script Block Logging — single registry key
Restrict RDP to specific IPs via Windows Firewall
Remove C:\Users\[USER]\AppData\Local\Temp from Defender exclusions
Assessment Scope
This assessment maps local system state to the MITRE ATT&CK Framework. 10 techniques were evaluated using deterministic PowerShell checks with zero-token data collection.
| Technique | Name | Tactic |
|---|---|---|
| T1547 | Boot/Logon Autostart | Persistence |
| T1078 | Valid Accounts | Credential Access |
| T1046 | Network Service Discovery | Discovery |
| T1562 | Impair Defenses | Defense Evasion |
| T1053 | Scheduled Task/Job | Execution |
| T1059 | Command and Scripting | Execution |
| T1036 | Masquerading | Defense Evasion |
| T1003 | OS Credential Dumping | Credential Access |
| T1071 | Application Layer Protocol | Command and Control |
| T1027 | Obfuscated Files | Defense Evasion |
Tactic Coverage Radar
Security posture across MITRE ATT&CK tactic dimensions
Security Findings
17 findings across 10 MITRE ATT&CK techniques
No Password Required on Primary Account
The primary user account '[USER]' (administrator, last logon 2026-03-03) does not require a password for login. Combined with RDP listening on all interfaces, this allows unrestricted local and potentially remote access without any authentication challenge.
Evidence & Remediation
Get-LocalUser '[USER]': PasswordRequired=False, PasswordExpires=Never, Enabled=True. Account is member of Administrators group. RDP (3389) bound to 0.0.0.0 and ::.
Set a strong password immediately: net user [USER] <NewStrongPassword>
Also enforce a minimum length and maximum age: net accounts /minpwlen:14 /maxpwage:90
Critical: With RDP exposed, this is remotely exploitable.
Windows Defender Tamper Protection Disabled
Tamper Protection is disabled, allowing any process (including malware) to modify or disable Windows Defender settings, exclusions, and real-time protection without administrator consent. This is the most critical defense gap — it means all other Defender protections can be silently turned off.
Evidence & Remediation
Get-MpComputerStatus: TamperProtection=False. All other Defender features are enabled (RealTimeProtection=True, BehaviorMonitor=True, IoavProtection=True, NISEnabled=True), but can be disabled by any admin process without Tamper Protection.
Enable Tamper Protection:
1. Open Windows Security → Virus & threat protection → Settings
2. Turn on Tamper Protection
Note: This must be done via the UI or Intune — registry/GPO cannot enable it (by design).
Extensive Defender Exclusions — 10 Paths + 12 Processes
Windows Defender has 10 path exclusions and 12 process exclusions configured, primarily for development tools (Node.js, npm, Git, fnm, SSH). While these improve development performance, they create significant blind spots where malware could operate undetected — particularly in C:\GIT, C:\Users\[USER]\AppData\Local\Temp, and all npm/node directories.
Evidence & Remediation
Excluded paths: C:\GIT, C:\Users\[USER]\.ccs, C:\Users\[USER]\.claude, C:\Users\[USER]\.npm-global, fnm_multishells, Temp, claude temp, fnm, npm-cache, node_modules. Excluded processes: [Sync-Tool]\Bin\*, npm-global\node_modules\*, fnm node.exe (2 paths), Everything.exe, git-remote-https.exe, git.exe, node.exe, npm.cmd, npx.cmd, ssh.exe.
Review and reduce exclusions:
1. Remove C:\Users\[USER]\AppData\Local\Temp — high-risk malware staging area
2. Replace broad path exclusions with specific process exclusions where possible
3. Consider using Controlled Folder Access to compensate
4. Audit C:\GIT exclusion — consider per-repo exclusions instead of blanket
PowerShell Script Block Logging Disabled
Neither PowerShell Script Block Logging nor Module Logging is enabled. PowerShell Transcription is also disabled. This means no PowerShell execution is recorded in event logs, creating a complete forensic blind spot for the most commonly abused Windows attack tool.
Evidence & Remediation
ScriptBlockLogging: enabled=false. ModuleLogging: enabled=false. Transcription: enabled=false. LanguageMode: FullLanguage (no Constrained Language Mode).
Enable all three PowerShell logging mechanisms:
1. Script Block Logging (most important): reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f
2. Module Logging: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" /v EnableModuleLogging /t REG_DWORD /d 1 /f (Module Logging only records modules listed under the ModuleNames subkey of that policy key; a value named * with data * covers all modules)
3. Transcription (saves to disk): reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v EnableTranscripting /t REG_DWORD /d 1 /f
Verify afterwards by running any script and confirming event ID 4104 appears in the Microsoft-Windows-PowerShell/Operational log.
RDP and PostgreSQL Exposed on All Interfaces
Remote Desktop Protocol (3389) and PostgreSQL (5432) are listening on 0.0.0.0 and :: (all network interfaces). Combined with the passwordless Tom account (ADD-001), RDP exposure is critically dangerous. 31 total TCP listeners were detected across the system.
Evidence & Remediation
High-risk services on all interfaces:
- RDP (3389): svchost, bound to 0.0.0.0 + ::
- PostgreSQL (5432): postgres, bound to 0.0.0.0 + ::
Additional notable listeners: [Remote-Access-Tool] relay (21115-21119), Hyper-V (2179), VMware (902, 912), [VPN-Client], Obsidian (6699), Print Spooler.
Firewall profiles: Domain/Private/Public all enabled but inbound/outbound defaults = NotConfigured.
1. Restrict RDP via Windows Firewall to specific IPs. Windows Firewall evaluates block rules before allow rules, so an explicit block rule on 3389 would also cut off the trusted IP; scope the allow side instead:
netsh advfirewall firewall set rule group="Remote Desktop" new remoteip=<TRUSTED_IP>
netsh advfirewall firewall add rule name="RDP Restrict" dir=in action=allow protocol=TCP localport=3389 remoteip=<TRUSTED_IP>
2. Bind PostgreSQL to localhost: Edit postgresql.conf → listen_addresses = 'localhost', then restart the PostgreSQL service
3. Review if [Remote-Access-Tool] relay (21115-21119) and VMware (902, 912) need external exposure
Minimum Password Length Set to Zero
The local password policy allows zero-length passwords, enabling accounts to be created or maintained without any password. The lockout policy (threshold: 10 attempts, duration: 10 minutes) provides some protection, but empty passwords bypass lockout entirely.
Evidence & Remediation
net accounts: MinimumPasswordLength=0, MaximumPasswordAge=42 days, LockoutThreshold=10, LockoutDuration=10 minutes.
Enforce minimum password length: net accounts /minpwlen:14
Also consider complexity requirements via Local Security Policy: secpol.msc → Account Policies → Password Policy → Password must meet complexity requirements: Enabled
Windows Update Service Stopped
The Windows Update service (wuauserv) is stopped with Manual start type. While Windows Update may start on demand, a stopped update service means security patches may not be automatically applied, leaving known vulnerabilities unpatched.
Evidence & Remediation
Windows Update service: Status=Stopped, StartType=Manual.
Verify Windows Update is functioning:
Get-Service wuauserv | Start-Service
Set-Service wuauserv -StartupType Automatic
Check for pending updates: Install-Module PSWindowsUpdate -Force; Get-WindowsUpdate
Credential Guard Not Active Despite VBS Running
Virtualization Based Security (VBS) is running (status=2) but Credential Guard is not active — security services configured and running both report [0] (none). This means the hardware capability exists but credential isolation is not leveraged, leaving NTLM hashes and Kerberos tickets accessible in LSASS memory.
Evidence & Remediation
Win32_DeviceGuard: VirtualizationBasedSecurityStatus=2 (Running). SecurityServicesRunning=[0] (None). SecurityServicesConfigured=[0] (None). Note: LSA Protection (RunAsPPL) IS enabled (mitigating factor).
Enable Credential Guard via Group Policy: Computer Configuration → Admin Templates → System → Device Guard → Turn On Virtualization Based Security; set 'Credential Guard Configuration' to 'Enabled with UEFI lock'
Or via registry: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /t REG_DWORD /d 1 /f
Requires reboot.
Suspicious Outbound Connection — [Remote-Access-Tool] to External IP
[Remote-Access-Tool] (remote desktop software) was detected with an active outbound connection to [EXT-RELAY-IP]:21117. While [Remote-Access-Tool] is a legitimate remote access tool, its relay protocol on non-standard ports can be abused for command-and-control communications. The [Remote-Access-Tool] relay server (hbbs/hbbr) is also running locally on ports 21115-21119.
Evidence & Remediation
Suspicious outbound: [Remote-Access-Tool] (PID 7944) → [EXT-RELAY-IP]:21117. Local [Remote-Access-Tool] relay: hbbs on 21115/21116/21118, hbbr on 21117/21119. All bound to :: (all interfaces).
If [Remote-Access-Tool] is intentional:
1. Verify [EXT-RELAY-IP] is a known [Remote-Access-Tool] relay server
2. Restrict relay server to listen on localhost or VPN interface only
3. Document as accepted risk
If not intentional:
1. Stop services: Stop-Service [Remote-Access-Tool]*
2. Remove: winget uninstall [Remote-Access-Tool]
3. Block ports 21115-21119 in Windows Firewall
19 Non-Standard Autostart Entries
19 autostart entries were found across registry Run keys (11) and startup folders (7), plus 1 WMI event subscription. While most appear to be legitimate applications ([Chat-App], [Media-App], Teams, Backblaze, Claude, [VoIP-Client], [VPN-Client], [Remote-Access-Tool], [Screenshot-Tool]), the volume significantly expands the persistence attack surface and increases boot time.
Evidence & Remediation
HKCU Run keys (10): [Chat-App], Backblaze, [Media-App], Claude, [Email-Client], [VoIP-Client], Teams, [Task-App], [VPN-Mesh-Client], (default). HKLM Run keys (1): [Chat-App] (SquirrelMachineInstalls). Startup folder (7): [Time-Tracker], DDM2.0, Send to OneNote, [Screenshot-Tool], Dell Display Manager, [Remote-Access-Tool] Tray, [VPN-Client]. WMI subscription: SCM Event Log Filter.
Review and remove unnecessary autostart entries:
1. (default) entry in HKCU Run — likely garbage, remove
2. [Chat-App] appears twice (HKCU + HKLM) — remove one
3. Evaluate if [Time-Tracker], DDM2.0, Send to OneNote need autostart
4. WMI SCM Event Log Filter — verify this is legitimate
Use: msconfig → Startup tab, or Task Manager → Startup
Unquoted Service Path — ASUS System Control Service
The ASUS System Control Service has an unquoted binary path containing spaces: 'C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.22\AsSysCtrlService.exe'. While the service is currently Disabled/Stopped, if enabled, an attacker with write access to one of the intermediate directories could place a malicious executable such as 'C:\Program.exe' to hijack execution.
Evidence & Remediation
AsSysCtrlService: Path='C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.22\AsSysCtrlService.exe' (unquoted, contains spaces). State=Stopped, StartMode=Disabled.
Quote the service path: sc config AsSysCtrlService binPath= "\"C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.22\AsSysCtrlService.exe\""
Or if unused, remove the service entirely: sc delete AsSysCtrlService
Cloudflared Running from User Directory
The Cloudflare Tunnel agent (cloudflared.exe) is running as a service from C:\Users\[USER]\cloudflared.exe instead of the standard Program Files location. While this is a legitimate Cloudflare binary, services running from user-writable directories are higher risk — any user-level compromise could replace the binary.
Evidence & Remediation
Service: Cloudflared, Path=C:\Users\[USER]\cloudflared.exe, State=Running.
Move cloudflared to a protected location:
1. Stop the service
2. Move to C:\Program Files\cloudflared\cloudflared.exe
3. Update service path, quoted because it contains spaces (otherwise this reintroduces the unquoted-path issue from the previous finding): sc config cloudflared binPath= "\"C:\Program Files\cloudflared\cloudflared.exe\""
4. Restart service
3 SYSTEM-Privilege Scheduled Tasks
Three scheduled tasks run with SYSTEM-level privileges: Google Updater, SpaceManager (Windows Storage), and WaaSMedic (Windows Update remediation). While all appear legitimate, SYSTEM-running custom tasks are high-value persistence mechanisms.
Evidence & Remediation
SYSTEM tasks:
1. GoogleUpdaterTaskSystem147.0.7703.0 — updater.exe --wake --system
2. SpaceManagerTask — spaceman.exe /Work (Windows built-in)
3. PerformRemediation — WaaSMedic (Windows Update self-heal)
9 total custom tasks. 6 non-Microsoft user-level tasks (Monthly Doc Audit, Vivaldi Update, Zoom Update, Google Updater x2, Backblaze).
Review SYSTEM tasks:
1. Google Updater — Consider if SYSTEM privileges are necessary; could run as user
2. SpaceManagerTask and WaaSMedic — Legitimate Windows tasks, no action needed
Monitor for new SYSTEM tasks: Get-ScheduledTask | Where-Object {$_.Principal.UserId -eq 'SYSTEM' -and $_.Author -notmatch 'Microsoft'}
Firewall Default Actions Not Configured
All three Windows Firewall profiles (Domain, Private, Public) are enabled but have DefaultInboundAction and DefaultOutboundAction set to 'NotConfigured'. This defers to the built-in Windows defaults (block inbound, allow outbound), but explicit configuration is a best practice for defense-in-depth.
Evidence & Remediation
Firewall profiles:
- Domain: Enabled=1, InboundDefault=NotConfigured, OutboundDefault=NotConfigured
- Private: Enabled=1, InboundDefault=NotConfigured, OutboundDefault=NotConfigured
- Public: Enabled=1, InboundDefault=NotConfigured, OutboundDefault=NotConfigured
Explicitly set firewall defaults: Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -DefaultOutboundAction Allow
For enhanced security, consider restricting outbound: Set-NetFirewallProfile -Profile Public -DefaultOutboundAction Block
Then add specific outbound allow rules.
LSA Protection (RunAsPPL) Enabled — Strong Credential Defense
LSA Protection is enabled, running LSASS as a Protected Process Light (PPL). This prevents unauthorized processes — including tools like Mimikatz — from reading or injecting into LSASS memory. Combined with disabled WDigest plaintext storage, this is a strong credential defense.
Evidence & Remediation
LSA Protection: RunAsPPL=True. WDigest: UseLogonCredential=0, PlaintextPasswords=False.
No action required. This is properly configured and represents best-practice credential protection.
Windows Defender Fully Operational with Current Signatures
Windows Defender is fully operational: real-time protection, behavior monitoring, IOAV protection, NIS, and antispyware are all enabled. Signature database is current (0 days old). Engine version 1.1.26010.1 is current. The only gaps are Tamper Protection (ADD-002) and cloud protection status (Unknown).
Evidence & Remediation
Defender status: AntivirusEnabled=True, RealTimeProtection=True, BehaviorMonitor=True, IoavProtection=True, NISEnabled=True, AntispywareEnabled=True. SignatureAge=0 days. ProductStatus=4.18.26010.5. CloudProtection=Unknown.
Verify cloud protection: Get-MpPreference | Select MAPSReporting, CloudBlockLevel, CloudExtendedTimeout (cloud-delivered protection settings are exposed by Get-MpPreference rather than Get-MpComputerStatus; MAPSReporting 0 means disabled)
If disabled: Set-MpPreference -MAPSReporting Advanced
No Alternate Data Streams or Hidden Executables Detected
The obfuscation scan found no Alternate Data Streams (ADS) and no hidden executables in system directories. This is a clean result indicating no file-system-level obfuscation techniques are in use.
Evidence & Remediation
ADS count: 0. Hidden executables: 0.
No action required. Clean result.
Risk Assessment
Findings mapped by likelihood and impact (columns: likelihood, rows: impact)
Boot/Logon Autostart Execution
19 autostart entries detected outside standard system paths
Registry Run Keys
| Name | Command | Location |
|---|---|---|
| [Chat-App] | "C:\Users\[USER]\AppData\Local\[Chat-App]\Update.exe" --processStart [Chat-App].exe | HKCU |
| Backblaze | C:\PROGRA~2\BACKBL~1\bzbui.exe -quiet | HKCU |
| [Media-App] | C:\Users\[USER]\AppData\Roaming\[Media-App]\[Media-App].exe --autostart --minimized | HKCU |
| Claude | "C:\Users\[USER]\AppData\Local\[AI-Assistant]\[ai-assistant].exe" --startup | HKCU |
| (default) | | HKCU |
| [Email-Client] | C:\Users\[USER]\AppData\Local\Programs\[Email-Client]\[Email-Client].exe | HKCU |
| [VoIP-Client] | "C:\Users\[USER]\AppData\Local\[VoIP-Client]\[VoIP-Client].exe" /minimized | HKCU |
| Teams | "C:\Users\[USER]\AppData\Local\Microsoft\WindowsApps\MSTeams_8wekyb3d8bbwe\ms-teams.exe" msteams:system-initiated | HKCU |
| com.[Task-App] | C:\Users\[USER]\AppData\Local\Programs\[Task-App]\[Task-App].exe | HKCU |
| [VPN-Mesh-Client] | "C:\Users\[USER]\.local\bin\[vpn-mesh-client].exe" | HKCU |
| [Chat-App] | C:\ProgramData\SquirrelMachineInstalls\[Chat-App].exe --checkInstall | HKLM |
Startup Folder Items
| Name | Type | Location |
|---|---|---|
| [Time-Tracker].lnk | .lnk | C:\Users\[USER]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup |
| DDM2.0.lnk | .lnk | C:\Users\[USER]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup |
| Send to OneNote.lnk | .lnk | C:\Users\[USER]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup |
| [Screenshot-Tool].lnk | .lnk | C:\Users\[USER]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup |
| Dell Display Manager.lnk | .lnk | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp |
| [Remote-Access-Tool] Tray.lnk | .lnk | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp |
| [VPN-Client].lnk | .lnk | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp |
Local User Accounts
2 enabled accounts, 3 administrators
| Username | Enabled | Last Logon | Password Expires |
|---|---|---|---|
| Administrator | No | Never | Never |
| DefaultAccount | No | Never | Never |
| Guest | No | Never | Never |
| [USER2] | Yes | 2026-02-24T06:09:13 | 2026-04-06T05:06:25 |
| [USER] | Yes | 2026-03-03T18:37:59 | Never |
| WDAGUtilityAccount | No | Never | 2025-02-25T08:16:40 |
Account Anomalies
| User | Issue | Severity |
|---|---|---|
| [USER] | Password never expires | medium |
| [USER] | No password required | high |
Administrators Group
| Name | Type | Source |
|---|---|---|
| ENDPOINT-01\Administrator | User | Local |
| ENDPOINT-01\[USER2] | User | Local |
| ENDPOINT-01\[USER] | User | Local |
Password Policy
| Setting | Value |
|---|---|
| Max age | 42 days |
| Min length | 0 |
| Lockout threshold | 10 attempts |
| Lockout duration | 10 minutes |
Network Service Discovery
31 non-loopback listeners, 4 high-risk services exposed
- PostgreSQL (port 5432, ::) — postgres
- RDP (port 3389, ::) — svchost
- PostgreSQL (port 5432, 0.0.0.0) — postgres
- RDP (port 3389, 0.0.0.0) — svchost
Listening Ports (non-system)
| Port | Address | Process | PID |
|---|---|---|---|
| 60811 | :: | Antigravity | 12800 |
| 49681 | :: | services | 1232 |
| 49670 | :: | spoolsv | 5764 |
| 49669 | :: | svchost | 4556 |
| 49668 | :: | svchost | 3668 |
| 49667 | :: | svchost | 3516 |
| 49665 | :: | wininit | 1152 |
| [TS-PORT] | [[VPN-Client]-V6] | [VPN-Client]d | 9348 |
| 21119 | :: | hbbr | 9060 |
| 21118 | :: | hbbs | 9024 |
| 21117 | :: | hbbr | 9060 |
| 21116 | :: | hbbs | 9024 |
| 21115 | :: | hbbs | 9024 |
| 5432 | :: | postgres | 8616 |
| 5357 | :: | System | 4 |
| 3389 | :: | svchost | 2000 |
| 2179 | :: | vmms | 3336 |
| [TS-PORT2] | [[VPN-Client]-V4] | [VPN-Client]d | 9348 |
| 49681 | 0.0.0.0 | services | 1232 |
| 49670 | 0.0.0.0 | spoolsv | 5764 |
| 49669 | 0.0.0.0 | svchost | 4556 |
| 49668 | 0.0.0.0 | svchost | 3668 |
| 49667 | 0.0.0.0 | svchost | 3516 |
| 49665 | 0.0.0.0 | wininit | 1152 |
| 9696 | 127.0.0.2 | System | 4 |
| 6699 | 0.0.0.0 | Obsidian | 16268 |
| 5432 | 0.0.0.0 | postgres | 8616 |
| 3389 | 0.0.0.0 | svchost | 2000 |
| 2179 | 0.0.0.0 | vmms | 3336 |
| 912 | 0.0.0.0 | vmware-authd | 6744 |
... and 1 more
Firewall Profiles
| Profile | Enabled | Inbound | Outbound |
|---|---|---|---|
| Domain | ✓ Yes | NotConfigured | NotConfigured |
| Private | ✓ Yes | NotConfigured | NotConfigured |
| Public | ✓ Yes | NotConfigured | NotConfigured |
Impair Defenses Assessment
2 defense anomalies detected
Severity: high
Severity: medium
Windows Defender Status
| Feature | Status |
|---|---|
| Real-Time Protection | ✓ Enabled |
| Antivirus | ✓ Enabled |
| Tamper Protection | ✗ Disabled |
| Behavior Monitor | ✓ Enabled |
| Cloud Protection | Unknown |
| Signature Age | 0 days |
Defender Exclusions
Paths: C:\GIT, C:\Users\[USER]\.ccs, C:\Users\[USER]\.claude, C:\Users\[USER]\.npm-global, C:\Users\[USER]\AppData\Local\fnm_multishells, C:\Users\[USER]\AppData\Local\Temp, C:\Users\[USER]\AppData\Local\Temp\claude, C:\Users\[USER]\AppData\Roaming\fnm, C:\Users\[USER]\AppData\Roaming\npm-cache, C:\Users\[USER]\node_modules
Processes: C:\Program Files\[Sync-Tool]\Bin\*, C:\Users\[USER]\.npm-global\node_modules\*, C:\Users\[USER]\AppData\Local\fnm_multishells\*\node.exe, C:\Users\[USER]\AppData\Roaming\fnm\node-versions\*\installation\node.exe, Everything.exe, git-remote-https.exe, git.exe, node.exe, npm.cmd, npx.cmd, ssh.exe
Extensions: None
UAC Configuration
| Setting | Value |
|---|---|
| Consent prompt behavior (user) | 3 |
| EnableLUA | ✓ Enabled |
| Prompt on secure desktop | ✓ Enabled |
| Consent prompt behavior (admin) | 2 |
Scheduled Task Analysis
9 non-Microsoft tasks, 3 suspicious
| Task | Author | Run As | Reasons |
|---|---|---|---|
| GoogleUpdaterTaskSystem147.0.7703.0{2794FE61-0FE6-4C22-B52B-36E445402496} | NT AUTHORITY\SYSTEM | SYSTEM | Runs as SYSTEM |
| SpaceManagerTask | $(@%SystemRoot%\system32\spaceman.exe,-2) | SYSTEM | Runs as SYSTEM |
| PerformRemediation | $(@%systemroot%\system32\WaasMedicSvcImpl.dll,-102) | SYSTEM | Runs as SYSTEM |
Non-Microsoft Tasks
| Task | Author | State | Run As |
|---|---|---|---|
| Monthly Documentation Audit (REP-012) | ENDPOINT-01\[USER] | Ready | [USER] |
| VivaldiUpdateCheck-03b93b12826abc18 | Vivaldi Technologies AS | Ready | [USER] |
| ZoomUpdateTaskUser-S-1-5-21-[REDACTED]-1001 | Zoom Communications, Inc. | Ready | [USER] |
| GoogleUpdaterTaskSystem147.0.7703.0{2794FE61-0FE6-4C22-B52B-36E445402496} | NT AUTHORITY\SYSTEM | Ready | SYSTEM |
| Backup | $(@%SystemRoot%\system32\AppListBackupLauncher.dll,-600) | Ready | |
| BackupNonMaintenance | $(@%SystemRoot%\system32\AppListBackupLauncher.dll,-600) | Ready | |
| UnifiedConsentSyncTask | $(@%systemRoot%\system32\unifiedconsent.dll,-102) | Ready | |
| SpaceManagerTask | $(@%SystemRoot%\system32\spaceman.exe,-2) | Ready | SYSTEM |
| PerformRemediation | $(@%systemroot%\system32\WaasMedicSvcImpl.dll,-102) | Ready | SYSTEM |
Assessment Results by Technique
| Technique | Name | Tactic | Status | Findings |
|---|---|---|---|---|
| T1547 | Boot/Logon Autostart | Persistence | Medium | 1 |
| T1078 | Valid Accounts | Credential Access | Critical | 2 |
| T1046 | Network Service Discovery | Discovery | High | 1 |
| T1562 | Impair Defenses | Defense Evasion | High | 5 |
| T1053 | Scheduled Task/Job | Execution | Low | 1 |
| T1059 | Command and Scripting | Execution | High | 1 |
| T1036 | Masquerading | Defense Evasion | Medium | 2 |
| T1003 | OS Credential Dumping | Credential Access | Medium | 2 |
| T1071 | Application Layer Protocol | Command and Control | Medium | 1 |
| T1027 | Obfuscated Files | Defense Evasion | Info | 1 |
Remediation Roadmap
Prioritized actions to improve endpoint security posture
Immediate Actions
• Set strong password on Tom account (1 minute)
Eliminates unrestricted local+remote access (ADD-001)
• Enable minimum password length (14 chars) (1 minute)
Prevents weak/empty passwords (ADD-006)
• Enable Tamper Protection (2 minutes)
Prevents malware from disabling Defender (ADD-002)
Short Term
• Enable PowerShell Script Block + Module Logging (5 minutes)
Creates forensic audit trail for all PowerShell execution (ADD-004)
• Restrict RDP/PostgreSQL firewall rules (15 minutes)
Reduces network attack surface from 31 to essential listeners (ADD-005)
• Audit and reduce Defender exclusions (20 minutes)
Closes 10 malware blind spots (ADD-003)
• Move cloudflared.exe to Program Files (10 minutes)
Prevents user-level binary replacement (ADD-012)
Medium Term
• Enable Credential Guard (30 minutes + reboot)
Hardware-backed credential isolation via VBS (ADD-008)
• Review and reduce autostart entries (20 minutes)
Reduces 19 persistence points to essential minimum (ADD-010)
• Evaluate [Remote-Access-Tool] necessity and restrict relay (15 minutes)
Eliminates suspicious outbound + 5 listening ports (ADD-009)
• Explicitly configure firewall defaults (5 minutes)
Defense-in-depth for all profiles (ADD-014)
Reference Information
MITRE ATT&CK Reference
Enterprise Matrix
Full ATT&CK matrix for enterprise environments
Mitigations
Security controls mapped to ATT&CK techniques
Data Sources
Detection data sources for each technique
Scan Metadata
| Property | Value |
|---|---|
| Hostname | ENDPOINT-01 |
| OS | Microsoft Windows 11 Pro |
| OS Version | Microsoft Windows NT 10.0.26100.0 |
| Scan Timestamp | 2026-03-05T12:33:58Z |
| Mode | full |
| Elevated | Yes |
| Script Version | 1.0 |
| Report ID | ADD-MITRE-2026-002 |