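# Restrict the classic command prompt for the CURRENT user (HKCU).
# NOTE(review): HKCU is the hive of whoever runs this script; if it is run from
# an elevated admin session, the restriction lands on that admin profile and
# not on the standard users it is presumably meant for. A per-user GPO or a
# logon script is the usual delivery path - confirm the deployment model.
#
# DisableCMD values: 1 = block the interactive prompt AND batch-file processing,
#                    2 = block the interactive prompt but still allow batch files.
# The value 2 variant is kept below for environments that rely on .bat/.cmd logon scripts.
#reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 1 /f

# Make every cmd.exe instance run "exit" on start-up.
# /f added: without it, reg.exe prompts for confirmation when the value already
# exists, which stalls an unattended or repeated run.
# NOTE(review): this key is writable by the user and AutoRun is not processed
# when cmd.exe is started with /D, so treat this as defence in depth only; an
# application control policy (AppLocker / WDAC) is the enforceable control.
reg add "HKEY_CURRENT_USER\Software\Microsoft\Command Processor" /v AutoRun /t REG_EXPAND_SZ /d "exit" /f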
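# Remove the legacy PowerShell 2.0 engine. The 2.0 engine predates script block
# logging and AMSI, so leaving it installed lets a session downgrade to an
# engine that those protections do not cover.
# The two commands were fused onto one line in the original, which PowerShell
# cannot parse as two invocations; they are separate statements here.
# Requires an elevated session.
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2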
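# Constrained Language Mode (CLM)
# Reference: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/
# In the original, both statements sat on the same physical line as the
# leading "#" and were therefore commented out; they are restored as separate
# statements here.

# Switches only the CURRENT session to CLM; new PowerShell processes are unaffected.
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

# NOTE(review): this creates a PowerShell variable in the current scope. The
# __PSLockdownPolicy setting discussed in the linked article is an environment
# variable, and the article describes it as a debugging/test aid rather than an
# enforcement mechanism. System-wide, enforced CLM comes from an application
# control policy (AppLocker or WDAC) - confirm which of these is deployed
# before relying on this line.
Set-Variable -Name "__PSLockdownPolicy" -Value "4"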
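# PowerShell logging policy: script block logging + over-the-shoulder transcription.
# References:
#   https://www.digitalshadows.com/blog-and-research/powershell-security-best-practices/
#   https://www.cyber.gov.au/acsc/view-all-content/publications/securing-powershell-enterprise
# In the original, all four statements sat on the same physical line as the
# leading "#" and were therefore commented out; they are restored here.
# Requires an elevated session (writes under HKLM).
$psPolicyRoot     = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell"
$transcriptionKey = "$psPolicyRoot\Transcription"
$scriptBlockKey   = "$psPolicyRoot\ScriptBlockLogging"

# Set-ItemProperty does not create a missing registry key (-Force does not
# change that), and these policy keys are absent on a default install, so
# create them first.
foreach ($policyKey in $transcriptionKey, $scriptBlockKey) {
    if (-not (Test-Path -Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
}

# NOTE(review): transcripts record command input and output, which can include
# credentials and other secrets. C:\PowershellLogs should carry an ACL that
# stops ordinary users from reading or altering other users' transcripts, and
# the logs are best forwarded off-host so a compromised machine cannot erase them.
Set-ItemProperty -Path $transcriptionKey -Name "OutputDirectory" -Type "STRING" -Value "C:\PowershellLogs" -Force

# Records the content of every script block PowerShell processes to the event log.
Set-ItemProperty -Path $scriptBlockKey -Name "EnableScriptBlockLogging" -Type "DWORD" -Value "1" -Force

# Turns on transcription and adds a per-command invocation header (timestamp)
# to each transcript entry.
Set-ItemProperty -Path $transcriptionKey -Name "EnableTranscripting" -Type "DWORD" -Value "1" -Force
Set-ItemProperty -Path $transcriptionKey -Name "EnableInvocationHeader" -Type "DWORD" -Value "1" -Force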
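# Shut down PowerShell remoting / WinRM on this host.
# Order matters: the WSMan: drive is only reachable while the WinRM service is
# running, so the listeners are removed BEFORE the service is stopped.
# Requires an elevated session.

# Remove the plain-HTTP listener(s). The two commands were fused onto one line
# in the original; they are separate statements here.
Get-ChildItem WSMan:\Localhost\listener | Where-Object -Property Keys -eq "Transport=HTTP" | Remove-Item -Recurse

# Remove every remaining listener (this also covers HTTPS listeners, which
# makes the HTTP-only filter above redundant but harmless).
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

# Stop the service now and keep it from starting at boot.
Set-Service -Name "WinRM" -StartupType Disabled -Status Stopped

# Close the inbound firewall rule. The original used typographic quotes
# (U+201C/U+201D), which are corrupted when the file is saved or read in a
# non-Unicode encoding; plain ASCII quotes are used instead.
# NOTE(review): display names are localized, so this match may find nothing on
# a non-English install - confirm, or select the rule by a locale-independent
# property.
Disable-NetFirewallRule -DisplayName "Windows Remote Management (HTTP-In)"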