Hello everyone, my name is John Hammond, welcome back to another YouTube video. In this video I want to tell you about a conversation I had with a co-worker last week, where we were discussing some defensive techniques or protections you can put in place to potentially stop hackers and malware and all the bad stuff. Now, I don't mean for any of this to be the silver bullet or some magic wand that'll just make all the bad stuff go away. These are some poor man's practices or band-aid solutions that aren't foolproof by any means; they can be bypassed. But they're small things that might get in the way of a threat actor and just be annoying or a nuisance.

I had told her about these exercises I had participated in where there was a red team or opposing force acting against us, and we had to harden things and tighten things up so they wouldn't be able to get in. So I would disable the command prompt or enable PowerShell Constrained Language Mode, and that small stuff would, again, get in the way of the attacker. They might have to work around it, or, I don't know, if they're a low-tier threat actor or a script kiddie, they just throw their hands up and say, "Hey, this isn't working, what the heck," and give up. Maybe that's not always the case. Again, I don't mean to showcase this as anything crazy or incredible, but I do want to discuss it, because when I mentioned this to her she had the reaction like, "What, disabling command prompt? That's a thing you can do?" So I didn't know; maybe some people aren't aware of this thing, so I wanted to showcase it and bring it to you, because I've played with it a little bit.

So let me open up a web browser and I'll simply search for what I want to do, right? What I tell people is, hey, if you want to learn, you can Google. I'm going to type in "disable command prompt" and I have a few articles returned here. I see a Help Desk Geek, I see a How-To Geek.

How-To Geek has a good one. They want to disable the command prompt and the Run program in Windows. So you could do this with Group Policy, right? That's some policy you could set and enforce out. I won't showcase that, because Group Policy can be big and annoying and overwhelming very, very easily. So again, I'll showcase my poor man's methodology of using the Windows registry, right? That big database or dictionary of Windows settings and customizations and configuration that you can tweak and explore.

So they're showcasing this registry key here: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System. And they're setting a value here, DisableCMD, with a type of DWORD or a 32-bit value, and they're going to end up setting it to a value of 1. This can be set to a value of 0, which basically means you don't have that registry value set at all; the command prompt is still enabled, it's not disabled. It can be set to a value of 1, where the command prompt is disabled and you also aren't allowing the execution of scripts like a .bat script or .cmd or a .com script. I've also seen the value of 2, and the value of 2 doesn't include the scripts; it'll just block access to the command prompt.

Now, when I say access to the command prompt, I mean opening up cmd.exe, or typing in "command prompt" to open this big spooky black box that you have on your system, or you could be typing in commands like, okay, whoami, or dir to get a file system output, or copy files or move files or delete files. You have shell access to the machine. This is super-duper handy for the bad guys that are trying to do malicious stuff. You might also use this as a system administrator trying to do your job. So I note this: okay, you can toggle this on when you're trying to board up the windows and defend yourself, and you can toggle it off so you still have access to the command prompt if you're trying to do any other power-user or sysadmin thing, because this can kind of be circumvented by opening up commands within PowerShell, or Visual Basic Script creating a WScript object, etc. So again, this isn't a foolproof, bulletproof solution. It's just a band-aid thing that you can do. I don't mean to encourage or enforce this as an actual security measure; it's just a thing that might trip someone up if they haven't encountered it before.

So let me walk through this, right? I'm going to close out of this command prompt and I'm going to grab this registry key location. I'm going to fire up PowerShell, or my Windows Terminal in this case, because that'll start it for me. Okay, so I want to try and set this registry value with the reg command, that old-school cmd.exe command, and I'll use that reg add syntax. If you don't know the parameters, the arguments to reg add, you can check out the help with the forward slash question mark (reg add /?), and you can see the syntax that this requires is, okay, reg add, of course, and then the key name that we want to work with, the value name that we saw, which was that DisableCMD, the type that we need, so REG_DWORD as the syntax here for that 32-bit value, and then /d for the data that we actually want to set.

So I will go ahead and reg add and I'll paste in that location here. We'll specify /v with the value of DisableCMD, the type will be REG_DWORD for that 32-bit value, and I'm going to specify /d for the data. Now, as I mentioned, I'm going to set this to the value 2 to showcase that not blocking scripts, or .bat or .cmd or .com. Now, when you run this, if you're running in a low-privilege or unescalated or unelevated command prompt or PowerShell, you'll get access denied, because you need to be an administrator so you can actually modify the registry. So I'm going to copy this whole syntax here and I'll close out this window and I'll open up PowerShell or Windows Terminal one more time with Ctrl+Shift+Enter, so that way I can actually open it as an administrator. Now, when I run this command, if I whack Enter here, it says "The operation completed successfully." Great.

So if I were to try and open up that cmd.exe or command prompt now, I'll get the notification: "The command prompt has been disabled by your administrator." Awesome, super cool, that's what we wanted. Now, when I set this with that registry value of 2, it's not foolproof. So let's say I was still in PowerShell, right? So I could type in cmd and I could try and interact with cmd interactively, like spawn the shell, and that will give me the notification, the error that it's been disabled by your administrator. The gimmick here: when you have the registry value set to the value 2, you could still do things like cmd /c to try and run a command inline or pass it as an argument to cmd. Let me type in whoami and you'll still get that value out; you'll still actually run that command. And maybe I could, okay, just echo a batch or cmd variable so you trust me and believe me that I am in fact running within cmd, not just PowerShell for some reason interpreting that. I'll get a value of 0. Okay, so those percent symbols there indicate that's a real cmd.exe or batch value. That's good to know, because we are kind of circumventing that "Hey, the command prompt has been disabled by your administrator."

Now, I noticed this and I thought, that's weird, it's not really disabling the command prompt. So I thought, all right, let me do a little bit more Googling. I'm going to search "cmd help", and I noticed it here in the Microsoft documentation. So hopping over to this web page, you can see some other information or other things that cmd can do. When I just ran that /c argument or that parameter, it'll carry out the command specified by the string, or whatever value we pass following the /c, and then it'll exit or stop. If I were to use that /k, it would carry out the command and then try to continue and open cmd naturally. I'll show you that: if I were to use cmd /k whoami, I'll get John as the output of the whoami command, and then it'll try and continue to open cmd.exe interactively, and I'll get that "command prompt has been disabled by your administrator" error. Interesting.

Another interesting thing that I found while I was looking through this is that there's this thing called cmd AutoRun commands. Now, you might have noticed it in that /d argument: it'll disable the execution of AutoRun commands. So let me show you these AutoRun commands, because if you scroll down the documentation, it tells you a little bit about it. If you don't specify that /d in the string, cmd.exe will look for the following registry subkeys. There's a local machine setting and a current user setting, where there's an AutoRun value set to REG_EXPAND_SZ, or like a little string. So you could set a command to run as you start up the command prompt, and it's set with this AutoRun value name and this REG_EXPAND_SZ type. So let me show you that; this is kind of interesting and peculiar. I'm going to get back into my PowerShell here and I'll run that reg add command, pasting in this Command Processor registry location. And I pasted that twice, sorry. The AutoRun is the actual value here and that REG_EXPAND_SZ is the type. So let me break up that command: I'll use that /t to specify the type, and I'll use that /v to specify AutoRun being the value, and I'll specify the data here. In this case I'm going to set this to something interesting; you could set it to, like, date. Okay, cool, whatsoever. reg add HKCU ... Microsoft ... oh, that has a space in it, so I need to put quotes around the Command Processor key; that space is going to trip up the processing of that command. So if I set this to date now, I would be able to run, okay, cmd /c whoami, and it actually tells me the date. It's executing the date command before it even ran whoami.

Let me exit out of that. Now, if I were to change this to simply exit, that's going to force that command prompt to never actually run, right? So if I try to run cmd, I don't even get the banner anymore, or that message "Hey, the command prompt has been disabled." Now it just tries to open up cmd.exe and then immediately closes. So if I try to open cmd interactively, the window doesn't even show up, or at least it does and then it closes itself so quickly you don't even notice it. That way I can't run that cmd /c whoami, because exit is going to run before the command, and now I've completely nerfed cmd.exe.

However, we did note that that /d argument that we read in this documentation here will ignore the execution of these AutoRun commands, or the value that we set in this registry key. So I could use cmd /c /d whoami, and whoami is still erroring? Oh, I should actually specify that beforehand; that's kind of the gimmick: cmd /d /c whoami. There we go, because /d needs to know to do that and not process those AutoRun commands before trying to execute something. There we go. The gimmick here is that, sure, you can still run commands even with this /c if you don't include this AutoRun value. If you do include this AutoRun value, you'll need to specify /d for it to actually be able to execute the command within command prompt. This is all in the scenario where you have set that DisableCMD value to 2. You don't even have to worry about this if you were to set it to 1, and that's kind of neat, right?

So let me go back to that command where I set the HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System DisableCMD value, all the way down to 1. That already exists, so we can overwrite it. If you don't want to see that notification, you can specify that /f and that will force that registry tweak. There we go, now the operation completed successfully. If I were to try and invoke cmd, I'll get "The command prompt has been disabled by your administrator" again. I'm invoking cmd interactively, so we knew that wasn't going to be an issue, but if I were to use that /c whoami, we still get that banner, "The command prompt has been disabled by your administrator." So, cool, we've stopped and blocked the access to cmd /c, which you might actually see sometimes, often, in malware stagers or some droppers that will try and invoke commands through command prompt. So that could theoretically actually stop that. But obviously I'm still running commands within PowerShell; that hasn't been disabled or nerfed. We could do it in Visual Basic Script if we really wanted to. But it is neat that this has just, okay, stopped the execution of batch scripts or other scripts, and let me prove that to you.

Let me do a notepad script.bat, how about that? Yep, let's go ahead and create the file. I'm just going to do an @echo off and then try and run echo Hello, I am running from a batch script. Save that. Good. I realized that wasn't extremely easy to see. Okay, trying .\script.bat to execute it will still give us that error: "The command prompt has been disabled by your administrator."

So the takeaway: if you use this registry tweak, make sure you set that to 1 and not 2. If you see some of those articles or blog posts that recommend, hey, try and use that value 2, note that it can still be circumvented with cmd /c, which I think is actually kind of common in some malware stagers or droppers. So having that actually set is good. Now, again, I keep mentioning this and I keep adding this disclaimer, because this is not a real security feature. It's not enforcing any other defense, because it can be circumvented.

Let me show you Visual Basic Script. "Visual Basic Script run command," simply Google that, and there is SS64 that has a fine example. You can run an external command if you have a Shell object, and that's invoked by creating a WScript.Shell object. They have an example here where they create a Shell object, creating it through WScript, and you can see that's again WScript.Shell, and then you can run something like notepad.exe or whoami or anything else, and that will still execute. You're still running those commands; you just aren't invoking cmd.exe. So that's a thing that will happen, right?

Let me notepad script.vbs. We'll create that, paste that command in there, and I'm going to close out all of my Notepad windows, all of the Notepad programs that I'm running right now, so there's no Notepad whatsoever. And if I were to try and run that script.vbs, it opens up Notepad, because we've run that command. I could change this to, like, calc.exe to prove that we're still running the command and we don't need an argument to pass to that. So let me do that one more time. And it probably doesn't know where calc.exe is. I think it got renamed in Windows 10 to, like, Calculator or something. Or is that still a thing? It is still a thing. Maybe it's not in Windows, maybe it's in C:\Windows\System32 or a different location. This is where I kind of go off the rails. C:\Windows\System32\calc. There we go. Okay. Yeah, it's in System32, not just Windows.

Okay, sorry, kind of went off on a tangent there, but we still cannot run cmd /c, like execute malware or anything, when we have that registry value DisableCMD set to a value of 1. So that might be handy, and obviously you can toggle that off if you're running within PowerShell or another means to actually execute commands. But 2, when we have that set, will allow you to run things inline with /c.

Oh, and we still have that AutoRun enabled, so we could remove that if we wanted to. Let me go do that real quick: Command Processor, we can delete, because that is set to exit currently. Remove those arguments. Yep, we'll delete it. Now trying to run whoami, it will execute, because we have this state DisableCMD set to 2. Setting it to 1 will not allow us to pass things in with /c or /k. So that is what we want if we actually want to board up the windows and nerf command prompt. Again, I say all this with the disclaimer: not a real security measure or enforcement, it's just some trick that you can do to maybe temporarily board up the windows, although it can be kind of worked around in other ways.

So this has been a longer video than it needed to be, but thanks so much for tuning in, everybody. I really hope you enjoyed this. Maybe it's kind of cool to see some, quote-unquote, defensive protective measures, but I hope it was fun, and I appreciate you hanging out with me. So thanks so much, everybody. I'll see you in the next video. Take care.
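An added example that scripts the walkthrough above in PowerShell; it is my code, not something from the video or from the articles it shows. It sets DisableCMD to each of the three values, then repeats the value-2 case with AutoRun=exit planted, and for every state probes the entry points discussed (cmd /c, cmd /d /c, cmd /k, a .bat file, and a WScript.Shell launch) to report which ones still run whoami. The registry locations are the documented ones for the policy value and for cmd.exe's AutoRun lookup; the function names and the temporary .bat are constructed for this demo. It assumes an elevated session (HKCU\Software\Policies is not writable by a standard user) and a throwaway test box, since it changes live policy before putting it back.

```powershell
# Added example (not from the video): exercise DisableCMD and AutoRun from an
# elevated PowerShell session and report which cmd.exe entry points still execute.
#Requires -RunAsAdministrator

$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Windows\System'  # DisableCMD lives here
$AutoRunKey = 'HKCU:\Software\Microsoft\Command Processor'        # AutoRun lives here (HKLM has a twin)

function Set-DisableCmd {
    param([ValidateSet(0, 1, 2)][int]$Value)
    # 0 = enabled; 1 = interactive cmd AND .bat/.cmd blocked; 2 = interactive cmd only
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name 'DisableCMD' -Value $Value -Type DWord
}

function Remove-DisableCmd {
    # Deleting the value is the same state as 0.
    Remove-ItemProperty -Path $PolicyKey -Name 'DisableCMD' -ErrorAction SilentlyContinue
}

function Set-CmdAutoRun([string]$Command) {
    # Runs before anything else every time cmd.exe starts, unless /d is given.
    New-Item -Path $AutoRunKey -Force | Out-Null
    Set-ItemProperty -Path $AutoRunKey -Name 'AutoRun' -Value $Command -Type ExpandString
}

function Remove-CmdAutoRun {
    Remove-ItemProperty -Path $AutoRunKey -Name 'AutoRun' -ErrorAction SilentlyContinue
}

function Test-CmdEntryPoints {
    # One row per launch path; Executed is true only if whoami's output came back.
    # We key on the username rather than the banner text, which is localized.
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.ToLower()
    $bat = Join-Path $env:TEMP 'disablecmd-probe.bat'   # constructed for this demo
    Set-Content -Path $bat -Value "@echo off`r`nwhoami" -Encoding ASCII

    $probes = [ordered]@{
        'cmd /c whoami'    = @('/c', 'whoami')
        'cmd /d /c whoami' = @('/d', '/c', 'whoami')      # /d skips AutoRun
        'cmd /k whoami'    = @('/k', 'whoami')            # would stay interactive if allowed
        'cmd /c probe.bat' = @('/c', $bat)
    }
    $rows = foreach ($label in $probes.Keys) {
        $cmdArgs = $probes[$label]
        # Feed 'exit' on stdin so neither a surviving interactive cmd nor the
        # policy banner's "Press any key" prompt can hang the probe.
        $out = ('exit' | & cmd.exe $cmdArgs) -join ' '
        [pscustomobject]@{ Probe = $label; Executed = $out.ToLower().Contains($me) }
    }

    # The VBS-style bypass from the video: WScript.Shell launches the program
    # directly, so cmd.exe and its policy check are never involved.
    $sh  = New-Object -ComObject WScript.Shell
    $out = $sh.Exec('whoami').StdOut.ReadAll()
    $rows += [pscustomobject]@{ Probe = 'WScript.Shell Exec whoami'; Executed = $out.ToLower().Contains($me) }
    $rows
}

# Walk the states from the video and collect one table.
$report = foreach ($v in 0, 2, 1) {
    Set-DisableCmd -Value $v
    Test-CmdEntryPoints | Select-Object @{n = 'State'; e = { "DisableCMD=$v" } }, Probe, Executed
}

# The AutoRun twist on value 2: AutoRun=exit kills cmd /c, but /d sidesteps it.
Set-DisableCmd -Value 2
Set-CmdAutoRun 'exit'
$report += Test-CmdEntryPoints | Select-Object @{n = 'State'; e = { 'DisableCMD=2 + AutoRun=exit' } }, Probe, Executed

# Put the test box back the way it was before printing.
Remove-CmdAutoRun
Remove-DisableCmd
$report | Format-Table -AutoSize
```

Read the table by row: with DisableCMD=1 every cmd.exe path reports Executed=False while the WScript.Shell row stays True, which is the "still bypassable from PowerShell or VBS" point the video keeps making; with DisableCMD=2 the /c, /k and .bat rows stay True; and in the AutoRun=exit state only the /d probe (and the WScript one) still succeeds. Swap $PolicyKey and $AutoRunKey to their HKLM: equivalents if you want the machine-wide versions the documentation mentions.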