PowerShell V5 & V7
Windows
Hardening
Militärische Härtung für zivile Infrastruktur. Anti-Telemetrie. Anti-Forensik. Zero-Trust Networking. Wir entfernen den Verrat aus dem Betriebssystem.
Bei bedarf kann die DNS unter "Netzwerkverbindungen Anzeigen" geändert werden. Setze dort für maximale Sicherheit
Mullvad 194.242.2.2 und Fallback 9.9.9.9 Quad9
Blockiert Malware, Pishing, Tracking etc.
HEURISTIK-WARNUNG:
Aufgrund der tiefgreifenden System-Optimierungen wird dieser Download von Browsern oft fälschlicherweise als "schädlich" markiert.
Maximale Transparenz: Der gesamte Prozess ist auf GitHub auditiert und einsehbar.
Operational Risk Advisory
Dieses Protokoll greift tief in die Windows-Kernel-Logik ein. Es entfernt Komfortfunktionen (OneDrive, Xbox, Cloud-Sync) zugunsten von Sicherheit. Ausführung nur in PowerShell (Administrator).
Wichtige Information
Um die maximale Sicherheit im System zu erreichen, sollte die Festplatte mittels Veracrypt verschlüsselt werden. Nutze dafür AES mit Twofish oder für paranoiden Schutz AES+Twofish+Serpent (min. 20 Zeichen) und PIM über 500.
00
Bloatware Exorcism
Powershell 5
Phase 0: Die Säuberung
Ein sauberes System ist ein sicheres System. Wir entfernen vorinstallierte Adware, Spiele und unnötige UWP-Apps. Dies reduziert die Angriffsfläche massiv.
POWERSHELL (ADMIN)
# Liste der Bloatware (Erweitert für Consumer-Editionen) $Bloatware = @( "Microsoft.XboxApp", "Microsoft.XboxGamingOverlay", "Microsoft.XboxIdentityProvider", "Microsoft.XboxSpeechToTextOverlay", "Microsoft.MicrosoftSolitaireCollection", "Microsoft.ZuneMusic", "Microsoft.ZuneVideo", "Microsoft.BingNews", "Microsoft.BingWeather", "Microsoft.GetHelp", "Microsoft.Getstarted", "Microsoft.Messaging", "Microsoft.Microsoft3DViewer", "Microsoft.People", "Microsoft.SkypeApp", "Microsoft.YourPhone", "Microsoft.WindowsFeedbackHub", "Microsoft.Windows.Photos", "Microsoft.WindowsCamera", "Microsoft.Wallet", "Microsoft.OneConnect", "Microsoft.MixedReality.Portal", "Microsoft.549981C3F5F10" # Cortana ) # 1. Entfernung für den aktuellen User foreach ($App in $Bloatware) { Get-AppxPackage -AllUsers *$App* | Remove-AppxPackage -ErrorAction SilentlyContinue Write-Host "[-] $App (User) entfernt." } # 2. Entfernung aus dem System-Image (Verhindert Wiederkehr bei neuen Usern) foreach ($App in $Bloatware) { Get-AppxProvisionedPackage -Online | Where-Object { $_.DisplayName -like "*$App*" } | Remove-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue Write-Host "[-] $App (System) terminiert." } Write-Host "[+++] EXORCISM COMPLETE." -ForegroundColor Green
01
Telemetry Deep Kill
Powershell 5
Phase 1: Das Schweigen (v2.0)
Standard-Methoden (Hosts-Datei) sind obsolet, da Microsoft Hardcoded-IPs nutzt. Dieses Skript führt einen Service Hard Kill durch, löscht die Selbstheilungs-Tasks (Scheduled Tasks) und isoliert Telemetrie-Binaries via Firewall-Blockade auf Layer 7.
POWERSHELL (ADMIN)
# 1. SERVICE HARD KILL & LOCKDOWN $Services = @("DiagTrack", "dmwappushservice", "WerSvc", "OneSyncSvc", "wercplsupport", "PcaSvc") foreach ($S in $Services) { Stop-Service $S -Force -ErrorAction SilentlyContinue Set-Service $S -StartupType Disabled -ErrorAction SilentlyContinue } # 2. SCHEDULED TASK PURGE (IMMUNE SYSTEM KILL) $TaskPaths = @("\Microsoft\Windows\Application Experience", "\Microsoft\Windows\Customer Experience Improvement Program", "\Microsoft\Windows\Feedback", "\Microsoft\Windows\Diagnosis") foreach ($Path in $TaskPaths) { Get-ScheduledTask -TaskPath $Path -ErrorAction SilentlyContinue | Disable-ScheduledTask -ErrorAction SilentlyContinue } # 3. REGISTRY ENFORCEMENT $RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" if (!(Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null } Set-ItemProperty -Path $RegPath -Name "AllowTelemetry" -Value 0 -Force $SearchPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search" if (!(Test-Path $SearchPath)) { New-Item -Path $SearchPath -Force | Out-Null } Set-ItemProperty -Path $SearchPath -Name "AllowCortana" -Value 0 -Force Set-ItemProperty -Path $SearchPath -Name "DisableWebSearch" -Value 1 -Force # 4. FIREWALL BINARY BLOCK (REAL KILL) $Binaries = @("$env:windir\System32\CompatTelRunner.exe", "$env:windir\System32\DeviceCensus.exe") foreach ($Bin in $Binaries) { New-NetFirewallRule -DisplayName "BLOCK_TELEMETRY" -Direction Outbound -Program $Bin -Action Block -ErrorAction SilentlyContinue | Out-Null }
Visual Engine Shutdown
Powershell 5
Phase 1.5: APEX V5 - Total Desktop Control
Status: V5 Protocol. Windows nutzt Spotlight nicht nur für Bilder, sondern als Einfallstor für die "Web Experience Engine" (Widgets, Edge-Sidebar, Bing-Suche). Dieses Skript geht tiefer als normale Tweaks: 1. Es tötet die Widget-Engine und Edge-Integrationen. 2. Es entfernt injizierte Desktop-Icons (CLSID) physisch aus dem Explorer-Namespace. 3. Es erzwingt einen Wallpaper-Reset auf API-Ebene (C# Injection), um Sperren zu umgehen.
POWERSHELL (ADMIN) - APEX V5 ENGINE KILL
# 1. INITIALISIERUNG $ErrorActionPreference = "Stop" $LogPrefix = "[APEX-V5]" function Write-Log ($Message, $Color="Cyan") { Write-Host "$LogPrefix $Message" -ForegroundColor $Color } function Set-RegistryValue { param($Path, $Name, $Value, $Type="DWord") try { if (!(Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null } Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type -Force | Out-Null Write-Log " >> REG SET: $Name = $Value" "Green" } catch { Write-Log " >> REG ERROR: $($_.Exception.Message)" "Red" } } # Admin Check (Critical for V5) $CurrentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()) if (-not $CurrentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { Write-Log "FATAL: DIESES SKRIPT BENÖTIGT ADMIN-RECHTE FÜR POLICY-UPDATES." "Red" Write-Log "Bitte Rechtsklick -> 'Mit PowerShell als Administrator ausführen'." "Red" exit } Clear-Host Write-Log "INITIALISIERE ENGINE-SHUTDOWN (V5)..." "Magenta" # --------------------------------------------------------- # 2. EDGE & SEARCH ENGINE KILL (DAS "RECHTE FENSTER") # --------------------------------------------------------- Write-Log "DEAKTIVIERE EDGE SIDEBAR & BING INTEGRATION..." "Yellow" # Edge Policies (Verhindert das Aufpoppen der Sidebar/Suche) $RegEdge = "HKLM:\SOFTWARE\Policies\Microsoft\Edge" Set-RegistryValue -Path $RegEdge -Name "HubsSidebarEnabled" -Value 0 Set-RegistryValue -Path $RegEdge -Name "StandaloneHubsSidebarEnabled" -Value 0 Set-RegistryValue -Path $RegEdge -Name "DefaultSearchProviderContextMenuAccessAllowed" -Value 0 # Windows Search Policies (Verhindert Web-Suche im System) $RegSearch = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search" Set-RegistryValue -Path $RegSearch -Name "AllowSearchToUseLocation" -Value 0 Set-RegistryValue -Path $RegSearch -Name "DisableWebSearch" -Value 1 Set-RegistryValue -Path $RegSearch -Name "ConnectedSearchUseWeb" -Value 0 # --------------------------------------------------------- # 3. WIDGETS & EXPERIENCE PACK (DIE ENGINE) # --------------------------------------------------------- Write-Log "DEAKTIVIERE WIDGETS ENGINE (WEB EXPERIENCE)..." "Yellow" $RegDsh = "HKLM:\SOFTWARE\Policies\Microsoft\Dsh" Set-RegistryValue -Path $RegDsh -Name "AllowNewsAndInterests" -Value 0 # Killt das Widget-Board # --------------------------------------------------------- # 4. CLSID AMPUTATION (DAS DESKTOP ICON) # --------------------------------------------------------- Write-Log "SUCHE NACH INJIZIERTEN DESKTOP-OBJEKTEN (CLSID)..." "Yellow" $SpotlightGUID = "{2cc5ca98-6485-489a-920e-b3e88a6ccce3}" $DesktopNamespacePath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\$SpotlightGUID" if (Test-Path $DesktopNamespacePath) { try { Remove-Item -Path $DesktopNamespacePath -Force -Recurse Write-Log " [!!!] CLSID ENTFERNT: Icon physisch gelöscht." "Green" } catch { Write-Log "FEHLER BEIM ENTFERNEN DER CLSID: $($_.Exception.Message)" "Red" } } # --------------------------------------------------------- # 5. REGISTRY KILL SWITCHES (SPOTLIGHT) # --------------------------------------------------------- Write-Log "VERRIEGLE CONTENT DELIVERY MANAGER..." "Yellow" $RegCDM = "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" Set-RegistryValue -Path $RegCDM -Name "RotatingLockScreenEnabled" -Value 0 Set-RegistryValue -Path $RegCDM -Name "RotatingLockScreenOverlayEnabled" -Value 0 Set-RegistryValue -Path $RegCDM -Name "RotatingDesktopEnabled" -Value 0 Set-RegistryValue -Path $RegCDM -Name "ContentDeliveryAllowed" -Value 0 Set-RegistryValue -Path $RegCDM -Name "SilentInstalledAppsEnabled" -Value 0 # Cloud Content Policies $RegCloud = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent" Set-RegistryValue -Path $RegCloud -Name "DisableWindowsSpotlightFeatures" -Value 1 Set-RegistryValue -Path $RegCloud -Name "DisableWindowsConsumerFeatures" -Value 1 # --------------------------------------------------------- # 6. WALLPAPER HARD RESET (API LEVEL) # --------------------------------------------------------- Write-Log "ERZWINGE WALLPAPER-RESET..." "Red" $WinWall = "$env:SystemRoot\Web\Wallpaper\Windows\img0.jpg" if (!(Test-Path $WinWall)) { $WinWall = Get-ChildItem -Path "$env:SystemRoot\Web\Wallpaper" -Recurse -Filter "*.jpg" | Select-Object -First 1 -ExpandProperty FullName } if ($WinWall) { # C# API Injection $Code = @' [DllImport("user32.dll", EntryPoint = "SystemParametersInfo")] public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); '@ try { $SPI = Add-Type -MemberDefinition $Code -Name "Win32SPI_V5" -Namespace Win32Functions -PassThru $SPI::SystemParametersInfo(20, 0, $WinWall, 3) | Out-Null Write-Log " >> WALLPAPER ERZWUNGEN: $WinWall" "Green" } catch { Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "Wallpaper" -Value $WinWall -Force } } # --------------------------------------------------------- # 7. PROCESS TERMINATION & RESTART # --------------------------------------------------------- Write-Log "KILL PROCESSES (EDGE, WIDGETS, SEARCH)..." "Red" Stop-Process -Name "msedge" -Force -ErrorAction SilentlyContinue Stop-Process -Name "Widgets" -Force -ErrorAction SilentlyContinue Stop-Process -Name "SearchHost" -Force -ErrorAction SilentlyContinue Write-Log "STARTE EXPLORER NEU..." "Cyan" Stop-Process -Name "explorer" -Force Start-Sleep -Seconds 2 if (!(Get-Process -Name "explorer" -ErrorAction SilentlyContinue)) { Start-Process "explorer.exe" } Write-Log "SYSTEM BEREINIGT. DIE ENGINE IST DEAKTIVIERT." "Green"
02
Perimeter Lockdown
Powershell 5
Phase 2: Protocol Sterilization & Default Deny
Wir bauen eine digitale Festung. Zuerst töten wir geschwätzige Legacy-Protokolle (LLMNR, NetBIOS), die Identitätsdaten im LAN leaken. Danach wird JEDE ausgehende Verbindung blockiert. Erlaubt werden nur lebensnotwendige Systemfunktionen (DNS, DHCP, NTP, HTTPS). Alles andere muss explizit genehmigt werden.
POWERSHELL (ADMIN) - PERIMETER DEFENSE
# 1. PROTOCOL STERILIZATION (ANTI-SNIFFING) # Deaktiviert LLMNR & NetBIOS (verhindert Credential-Leak im LAN) Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -Value 0 -Force Get-ChildItem "HKLM:SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" | ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name "NetbiosOptions" -Value 2 -Force } # 2. GLOBAL LOCKDOWN (DEFAULT DENY) # Blockiert ALLES, was nicht explizit erlaubt ist. Set-NetFirewallProfile -Profile Domain,Public,Private -DefaultOutboundAction Block # 3. SURVIVAL RULES (INFRASTRUKTUR) # Ohne diese Regeln hast du kein Internet und keine Zeit-Sync. $Rules = @( @{N="APEX-DNS-UDP"; P="UDP"; RP=53}, # Namensauflösung @{N="APEX-DNS-TCP"; P="TCP"; RP=53}, # DNS Fallback @{N="APEX-DHCP"; P="UDP"; LP=68; RP=67}, # IP-Zuweisung @{N="APEX-NTP"; P="UDP"; RP=123}, # Zeit-Synchronisation @{N="APEX-WEB-HTTP"; P="TCP"; RP=80}, # Web Basic @{N="APEX-WEB-HTTPS"; P="TCP"; RP=443} # Web Secure ) foreach ($R in $Rules) { $Params = @{DisplayName=$R.N; Direction="Outbound"; Protocol=$R.P; Action="Allow"} if ($R.RP) { $Params.Add("RemotePort", $R.RP) } if ($R.LP) { $Params.Add("LocalPort", $R.LP) } New-NetFirewallRule @Params -ErrorAction SilentlyContinue | Out-Null } # ENDE ALLOW RULES # 4. TELEMETRY BINARY BLOCK (LAYER 7 KILL) # Die ultimative Absicherung: Diese Binaries werden namentlich gesperrt. # Das überschreibt selbst versehentlich geöffnete Ports. $Binaries = @( "$env:windir\System32\CompatTelRunner.exe", # Compatibility Telemetry "$env:windir\System32\DeviceCensus.exe" # Device Census ) foreach ($Bin in $Binaries) { New-NetFirewallRule -DisplayName "BLOCK_TELEMETRY" -Direction Outbound -Program $Bin -Action Block -ErrorAction SilentlyContinue | Out-Null }
App Whitelist Templates
Pfade können je nach Installation variieren. Prüfen Sie den Zielort!
STANDARD APPS (OFFICE, BROWSER, MESSENGER)
# --- BROWSER & MAIL ---
New-NetFirewallRule -DisplayName "ALLOW-FIREFOX" -Direction Outbound -Program "${env:ProgramFiles}\Mozilla Firefox\firefox.exe" -Action Allow
New-NetFirewallRule -DisplayName "ALLOW-THUNDERBIRD" -Direction Outbound -Program "${env:ProgramFiles}\Mozilla Thunderbird\thunderbird.exe" -Action Allow
# --- OFFICE SUITE (Pfade anpassen!) ---
$OfficePath = "${env:ProgramFiles}\Microsoft Office\root\Office16"
New-NetFirewallRule -DisplayName "ALLOW-WORD" -Direction Outbound -Program "$OfficePath\WINWORD.EXE" -Action Allow
New-NetFirewallRule -DisplayName "ALLOW-EXCEL" -Direction Outbound -Program "$OfficePath\EXCEL.EXE" -Action Allow
New-NetFirewallRule -DisplayName "ALLOW-POWERPOINT" -Direction Outbound -Program "$OfficePath\POWERPNT.EXE" -Action Allow
New-NetFirewallRule -DisplayName "ALLOW-ONENOTE" -Direction Outbound -Program "$OfficePath\ONENOTE.EXE" -Action Allow
# --- TOOLS ---
New-NetFirewallRule -DisplayName "ALLOW-NOTEPAD++" -Direction Outbound -Program "${env:ProgramFiles}\Notepad++\notepad++.exe" -Action Allow
New-NetFirewallRule -DisplayName "ALLOW-ADOBE-READER" -Direction Outbound -Program "${env:ProgramFiles}\Adobe\Acrobat DC\Acrobat\Acrobat.exe" -Action Allow
# --- COMMUNICATION (STANDARD EXE) ---
New-NetFirewallRule -DisplayName "ALLOW-TELEGRAM" -Direction Outbound -Program "$env:APPDATA\Telegram Desktop\Telegram.exe" -Action Allow
New-NetFirewallRule -DisplayName "ALLOW-SIGNAL" -Direction Outbound -Program "$env:LOCALAPPDATA\Programs\signal-desktop\Signal.exe" -Action Allow
New-NetFirewallRule -DisplayName "ALLOW-DISCORD" -Direction Outbound -Program "$env:LOCALAPPDATA\Discord\Update.exe" -Action Allow
New-NetFirewallRule -DisplayName "ALLOW-ZOOM" -Direction Outbound -Program "$env:APPDATA\Zoom\bin\Zoom.exe" -Action Allow
New-NetFirewallRule -DisplayName "ALLOW-TEAMS" -Direction Outbound -Program "$env:LOCALAPPDATA\Microsoft\Teams\current\Teams.exe" -Action Allow
New-NetFirewallRule -DisplayName "ALLOW-SKYPE" -Direction Outbound -Program "${env:ProgramFiles(x86)}\Microsoft\Skype for Desktop\Skype.exe" -Action Allow
# --- WHATSAPP (DESKTOP EXE) ---
# Für die Store-Version (UWP) ist ein anderer Befehl nötig! Dies ist für die Web-Download Version.
New-NetFirewallRule -DisplayName "ALLOW-WHATSAPP" -Direction Outbound -Program "$env:LOCALAPPDATA\WhatsApp\WhatsApp.exe" -Action Allow
03
Ghost Protocol
Phase 3: Anti-Forensics & Shadow Kill
Ein Geist hinterlässt keine Spuren. Wir deaktivieren Angriffsvektoren (SMBv1, LLMNR). Dieses Skript vernichtet Bypass, Responder, Tunneling, (Fernzugriff) und mehr. Warnung: Remotedesktop wird permanent deaktiviert.
POWERSHELL (ADMIN) - FORENSIC WIPE
# 1. LATERAL MOVEMENT KILL (LLMNR & NetBIOS) # Verhindert "Responder"-Angriffe im LAN Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -Value 0 -Force Get-ChildItem "HKLM:SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" | ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name "NetbiosOptions" -Value 2 -Force } # 2. LEGACY PROTOCOL PURGE (SMBv1 & Tunnels) Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "SMB1" -Value 0 -Force Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart -ErrorAction SilentlyContinue # Kill IPv6 Tunneling (Bypass Vector) netsh interface teredo set state disabled netsh interface isatap set state disabled netsh interface 6to4 set state disabled # 3. REMOTE ACCESS TERMINATION # Deaktiviert RDP (Remote Desktop) und Remote Assistance Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1 -Force Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance" -Name "fAllowToGetHelp" -Value 0 -Force
04
Defender God Mode
Powershell 5
Phase 4: Zero Tolerance & ASR Complete
Status: Paranoid Security. Standard-Schutz ist für Zivilisten. Wir aktivieren den "God Mode". Dieses Skript schaltet die Cloud-Heuristik auf "Zero Tolerance" (Unbekannt = Blockiert), aktiviert ALLE Attack Surface Reduction Rules (inkl. LSASS-Schutz) und verriegelt Ordner gegen Ransomware.
POWERSHELL (ADMIN) - GOD MODE ENABLE
# --------------------------------------------------------- # APEX OMEGA PROTOCOL - DEFENDER GOD_MODE (PARANOID SECURITY) # Härtet Microsoft Defender, Firewall und Exploit Guard auf das absolute Maximum. # --------------------------------------------------------- # 1. INITIALISIERUNG $ErrorActionPreference = "Stop" $LogPrefix = "[OMEGA-FORTRESS]" function Write-Log ($Message, $Color="Cyan") { Write-Host "$LogPrefix $Message" -ForegroundColor $Color } # Admin Check $CurrentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()) if (-not $CurrentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { Write-Log "FATAL: ADMIN-RECHTE ERFORDERLICH." "Red" exit } Clear-Host Write-Log "INITIALISIERE DEFENDER GOD_MODE..." "Magenta" # --------------------------------------------------------- # 2. HEURISTIK & CLOUD (ZERO TOLERANCE) # --------------------------------------------------------- Write-Log "KONFIGURIERE AGGRESSIVE HEURISTIK..." "Yellow" # MAPS (Microsoft Advanced Protection Service) Beitritt erzwingen für schnellen Cloud-Abgleich Set-MpPreference -MAPSReporting Advanced Set-MpPreference -SubmitSamplesConsent SendSafeSamples # Cloud Block Level: 6 = Zero Tolerance (Blockiert alles Unbekannte) # 2 = High, 4 = HighPlus, 6 = ZeroTolerance Set-MpPreference -CloudBlockLevel 6 Set-MpPreference -CloudExtendedTimeout 50 # Potentially Unwanted Applications (Adware, Cryptominer, Bundler) Set-MpPreference -PUAProtection Enabled # Network Protection (SmartScreen für ALLES, nicht nur Edge) Set-MpPreference -EnableNetworkProtection Enabled # Scans für Wechseldatenträger erzwingen Set-MpPreference -DisableRemovableDriveScanning 0 Set-MpPreference -DisableArchiveScanning 0 # --------------------------------------------------------- # 3. ATTACK SURFACE REDUCTION (THE COMPLETE KILL LIST) # --------------------------------------------------------- Write-Log "AKTIVIERE SÄMTLICHE ASR-REGELN (BLOCK MODE)..." "Red" # Vollständige Liste der ASR GUIDs (Stand 2025) $ASR_Rules = @{ "Block abuse of exploited vulnerable signed drivers" = "56a863a9-875e-4185-98a7-b882c64b5ce5"; "Block Adobe Reader from creating child processes" = "7674ce52-37eb-4751-a02f-8e00ca252d60"; "Block all Office applications from creating child processes" = "d4f940ab-401b-4efc-aadc-ad5f3c50688a"; "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"; "Block executable content from email client and webmail" = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550"; "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" = "01443614-9b74-4270-a5db-e0883af26276"; "Block execution of potentially obfuscated scripts" = "5beb7efe-fd9a-4556-801d-275e5ffc04cc"; "Block JavaScript or VBScript from launching downloaded executable content" = "d3e037e1-3eb8-44c8-a917-57927947596d"; "Block Office applications from creating executable content" = "3b576869-a4ec-4529-8536-b80a7769e899"; "Block Office applications from injecting code into other processes" = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84"; "Block Office communication application from creating child processes" = "26190899-1602-49e8-8b27-eb1d0a1ce869"; "Block persistence through WMI event subscription" = "e6db77e5-3dde-48c5-9d5b-c63729d70845"; "Block process creations originating from PSExec and WMI commands" = "d1e49aac-8f56-4280-b9ba-993a6d77406c"; "Block untrusted and unsigned processes that run from USB" = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4"; "Block Win32 API calls from Office macros" = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b"; "Use advanced protection against ransomware" = "c1db55ab-c21a-4637-bb3f-a12568109d35" } foreach ($RuleName in $ASR_Rules.Keys) { $ID = $ASR_Rules[$RuleName] try { Add-MpPreference -AttackSurfaceReductionRules_Ids $ID -AttackSurfaceReductionRules_Actions Enabled -ErrorAction Stop Write-Log " >> ASR ACTIVE: $RuleName" "Green" } catch { Write-Log " >> ASR ERROR: $RuleName ($ID)" "DarkGray" } } # --------------------------------------------------------- # 4. RANSOMWARE SCHUTZ (CONTROLLED FOLDER ACCESS) # --------------------------------------------------------- Write-Log "AKTIVIERE SCHREIB-SPERRE FÜR DOKUMENTE..." "Yellow" # Schützt User-Ordner vor Änderungen durch nicht-whitelisted Apps Set-MpPreference -EnableControlledFolderAccess Enabled # --------------------------------------------------------- # 5. FIREWALL HARDENING # --------------------------------------------------------- Write-Log "HÄRTE WINDOWS FIREWALL..." "Cyan" $Profiles = @("Domain", "Public", "Private") foreach ($Profile in $Profiles) { # Blockiert eingehende Verbindungen, die nicht explizit erlaubt sind Set-NetFirewallProfile -Name $Profile -Enabled True -DefaultInboundAction Block # Logging aktivieren (Dropped Packets sehen) Set-NetFirewallProfile -Name $Profile -LogFileName "$env:systemroot\system32\LogFiles\Firewall\pfirewall_$Profile.log" -LogMaxSizeKilobytes 4096 -LogBlocked True -LogAllowed False } Write-Log "------------------------------------------------" "Cyan" Write-Log "APEX OMEGA PROTOCOL: FORTRESS MODE AKTIV." "Green" Write-Log "HINWEIS: Unbekannte .exe Dateien werden nun aggressiv blockiert." "Yellow" Write-Log "HINWEIS: 'Controlled Folder Access' muss ggf. manuell für Spiele erlaubt werden." "Yellow" Write-Log "------------------------------------------------" "Cyan"
Gatekeeper Protocol
Powershell 5
Phase Freedom: Temporary Access Control
Status: Interactive Shell. Wenn der "God Mode" ein Spiel oder Update blockiert, nutze nicht die Windows-Einstellungen. Nutze den Gatekeeper.
Dieses Skript öffnet die Luftschleuse kontrolliert (Schilde runter), hält die Verbindung offen, bis du fertig bist (Warteschleife), und erzwingt danach sofort wieder den Fortress Mode (Zero Tolerance).
POWERSHELL (ADMIN) - GATEKEEPER
<# .SYNOPSIS APEX OMEGA PROTOCOL - GATEKEEPER (TEMPORARY ACCESS) Öffnet temporär die Sicherheits-Schleusen für Installationen/Updates und verriegelt das System danach wieder hermetisch. #> $ErrorActionPreference = "Stop" # Farben für Output $ColorGreen = "Green" $ColorRed = "Red" $ColorYellow = "Yellow" $ColorCyan = "Cyan" function Print-Banner { Clear-Host Write-Host "==============================================" -ForegroundColor $ColorCyan Write-Host " APEX OMEGA: GATEKEEPER INTERFACE " -ForegroundColor $ColorCyan Write-Host "==============================================" -ForegroundColor $ColorCyan Write-Host "" } # 1. Admin Check $CurrentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()) if (-not $CurrentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { Write-Host "FATAL: KEINE ADMIN-RECHTE." -ForegroundColor $ColorRed Write-Host "Bitte Rechtsklick -> 'Mit PowerShell ausführen'" -ForegroundColor $ColorRed Start-Sleep -Seconds 5 exit } Print-Banner # --------------------------------------------------------- # PHASE 1: SCHILDE SENKEN # --------------------------------------------------------- Write-Host "[STATUS] SYSTEM WIRD ENRIEGELT..." -ForegroundColor $ColorYellow try { # Cloud Level normalisieren (Standard Windows Level) Set-MpPreference -CloudBlockLevel 0 Write-Host " >> CLOUD SCANNER: NORMALISIERT (Level 0)" -ForegroundColor $ColorYellow # Ransomware Schutz temporär aus Set-MpPreference -EnableControlledFolderAccess Disabled Write-Host " >> ORDNER-SCHUTZ: DEAKTIVIERT (Schreiben erlaubt)" -ForegroundColor $ColorYellow # Netzwerk Schutz auf Audit (Beobachten statt Blocken) Set-MpPreference -EnableNetworkProtection AuditMode Write-Host " >> NETZWERK-GUARD: AUDIT MODE" -ForegroundColor $ColorYellow # PUA auf Audit Set-MpPreference -PUAProtection AuditMode Write-Host " >> PUA-ERKENNUNG: AUDIT MODE" -ForegroundColor $ColorYellow } catch { Write-Host "FEHLER BEIM SENKEN DER SCHILDE: $($_.Exception.Message)" -ForegroundColor $ColorRed Read-Host "Drücke Enter zum Beenden..." exit } # --------------------------------------------------------- # PHASE 2: WARTE-SCHLEIFE # --------------------------------------------------------- Write-Host "" Write-Host "==============================================" -ForegroundColor $ColorRed Write-Host " WARNUNG: SCHILDE SIND UNTEN (DEFCON 5) " -ForegroundColor $ColorRed Write-Host "==============================================" -ForegroundColor $ColorRed Write-Host "" Write-Host "1. Führe jetzt deine Installation / dein Spiel aus." -ForegroundColor $ColorGreen Write-Host "2. Wenn alles fertig ist, komme hierher zurück." -ForegroundColor $ColorGreen Write-Host "" $null = Read-Host "Drücke [ENTER] um die Schilde wieder hochzufahren (LOCKDOWN)" # --------------------------------------------------------- # PHASE 3: RE-INITIALISIERUNG (FORTRESS MODE) # --------------------------------------------------------- Print-Banner Write-Host "[STATUS] RE-INITIALISIERUNG DER SICHERHEITSPROTOKOLLE..." -ForegroundColor $ColorCyan try { # Cloud Level auf PARANOID Set-MpPreference -CloudBlockLevel 6 Write-Host " >> CLOUD SCANNER: ZERO TOLERANCE (Level 6)" -ForegroundColor $ColorGreen # Ransomware Schutz AN Set-MpPreference -EnableControlledFolderAccess Enabled Write-Host " >> ORDNER-SCHUTZ: AKTIV (BLOCK MODE)" -ForegroundColor $ColorGreen # Netzwerk Schutz AN Set-MpPreference -EnableNetworkProtection Enabled Write-Host " >> NETZWERK-GUARD: AKTIV (BLOCK MODE)" -ForegroundColor $ColorGreen # PUA AN Set-MpPreference -PUAProtection Enabled Write-Host " >> PUA-ERKENNUNG: AKTIV (BLOCK MODE)" -ForegroundColor $ColorGreen # Kurzer Check der ASR Regeln (Sicherstellen, dass sie aktiv bleiben) # Wir setzen hier exemplarisch eine kritische Regel neu, um den Status zu forcieren Add-MpPreference -AttackSurfaceReductionRules_Ids "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" -AttackSurfaceReductionRules_Actions Enabled Write-Host " >> ASR REGELWERK: VERIFIZIERT" -ForegroundColor $ColorGreen } catch { Write-Host "FATALER FEHLER BEIM RE-AKTIVIEREN: $($_.Exception.Message)" -ForegroundColor $ColorRed Write-Host "BITTE SYSTEM NEUSTARTEN UM STANDARD WIEDERHERZUSTELLEN." -ForegroundColor $ColorRed Read-Host "Enter..." exit } Write-Host "" Write-Host "==============================================" -ForegroundColor $ColorGreen Write-Host " SYSTEMSTATUS: FORTRESS (SECURE) " -ForegroundColor $ColorGreen Write-Host "==============================================" -ForegroundColor $ColorGreen Start-Sleep -Seconds 2
TOTAL ISOLATION
Powershell 5
Phase Exodus: Windows Update & Ping Kill
⚠️ WARNUNG: IRREVERSIBLE ISOLATION
Dieses Protokoll ist die "Nuclear Option". Es deaktiviert nicht nur Telemetrie, sondern zerstört den Windows Update Dienst (Medic & Orchestrator) und leitet Microsoft-Server ins Leere (Null-Routing).
KONSEQUENZEN:
1. Keine Sicherheits-Updates mehr.
2. Microsoft Store funktioniert nicht mehr.
3. Rückgängig machen erfordert manuelle Registry-Eingriffe.
Benutzung auf eigene Gefahr. Du bist jetzt dein eigener Sicherheits-Admin.
POWERSHELL (ADMIN) - SILENCE PROTOCOL
# --------------------------------------------------------- # APEX OMEGA PROTOCOL - WINDOWS SILENCE (TOTAL ISOLATION) # Blockiert sämtliche Telemetrie, Datenübertragung und Windows-Updates. # --------------------------------------------------------- # 1. INITIALISIERUNG $ErrorActionPreference = "Stop" $LogPrefix = "[OMEGA-SILENCE]" function Write-Log ($Message, $Color="Cyan") { Write-Host "$LogPrefix $Message" -ForegroundColor $Color } function Set-RegistryValue { param($Path, $Name, $Value, $Type="DWord") try { if (!(Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null } Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type -Force | Out-Null Write-Log " >> REG SET: $Name = $Value" "Green" } catch { Write-Log " >> REG ERROR: $($_.Exception.Message)" "Red" } } function Kill-Service { param($Name) try { $Service = Get-Service -Name $Name -ErrorAction SilentlyContinue if ($Service) { if ($Service.Status -ne "Stopped") { Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue } # Versuch 1: Standard Set-Service -Name $Name -StartupType Disabled -ErrorAction SilentlyContinue Write-Log " >> SERVICE NEUTRALISIERT: $Name" "Green" } } catch { Write-Log " >> SERVICE LOCK DETECTED: $Name (Erzwinge Registry-Override...)" "Yellow" } # Versuch 2: Registry Hard-Kill (Für Medic Service notwendig, da oft geschützt) $RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" if (Test-Path $RegPath) { Set-RegistryValue -Path $RegPath -Name "Start" -Value 4 } } # Admin Check $CurrentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()) if (-not $CurrentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { Write-Log "FATAL: ADMIN-RECHTE ERFORDERLICH. STARTE ALS ADMINISTRATOR NEU." "Red" exit } Clear-Host Write-Log "INITIALISIERE DIGITALE ISOLATION..." "Magenta" # --------------------------------------------------------- # 2. UPDATE ENGINE LOBOTOMY # --------------------------------------------------------- Write-Log "DEAKTIVIERE WINDOWS UPDATE INFRASTRUKTUR..." "Red" # WICHTIG: Die Reihenfolge ist entscheidend. Erst Orchestrator und Medic töten. Kill-Service "WaaSMedicSvc" # Windows Update Medic Service (Der "Heiler") Kill-Service "UsoSvc" # Update Orchestrator (Der "Planer") Kill-Service "wuauserv" # Windows Update Core Kill-Service "bits" # Background Intelligent Transfer Kill-Service "dosvc" # Delivery Optimization (P2P Updates) # Registry Policies (Der "Policy Hammer") $RegAU = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" $RegWU = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" # NoAutoUpdate = 1 (Deaktiviert automatische Updates komplett) Set-RegistryValue -Path $RegAU -Name "NoAutoUpdate" -Value 1 # AUOptions = 2 (Benachrichtigen vor Download - falls manuell gesucht wird) Set-RegistryValue -Path $RegAU -Name "AUOptions" -Value 2 # Verbindungen blockieren Set-RegistryValue -Path $RegWU -Name "DoNotConnectToWindowsUpdateInternetLocations" -Value 1 Set-RegistryValue -Path $RegWU -Name "ExcludeWUDriversInQualityUpdate" -Value 1 # --------------------------------------------------------- # 3. TELEMETRY DECAPITATION # --------------------------------------------------------- Write-Log "NEUTRALISIERE TELEMETRIE-SENSOREN..." "Yellow" # Dienste Kill-Service "DiagTrack" # Connected User Experiences and Telemetry Kill-Service "dmwappushservice" # Device Management Wireless Application Protocol Kill-Service "WerSvc" # Windows Error Reporting Kill-Service "PcaSvc" # Program Compatibility Assistant # Registry Policies $RegData = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" # AllowTelemetry = 0 (Security Level - Minimum) Set-RegistryValue -Path $RegData -Name "AllowTelemetry" -Value 0 Set-RegistryValue -Path $RegData -Name "DoNotShowFeedbackNotifications" -Value 1 # Application Inventory deaktivieren $RegAppCompat = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat" Set-RegistryValue -Path $RegAppCompat -Name "AITEnable" -Value 0 Set-RegistryValue -Path $RegAppCompat -Name "DisableInventory" -Value 1 # --------------------------------------------------------- # 4. SCHEDULER PURGE (GEPLANTE SPIONAGE) # --------------------------------------------------------- Write-Log "LÖSCHE GEPLANTE TELEMETRIE-TASKS..." "Cyan" $Tasks = @( "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser", "\Microsoft\Windows\Application Experience\ProgramDataUpdater", "\Microsoft\Windows\Application Experience\StartupAppTask", "\Microsoft\Windows\Autochk\Proxy", "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator", "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip", "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector", "\Microsoft\Windows\Maintenance\WinSAT", "\Microsoft\Windows\Media Center\ActivateWindowsSearch", "\Microsoft\Windows\Windows Error Reporting\QueueReporting" ) foreach ($TaskPath in $Tasks) { try { $TaskExists = Get-ScheduledTask -TaskPath $TaskPath.Split('\')[0..($TaskPath.Split('\').Count-2)] -TaskName $TaskPath.Split('\')[-1] -ErrorAction SilentlyContinue if ($TaskExists) { Disable-ScheduledTask -TaskName $TaskPath.Split('\')[-1] -ErrorAction SilentlyContinue | Out-Null Write-Log " >> TASK DEAKTIVIERT: $TaskPath" "Green" } } catch { Write-Log " >> TASK NICHT GEFUNDEN ODER ZUGRIFF VERWEIGERT: $TaskPath" "DarkGray" } } # --------------------------------------------------------- # 5. NETWORK NULL-ROUTING (HOSTS & FIREWALL) # --------------------------------------------------------- Write-Log "SCHREIBE HOSTS-DATEI (DNS SINKHOLE)..." "Magenta" $HostsPath = "$env:windir\System32\drivers\etc\hosts" $BlockedDomains = @( "v10.events.data.microsoft.com", "v20.events.data.microsoft.com", "browser.pipe.aria.microsoft.com", "settings-win.data.microsoft.com", "watson.telemetry.microsoft.com", "telemetry.microsoft.com", "telemetry.urs.microsoft.com", "oca.telemetry.microsoft.com", "oca.telemetry.microsoft.com.nsatc.net", "sqm.telemetry.microsoft.com", "sqm.telemetry.microsoft.com.nsatc.net" ) # Backup erstellen if (!(Test-Path "$HostsPath.bak")) { Copy-Item $HostsPath "$HostsPath.bak" Write-Log " >> HOSTS BACKUP ERSTELLT." "Green" } try { $CurrentContent = Get-Content $HostsPath -Raw $NewContent = $CurrentContent $Additions = $false foreach ($Domain in $BlockedDomains) { if ($CurrentContent -notmatch $Domain) { $Entry = "`n0.0.0.0 $Domain" $NewContent += $Entry $Additions = $true Write-Log " >> HOSTS ENTRY ADDED: $Domain" "Green" } } if ($Additions) { Set-Content -Path $HostsPath -Value $NewContent -Force } else { Write-Log " >> HOSTS BEREITS OPTIMIERT." "Yellow" } } catch { Write-Log " >> ERROR WRITING HOSTS: $($_.Exception.Message)" "Red" } # --------------------------------------------------------- # 6. FINAL CLEANUP & REPORT # --------------------------------------------------------- Write-Log "------------------------------------------------" "Cyan" Write-Log "APEX OMEGA PROTOCOL ABGESCHLOSSEN." "Green" Write-Log "SYSTEMSTATUS: ISOLIERT." "Green" Write-Log "WARNUNG: REBOOT ERFORDERLICH, UM GESPERRTE SERVICES (MEDIC) ZU ENTLADEN." "Red" Write-Log "------------------------------------------------" "Cyan" # Optional: Cache leeren Write-Log "BEREINIGE DNS CACHE..." "Yellow" Clear-DnsClientCache
05
App Liberation
Phase 5: Store Bypass
LTSC-Systeme haben keinen Microsoft Store. Das ist ein Feature, kein Bug.
Um dennoch moderne Apps (WhatsApp, Netflix, etc.) zu nutzen, injizieren wir signierte .appx / .msixbundle Pakete direkt in den Kernel.
Quelle: store.rg-adguard.net (Generiert Direkt-Links von MS-Servern).
POWERSHELL (ADMIN)
# Installiert ein heruntergeladenes Paket Add-AppxPackage -Path "C:\Users\DeinUser\Downloads\AppPackage.msixbundle"
5.1
Developer Integrity
Phase 5.1: GodMode & Compiler Safety
Für Programmierer und Architekten. Wir aktivieren den versteckten "Ultimate Performance" Plan für maximale CPU-Taktraten (latenzfrei). Zusätzlich erstellen wir den GodMode Ordner für direkten Kernel-Zugriff und definieren eine Defender-Exclusion-Zone auf dem Desktop, damit Compiler und Skripte nicht blockiert werden.
POWERSHELL (ADMIN)
# 1. Ultimate Performance Plan aktivieren powercfg -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61 # 2. GodMode Ordner auf Desktop erstellen (Admin-Dashboard) New-Item -Path "$env:USERPROFILE\Desktop\GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}" -ItemType Directory -Force # 3. Dev-Bunker erstellen (Sicherer Hafen für Code) $DevPath = "$env:USERPROFILE\Desktop\Dev_Bunker" if (!(Test-Path $DevPath)) { New-Item -Path $DevPath -ItemType Directory -Force } # 4. Defender-Ausnahme setzen (Verhindert False-Positives bei Compilern) Add-MpPreference -ExclusionPath $DevPath Write-Host "[!] $DevPath ist nun eine Defender-freie Zone." -ForegroundColor Yellow
06
Protocol Zero Powershell 5
Phase 6: Forensic Sterilization
"Burn After Reading". Verhindert forensische Wiederherstellung. Deaktiviert Fast Boot (für VeraCrypt Integrität), löscht RAM beim Shutdown und tötet Schattenkopien. ACHTUNG: Unwiderruflich.
WARNUNG: DESTRUKTIVE BEFEHLE
# 1. FAST BOOT KILL (Zwingend für VeraCrypt/Encryption) Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power" -Name "HiberbootEnabled" -Value 0 # 2. PAGEFILE CLEANUP (Löscht RAM-Auslagerung beim Shutdown) Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" -Name "ClearPageFileAtShutdown" -Value 1 # 3. FORENSIK KILL (Löscht alle Schattenkopien/Snapshots) vssadmin delete shadows /all /quiet Set-Service -Name "VSS" -StartupType Disabled Write-Host "[!!!] PROTOCOL ZERO EXECUTED. SYSTEM STERILIZED." -ForegroundColor Red