PowerShell Security Best Practices
POWERSHELL SECURITY
BEST PRACTICES
Lee Holmes | @Lee_Holmes
Principal SDE |Windows PowerShell | Microsoft
ABOUT ME
Security geek
Developer on the Windows PowerShell team since V1
Author of the Windows PowerShell Cookbook, PowerShellCookbook.com, and Windows PowerShell Pocket Reference
@Lee_Holmes & leeholmes.com/blog
POWERSHELL THE SHELL
OPERATIONAL SECURITY
What about Execution Policy?
PowerShell Remoting
Scripts Executables
Dealing with Forensics
POWERSHELL THE SHELL
OPERATIONAL SECURITY – EXECUTION POLICY
Not a user restriction
Not a magical form of Antimalware
POWERSHELL THE SHELL
OPERATIONAL SECURITY – POWERSHELL REMOTING
[Diagram: You → Remoting Host]
Understanding the Double-Hop problem
Authentication: Kerberos vs. CredSSP – Pass the Hash?
Accessing Remote Resources
Files
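The double-hop problem and the Kerberos-versus-CredSSP trade-off, as an added example that is not from the slides. It assumes a remoting host named SERVER01, a file server named FILESERVER exposing \\FILESERVER\Logs, and a workstation user who already holds Kerberos tickets for SERVER01; the names are placeholders.

```powershell
# Added example (not from the slides). Assumed names: SERVER01 (remoting host),
# FILESERVER (second hop), share \\FILESERVER\Logs.

# Hop 1 works: your Kerberos ticket authenticates you to SERVER01.
Invoke-Command -ComputerName SERVER01 -ScriptBlock { hostname }

# Hop 2 fails: SERVER01 only holds a ticket proving who you are *to SERVER01*.
# It has nothing it can present to FILESERVER on your behalf, so the share
# access runs without your identity and ends in "Access is denied".
Invoke-Command -ComputerName SERVER01 -ScriptBlock {
    Get-ChildItem -Path '\\FILESERVER\Logs'
}

# Option A (preferred): supply an explicit credential for the second hop only.
# It travels to SERVER01 inside the encrypted remoting channel and is used for
# nothing but that one drive mapping; SERVER01 never gets a delegable logon.
$cred = Get-Credential -Message 'Account allowed to read \\FILESERVER\Logs'
Invoke-Command -ComputerName SERVER01 -ScriptBlock {
    New-PSDrive -Name Logs -PSProvider FileSystem -Root '\\FILESERVER\Logs' `
                -Credential $using:cred | Out-Null
    Get-ChildItem -Path 'Logs:\'
}

# Option B (use sparingly): CredSSP. This hands your full, reusable credential
# to SERVER01, so a compromised SERVER01 now owns it. If you must, delegate to
# named hosts only, never to '*'.
# Enable-WSManCredSSP -Role Client -DelegateComputer SERVER01 -Force   # on the workstation
# Enable-WSManCredSSP -Role Server -Force                              # on SERVER01
Invoke-Command -ComputerName SERVER01 -Authentication Credssp -Credential $cred -ScriptBlock {
    Get-ChildItem -Path '\\FILESERVER\Logs'
}
```

Option A needs PowerShell 3.0 or later for the `$using:` scope modifier. The defender's question for option B is simply which hosts you are willing to trust with a reusable copy of an admin credential; that list is usually shorter than the list of hosts you remote into.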
POWERSHELL THE SHELL
OPERATIONAL SECURITY – SCRIPTS EXECUTABLES
Moving to Post-Exploitation defense
“I want to secure my system against C++ attacks”
Making sense of holistic system lockdown
POWERSHELL THE SHELL
OPERATIONAL SECURITY – DEALING WITH FORENSICS
@HackingDave
@ObscureSec / @Mattifestation
“Living off the Land”
@JosephBialek
“Reflective DLL Injection”
POWERSHELL THE SHELL
OPERATIONAL SECURITY – DEALING WITH FORENSICS
Preventing unrestricted admin access
System-wide Transcripts
Automatic Module logging
Detecting attacks on mitigations
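Configuring the two logging mitigations named above and checking that they are still in place, as an added example that is not from the slides. It writes the policy registry values behind the "Turn on PowerShell Transcription" and "Turn on Module Logging" Group Policy settings; the transcription policy key exists from PowerShell 5.0 onward, module logging from 3.0. The output directory C:\PSTranscripts is an assumed value, and the script must run elevated.

```powershell
# Added example (not from the slides). Assumed: elevated prompt, PowerShell 5.0+,
# C:\PSTranscripts as the transcript directory.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. System-wide transcripts: every session in every host application, with an
#    invocation header so each command carries a timestamp.
$t = "$base\Transcription"
New-Item -Path $t -Force | Out-Null
Set-ItemProperty -Path $t -Name EnableTranscripting    -Value 1 -Type DWord
Set-ItemProperty -Path $t -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path $t -Name OutputDirectory        -Value 'C:\PSTranscripts' -Type String

# 2. Automatic module logging for every module ('*'): pipeline execution
#    details are written to Microsoft-Windows-PowerShell/Operational as event 4103.
$m = "$base\ModuleLogging"
New-Item -Path "$m\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $m -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$m\ModuleNames" -Name '*' -Value '*' -Type String

# 3. Detecting attacks on the mitigation: someone who wants to work quietly
#    will try to flip these values back. Re-check them on a schedule and alert
#    when a host that should be logging has gone silent.
function Test-PowerShellLogging {
    $ok = $true
    $tr = Get-ItemProperty -Path $t -ErrorAction SilentlyContinue
    if ($tr.EnableTranscripting -ne 1) {
        Write-Warning 'System-wide transcription is disabled'; $ok = $false
    }
    $ml = Get-ItemProperty -Path $m -ErrorAction SilentlyContinue
    if ($ml.EnableModuleLogging -ne 1) {
        Write-Warning 'Module logging is disabled'; $ok = $false
    }
    # Configuration can look right while the log is starved; confirm that
    # 4103 events are actually still arriving.
    $recent = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4103
        StartTime = (Get-Date).AddHours(-1)
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $recent) {
        Write-Warning 'No module logging events in the last hour'; $ok = $false
    }
    return $ok
}

Test-PowerShellLogging
```

Forward the transcript directory and the Operational log off the box; a local-only record is exactly what an attacker with admin rights can edit or delete after the fact.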
POWERSHELL THE LANGUAGE
SCRIPTING SECURITY
Script Encryption / Obfuscation
Avoiding Code Injection
Avoiding Hard-Coded Secrets
POWERSHELL THE LANGUAGE
SCRIPTING SECURITY - SCRIPT ENCRYPTION / OBFUSCATION
Answer: Don’t.
POWERSHELL THE LANGUAGE
SCRIPTING SECURITY - PREVENTING CODE INJECTION
When dealing with dynamic commands or parameters, it’s common to fall back to old programming practices: system(), eval(), exec(). Maybe Invoke-Expression?
POWERSHELL THE LANGUAGE
SCRIPTING SECURITY – AVOIDING CODE INJECTION
Parameters support variables
Commands support splatting
Invocation supports indirection
POWERSHELL THE LANGUAGE
SCRIPTING SECURITY – AVOIDING CODE INJECTION
But I REALLY need to!
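The three safe techniques listed above (variables in parameters, splatting, indirect invocation) beside the Invoke-Expression anti-pattern, plus a validated fallback for the "I really need to" case, as one added example that is not from the slides. `$untrusted` stands in for any string that arrives from outside the script; the hostile value below is constructed and deliberately harmless. The fallback uses the `CheckRestrictedLanguage` method of `System.Management.Automation.ScriptBlock`; the allow-lists passed to it are assumptions for the example.

```powershell
# Added example (not from the slides). Constructed hostile input: a valid path
# followed by a second statement.
$untrusted = 'C:\Windows\notepad.exe; Write-Host "INJECTED: this ran as you" -ForegroundColor Red'

# --- Vulnerable: the string is parsed as code, so ';' starts a new statement.
Invoke-Expression "Get-Item -Path $untrusted"        # the Write-Host runs

# --- Safe 1: parameters take variables. The whole string is one path value,
#     which here simply does not exist.
Get-Item -Path $untrusted -ErrorAction SilentlyContinue

# --- Safe 2: splatting. Build the parameter set as data, never as text.
$params = @{ Path = $untrusted; ErrorAction = 'SilentlyContinue' }
Get-Item @params

# --- Safe 3: indirection. The command name is dynamic, but it is resolved as a
#     command name, not parsed as a statement. Check it against an allow-list.
$commandName = 'Get-Item'
$allowed     = 'Get-Item', 'Get-ChildItem'
if ($commandName -in $allowed) {
    & (Get-Command $commandName) @params
}

# --- "But I really need to": accept script text only after validating it.
#     CheckRestrictedLanguage throws a ParseException if the text uses any
#     command or variable outside the lists you pass, and restricted language
#     also rules out script blocks, assignments, method calls and property
#     references, so the allowed script can only be a plain pipeline.
function Invoke-RestrictedScript {
    param([string] $Text)
    $sb = [ScriptBlock]::Create($Text)
    $sb.CheckRestrictedLanguage(
        [string[]] @('Get-Item', 'Get-ChildItem'),   # allowed commands (assumed list)
        [string[]] @(),                              # no variables allowed
        $false)                                      # no environment variables
    & $sb
}

Invoke-RestrictedScript 'Get-ChildItem C:\Windows -Filter *.exe'   # passes
Invoke-RestrictedScript "Get-Item $untrusted"                      # ParseException: Write-Host not allowed
```

The ordering is the point: reach for variables first, splatting second, indirection third, and treat `Invoke-RestrictedScript` as the exception you have to justify, not the default.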
POWERSHELL THE LANGUAGE
SCRIPTING SECURITY - AVOIDING HARD-CODED SECRETS
Data protection through Windows’ Data Protection API (DPAPI)
POWERSHELL THE LANGUAGE
SCRIPTING SECURITY - AVOIDING HARD-CODED SECRETS
Export / Import CliXml
ConvertFrom / ConvertTo SecureString
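Both DPAPI round-trips named above, as an added example that is not from the slides: a full credential through Export/Import-Clixml, and a bare secret through ConvertFrom/ConvertTo-SecureString. The file paths under C:\Secrets, the account CONTOSO\svc-backup and the host SERVER01 are assumed names.

```powershell
# Added example (not from the slides). Assumed paths and names: C:\Secrets\,
# CONTOSO\svc-backup, SERVER01.

# --- The anti-pattern: anyone who can read the script owns the account.
# $password = 'P@ssw0rd!'     # do not do this

# --- Option 1: a whole PSCredential through CliXml. The password member is a
#     SecureString, which Export-Clixml protects with DPAPI under the current
#     user's profile on this machine.
New-Item -ItemType Directory -Path C:\Secrets -Force | Out-Null
Get-Credential -Message 'Service account' | Export-Clixml -Path C:\Secrets\svc-backup.xml

# Later, as the same user on the same machine:
$cred = Import-Clixml -Path C:\Secrets\svc-backup.xml
Invoke-Command -ComputerName SERVER01 -Credential $cred -ScriptBlock { hostname }

# --- Option 2: only the secret. ConvertFrom-SecureString emits a DPAPI blob as
#     text; ConvertTo-SecureString reverses it.
Read-Host -Prompt 'Password' -AsSecureString |
    ConvertFrom-SecureString |
    Set-Content -Path C:\Secrets\svc-backup.pwd

$secure = Get-Content -Path C:\Secrets\svc-backup.pwd | ConvertTo-SecureString
$cred2  = New-Object System.Management.Automation.PSCredential ('CONTOSO\svc-backup', $secure)

# What DPAPI buys you: the files are useless under another account or on
# another machine. Run the line below as a different user and it fails with
# "Key not valid for use in specified state".
# Get-Content C:\Secrets\svc-backup.pwd | ConvertTo-SecureString

# Caveat: -Key / -SecureKey on these cmdlets replace DPAPI with AES under a key
# you supply. That makes the file portable, and turns the key into a new
# hard-coded secret. Prefer DPAPI and run the script as the account that
# created the file (for example the service account in a scheduled task).
```

Note that DPAPI scoping is the feature, not a limitation: a protected blob that only decrypts for one user on one machine is exactly what you want sitting next to a script.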
RESOURCES
Reflective DLL Loading with PowerShell:
http://www.youtube.com/watch?v=OAd68_SYQc8
Living off the Land:
http://www.youtube.com/watch?v=j-r6UonEkUw
Get-Help about_Group_Policy_Settings
http://technet.microsoft.com/en-us/library/jj149004.aspx
Constrained PowerShell Endpoints
http://www.youtube.com/watch?v=kmjJLKlL1Wg
PowerShell Language Specification:
http://www.microsoft.com/en-us/download/details.aspx?id=36389
Composing Command Arguments:
http://www.powershellcookbook.com/recipe/XoMw/run-programs-scripts-and-existingtools