Transcript PowerShell Security Best Practices

POWERSHELL SECURITY
BEST PRACTICES
Lee Holmes | @Lee_Holmes
Principal SDE |Windows PowerShell | Microsoft
ABOUT ME

Security geek

Developer on the Windows PowerShell team since V1

Author of the Windows PowerShell Cookbook, PowerShellCookbook.com, and
Windows PowerShell Pocket Reference

@Lee_Holmes & leeholmes.com/blog
POWERSHELL THE SHELL
OPERATIONAL SECURITY

What about Execution Policy?

PowerShell Remoting

Scripts  Executables

Dealing with Forensics
POWERSHELL THE SHELL
OPERATIONAL SECURITY – EXECUTION POLICY
POWERSHELL THE SHELL
OPERATIONAL SECURITY – EXECUTION POLICY
Not a user restriction
Not a magical form of Antimalware
POWERSHELL THE SHELL
OPERATIONAL SECURITY – POWERSHELL REMOTING
You
Remoting
Host
Understanding the Double-Hop problem
Authentication: Kerberos vs. CredSSP – Pass the Hash?
Accessing Remote Resources
Files
POWERSHELL THE SHELL
OPERATIONAL SECURITY – SCRIPTS  EXECUTABLES
Moving to Post-Exploitation defense
“I want to secure my system against C++ attacks”
Making sense of holistic system lockdown
POWERSHELL THE SHELL
OPERATIONAL SECURITY – DEALING WITH FORENSICS
@HackingDave
@ObscureSec / @Mattifestation
“Living off the Land”
@JosephBialek
“Reflective DLL Injection”
POWERSHELL THE SHELL
OPERATIONAL SECURITY – DEALING WITH FORENSICS
Preventing unrestricted admin access
System-wide Transcripts
Automatic Module logging
Detecting attacks on mitigations
POWERSHELL THE LANGUAGE
SCRIPTING SECURITY

Script Encryption / Obfuscation

Avoiding Code Injection

Avoiding Hard-Coded Secrets
POWERSHELL THE LANGUAGE
SCRIPTING SECURITY - SCRIPT ENCRYPTION / OBFUSCATION
POWERSHELL THE LANGUAGE
SCRIPTING SECURITY - SCRIPT ENCRYPTION / OBFUSCATION
Answer: Don’t.
POWERSHELL THE LANGUAGE
SCRIPTING SECURITY - PREVENTING CODE INJECTION
When dealing with dynamic commands or
parameters, it’s common to fall back to old
programming practices: system(), eval(), exec()
Maybe Invoke-Expression?
POWERSHELL THE LANGUAGE
SCRIPTING SECURITY – AVOIDING CODE INJECTION
POWERSHELL THE LANGUAGE
SCRIPTING SECURITY – AVOIDING CODE INJECTION
Parameters support variables
Commands support splatting
Invocation supports indirection
POWERSHELL THE LANGUAGE
SCRIPTING SECURITY – AVOIDING CODE INJECTION
But I REALLY need to!
POWERSHELL THE LANGUAGE
SCRIPTING SECURITY – AVOIDING CODE INJECTION
But I REALLY need to!
POWERSHELL THE LANGUAGE
SCRIPTING SECURITY - AVOIDING HARD-CODED SECRETS
Data protection through Windows’
Data Protection API (DPAPI)
POWERSHELL THE LANGUAGE
SCRIPTING SECURITY - AVOIDING HARD-CODED SECRETS
Export / Import CliXml
ConvertFrom / ConvertTo SecureString
RESOURCES

Reflective DLL Loading with PowerShell:
http://www.youtube.com/watch?v=OAd68_SYQc8

Living off the Land:
http://www.youtube.com/watch?v=j-r6UonEkUw

Get-Help about_Group_Policy_Settings
http://technet.microsoft.com/en-us/library/jj149004.aspx

Constrained PowerShell Endpoints
http://www.youtube.com/watch?v=kmjJLKlL1Wg

PowerShell Language Specification:
http://www.microsoft.com/en-us/download/details.aspx?id=36389

Composing Command Arguments:
http://www.powershellcookbook.com/recipe/XoMw/run-programs-scripts-and-existingtools