POWERSHELL SECURITY BEST PRACTICES
Lee Holmes | @Lee_Holmes
Principal SDE | Windows PowerShell | Microsoft
ABOUT ME
- Security geek
- Developer on the Windows PowerShell team since V1
- Author of the Windows PowerShell Cookbook, PowerShellCookbook.com, and Windows PowerShell Pocket Reference
- @Lee_Holmes & leeholmes.com/blog
POWERSHELL THE SHELL / OPERATIONAL SECURITY
- What about Execution Policy?
- PowerShell Remoting
- Scripts & Executables
- Dealing with Forensics
POWERSHELL THE SHELL / OPERATIONAL SECURITY – EXECUTION POLICY
- Execution Policy is not a user restriction
- It is not a magical form of antimalware
POWERSHELL THE SHELL / OPERATIONAL SECURITY – POWERSHELL REMOTING
(Diagram: You -> Remoting Host -> Files)
- Understanding the Double-Hop problem
- Authentication: Kerberos vs. CredSSP – Pass the Hash?
- Accessing Remote Resources
POWERSHELL THE SHELL / OPERATIONAL SECURITY – SCRIPTS & EXECUTABLES
- Moving to Post-Exploitation defense
- “I want to secure my system against C++ attacks”
- Making sense of holistic system lockdown
POWERSHELL THE SHELL / OPERATIONAL SECURITY – DEALING WITH FORENSICS
- @HackingDave, @ObscureSec / @Mattifestation: “Living off the Land”
- @JosephBialek: “Reflective DLL Injection”
- Preventing unrestricted admin access
- System-wide Transcripts
- Automatic Module logging
- Detecting attacks on mitigations
POWERSHELL THE LANGUAGE / SCRIPTING SECURITY
- Script Encryption / Obfuscation
- Avoiding Code Injection
- Avoiding Hard-Coded Secrets
POWERSHELL THE LANGUAGE / SCRIPTING SECURITY – SCRIPT ENCRYPTION / OBFUSCATION
- Should you encrypt or obfuscate your scripts? Answer: Don’t.
POWERSHELL THE LANGUAGE / SCRIPTING SECURITY – PREVENTING CODE INJECTION
- When dealing with dynamic commands or parameters, it’s common to fall back on old programming practices: system(), eval(), exec()
- Maybe Invoke-Expression? (PowerShell’s equivalent of eval: it re-parses a string as code)
POWERSHELL THE LANGUAGE / SCRIPTING SECURITY – AVOIDING CODE INJECTION
- Parameters support variables: pass the value as an argument instead of building a command string
- Commands support splatting: pass a hashtable of parameter names and values with @params
- Invocation supports indirection: run a command held in a variable with the call operator (&)
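An added example (not code from the slides) contrasting Invoke-Expression with the three techniques listed above; the function names and the hostile input are constructed for illustration:

```powershell
# Added example, not from the slides: a hypothetical service lookup written
# first with string building + Invoke-Expression, then with the three safe
# techniques the slides list. Function names are illustrative.

# UNSAFE: the caller's value is spliced into command text and re-parsed, so
# any PowerShell syntax inside it (a ';' and a second statement) executes.
function Get-ServiceStatusUnsafe {
    param([string] $Name)
    Invoke-Expression "Get-Service -Name $Name"
}

# SAFE 1: parameters support variables. The value is bound to -Name as a
# single argument; it is never parsed as code.
function Get-ServiceStatus {
    [CmdletBinding()]
    param([string] $Name)
    Get-Service -Name $Name
}

# SAFE 2: commands support splatting. Build the parameter set as a hashtable
# (keys = parameter names, values = data) and pass it with @params.
function Get-ServiceStatusSplat {
    [CmdletBinding()]
    param([string] $Name, [switch] $DependentServices)
    $params = @{ Name = $Name }
    if ($DependentServices) { $params['DependentServices'] = $true }
    Get-Service @params
}

# SAFE 3: invocation supports indirection. The command itself is chosen from
# a fixed allow-list and run with the call operator (&); arguments stay data.
function Invoke-AllowedQuery {
    [CmdletBinding()]
    param([string] $Kind, [string] $Name)
    $allowed = @{ service = 'Get-Service'; process = 'Get-Process' }
    if (-not $allowed.ContainsKey($Kind)) { throw "Unknown query kind: $Kind" }
    & $allowed[$Kind] -Name $Name
}

# Constructed hostile input: a valid service name followed by a second
# statement. Only the Invoke-Expression version re-parses and executes that
# statement; the safe versions treat the whole string as one service name.
$hostile = 'spooler; Write-Host "INJECTED"'
Get-ServiceStatusUnsafe -Name $hostile
Get-ServiceStatus -Name $hostile -ErrorAction SilentlyContinue
Get-ServiceStatusSplat -Name $hostile -ErrorAction SilentlyContinue
Invoke-AllowedQuery -Kind service -Name $hostile -ErrorAction SilentlyContinue
```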
POWERSHELL THE LANGUAGE / SCRIPTING SECURITY – AVOIDING CODE INJECTION
- But I REALLY need to!
POWERSHELL THE LANGUAGE / SCRIPTING SECURITY – AVOIDING HARD-CODED SECRETS
- Data protection through Windows’ Data Protection API (DPAPI)
- Export-CliXml / Import-CliXml (a PSCredential exported this way has its password DPAPI-protected for the current user on the current machine)
- ConvertFrom-SecureString / ConvertTo-SecureString
RESOURCES
- Reflective DLL Loading with PowerShell: http://www.youtube.com/watch?v=OAd68_SYQc8
- Living off the Land: http://www.youtube.com/watch?v=j-r6UonEkUw
- Get-Help about_Group_Policy_Settings: http://technet.microsoft.com/en-us/library/jj149004.aspx
- Constrained PowerShell Endpoints: http://www.youtube.com/watch?v=kmjJLKlL1Wg
- PowerShell Language Specification: http://www.microsoft.com/en-us/download/details.aspx?id=36389
- Composing Command Arguments: http://www.powershellcookbook.com/recipe/XoMw/run-programs-scripts-and-existing-tools