POWERSHELL SECURITY BEST PRACTICES
Lee Holmes | @Lee_Holmes
Principal SDE | Windows PowerShell | Microsoft
ABOUT ME
Security geek
Developer on the Windows PowerShell team since V1
Author of the Windows PowerShell Cookbook, PowerShellCookbook.com, and Windows PowerShell Pocket Reference
@Lee_Holmes & leeholmes.com/blog
POWERSHELL THE SHELL: OPERATIONAL SECURITY
What about Execution Policy?
PowerShell Remoting
Scripts Executables
Dealing with Forensics
POWERSHELL THE SHELL: OPERATIONAL SECURITY – EXECUTION POLICY
Not a user restriction
Not a magical form of Antimalware
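The slide's point in working form, as an added example that is not part of the deck: execution policy is a safety net for operators against accidentally running untrusted scripts, so configure it, sign scripts, and understand its scope precedence. The script name Deploy.ps1 and the presence of an enterprise code-signing certificate are assumptions.

```powershell
# Added example: execution policy as guard rails, not access control.

# The effective policy is the first configured scope in this order:
# MachinePolicy, UserPolicy (both from Group Policy), Process, CurrentUser, LocalMachine.
# Group Policy scopes therefore win over anything set on the command line or by Set-ExecutionPolicy.
Get-ExecutionPolicy -List

# AllSigned on servers: scripts must carry a valid Authenticode signature from a trusted publisher
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# Sign your own scripts (assumes a code-signing certificate from the enterprise PKI is installed)
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
Set-AuthenticodeSignature -FilePath .\Deploy.ps1 -Certificate $cert `
    -TimestampServer 'http://timestamp.digicert.com'   # timestamp keeps the signature valid after cert expiry

# Verify before deployment: Status should be Valid, and the signer should be your PKI
Get-AuthenticodeSignature -FilePath .\Deploy.ps1 | Select-Object Status, StatusMessage, SignerCertificate

# What this does NOT do: it has no effect on commands typed at the prompt, on -Command arguments,
# or on someone who already runs code on the box. Enforcement belongs to AppLocker and
# constrained endpoints; this setting only stops the "double-clicked the wrong .ps1" class of accident.
```

Run `Get-ExecutionPolicy -List` after any Group Policy change: if MachinePolicy shows a value, local and process-scope settings are being overridden, which is the behaviour you want on managed servers.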
POWERSHELL THE SHELL: OPERATIONAL SECURITY – POWERSHELL REMOTING
Diagram: You → Remoting → Host → Files
Understanding the Double-Hop problem
Authentication: Kerberos vs. CredSSP – Pass the Hash?
Accessing Remote Resources
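The double-hop diagram above (You → Remoting → Host → Files) as an added example that is not part of the deck. ServerA and FileServer are placeholder host names; the second option assumes the ActiveDirectory module and Windows Server 2012 or later domain controllers.

```powershell
# Added example: why the second hop fails, and two ways to make it work without CredSSP.

# Your Kerberos ticket gets you to ServerA, but ServerA holds nothing it can present to FileServer
# on your behalf, so the nested network access runs as an anonymous identity and is denied.
Invoke-Command -ComputerName ServerA -ScriptBlock {
    Get-ChildItem \\FileServer\Share      # access denied: this is the double hop
}

# Option 1, no delegation at all: hand the second hop an explicit credential. It travels inside the
# encrypted WinRM session, is used for that one connection, and is not cached on ServerA.
$cred = Get-Credential -Message 'Account with rights on FileServer'
Invoke-Command -ComputerName ServerA -ArgumentList $cred -ScriptBlock {
    param($c)
    New-PSDrive -Name X -PSProvider FileSystem -Root \\FileServer\Share -Credential $c | Out-Null
    Get-ChildItem X:\
    Remove-PSDrive -Name X
}

# Option 2, Kerberos only: resource-based constrained delegation. The resource (FileServer) declares
# which hosts may delegate to it, so the trust is scoped and auditable in AD, and nothing is stored on ServerA.
$serverA = Get-ADComputer -Identity ServerA
Set-ADComputer -Identity FileServer -PrincipalsAllowedToDelegateToAccount $serverA
# ServerA may hold a stale ticket for its own computer account; purge it so the change applies now
Invoke-Command -ComputerName ServerA -ScriptBlock { klist purge -li 0x3e7 }

# What to avoid: CredSSP "solves" the hop by sending your reusable credential to ServerA, where it
# sits in memory for the life of the session. Any credential theft on ServerA then yields your account.
# Enable-WSManCredSSP -Role Client -DelegateComputer ServerA   # not recommended
```

Option 1 is the right fit for ad-hoc work; option 2 is the right fit for a standing workflow, because the delegation is declared on the resource and shows up in a `Get-ADComputer FileServer -Properties PrincipalsAllowedToDelegateToAccount` review.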
POWERSHELL THE SHELL: OPERATIONAL SECURITY – SCRIPTS / EXECUTABLES
Moving to Post-Exploitation defense
“I want to secure my system against C++ attacks”
Making sense of holistic system lockdown
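"Securing against C++ attacks" makes no sense, and neither does a PowerShell-only lockdown while any .exe still runs. As an added example that is not part of the deck, this builds one AppLocker allow-list covering executables and scripts together, starting in audit mode. The directories and the candidate file path are assumptions about a standard image.

```powershell
# Added example: one allow-list policy for executables AND scripts, audited before it is enforced.
Import-Module AppLocker

# Inventory what is already installed in trusted locations (assumed standard image paths)
$files  = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, Script
$files += Get-AppLockerFileInformation -Directory 'C:\Windows'       -Recurse -FileType Exe, Script

# Publisher rules where files are signed, hash rules for the rest; -Optimize collapses duplicates
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -Optimize

# Start every rule collection in AuditOnly: blocks are logged, nothing breaks yet
$policy.RuleCollections | ForEach-Object { $_.EnforcementMode = 'AuditOnly' }

# Ask before applying: would a candidate file run under this policy?
Test-AppLockerPolicy -PolicyObject $policy -Path 'C:\Users\Public\update.ps1' -User Everyone

# Apply locally (for a domain, export with Get-AppLockerPolicy -Xml and deploy via GPO instead)
Set-AppLockerPolicy -PolicyObject $policy -Merge
Start-Service -Name AppIDSvc          # Application Identity service must run for rules to take effect

# Review what would have been blocked before flipping EnforcementMode to 'Enabled'
Get-AppLockerFileInformation -EventLog -EventType Denied, Audited | Select-Object -First 20
```

The Script rule collection is what makes this "holistic": a signed-scripts policy in PowerShell means nothing if the same user can run an unsigned binary, so both collections come from the same inventory and go through the same audit period.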
POWERSHELL THE SHELL: OPERATIONAL SECURITY – DEALING WITH FORENSICS
@HackingDave, @ObscureSec / @Mattifestation: “Living off the Land”
@JosephBialek: “Reflective DLL Injection”
POWERSHELL THE SHELL: OPERATIONAL SECURITY – DEALING WITH FORENSICS
Preventing unrestricted admin access
System-wide Transcripts
Automatic Module logging
Detecting attacks on mitigations
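The four bullets above as an added example that is not part of the deck: a constrained endpoint instead of a full admin shell, module logging and transcription switched on through the documented Group Policy backing keys, and a drift check plus event-log query so that tampering with those mitigations is itself visible. The endpoint name, the transcript directory and the `Test-PowerShellAuditing` function are this example's own; the Transcription key needs PowerShell 5.0, module logging 3.0 or later.

```powershell
# Added example: constrained admin access, system-wide logging, and detection of attacks on both.

# 1. Preventing unrestricted admin access: operators connect to 'ServiceOps' and see only two commands
New-PSSessionConfigurationFile -Path .\ServiceOps.pssc -SessionType RestrictedRemoteServer `
    -VisibleCmdlets 'Get-Service', 'Restart-Service'
Register-PSSessionConfiguration -Name ServiceOps -Path .\ServiceOps.pssc -Force
# Who may connect is an ACL on the endpoint; review it with:
#   Set-PSSessionConfiguration -Name ServiceOps -ShowSecurityDescriptorUI

# 2. System-wide transcripts and automatic module logging (policy keys read by PowerShell itself)
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
function Enable-PowerShellAuditing {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed location
    New-Item -Path "$policyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$policyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$policyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*'   # all modules
    New-Item -Path "$policyRoot\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$policyRoot\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$policyRoot\Transcription" -Name OutputDirectory -Value $TranscriptDir
    New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
}

# 3. Detecting attacks on the mitigations: compare the live keys with what you configured
function Test-PowerShellAuditing {
    $expected = @(
        @{ Path = "$policyRoot\ModuleLogging";             Name = 'EnableModuleLogging'; Value = 1   }
        @{ Path = "$policyRoot\ModuleLogging\ModuleNames"; Name = '*';                   Value = '*' }
        @{ Path = "$policyRoot\Transcription";             Name = 'EnableTranscripting'; Value = 1   }
    )
    foreach ($e in $expected) {
        $key    = Get-Item -Path $e.Path -ErrorAction SilentlyContinue
        $actual = if ($key) { $key.GetValue($e.Name) } else { $null }
        [pscustomobject]@{
            Setting  = "$($e.Path)\$($e.Name)"
            Expected = $e.Value
            Actual   = $actual
            Drift    = ("$actual" -ne "$($e.Value)")   # $true: removed or changed
        }
    }
}

# Module logging records every pipeline as event 4103, including the one that tampered with the keys
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103 } -MaxEvents 500 |
    Where-Object { $_.Message -match 'Policies\\Microsoft\\Windows\\PowerShell' } |
    Select-Object TimeCreated, UserId, Message
```

Run `Enable-PowerShellAuditing` once from an elevated session, then schedule `Test-PowerShellAuditing | Where-Object Drift` on the hosts you care about: an attacker who disables logging to stay quiet produces a drift row, and the 4103 event that preceded it is already in the log, or in your collector if events are forwarded.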
POWERSHELL THE LANGUAGE: SCRIPTING SECURITY
Script Encryption / Obfuscation
Avoiding Code Injection
Avoiding Hard-Coded Secrets
POWERSHELL THE LANGUAGE: SCRIPTING SECURITY – PREVENTING CODE INJECTION
When dealing with dynamic commands or parameters, it’s common to fall back to old programming practices: system(), eval(), exec()
Maybe Invoke-Expression?
POWERSHELL THE LANGUAGE: SCRIPTING SECURITY – AVOIDING CODE INJECTION
Parameters support variables
Commands support splatting
Invocation supports indirection
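The Invoke-Expression fallback from the previous slide beside the three alternatives on this one, as an added example that is not part of the deck. `$userInput` is a constructed input carrying a harmless Write-Host so the injection is visible without doing damage; the function names are this example's own.

```powershell
# Added example: the same file lookup, first built as a string (injectable), then with
# parameters, splatting and indirection (data stays data).

# Constructed input: closes the quoted path, starts a second statement, and re-opens a quote
$userInput = "C:\Windows'; Write-Host 'INJECTED: arbitrary code ran here'; '"

# VULNERABLE: concatenation turns the input into part of the program text
function Get-FilesUnsafe([string]$Path) {
    Invoke-Expression "Get-ChildItem -Path '$Path'"
}
Get-FilesUnsafe $userInput    # lists C:\Windows, then runs the injected Write-Host

# SAFE 1: parameters support variables. The value is bound, never parsed as code.
function Get-FilesSafe([string]$Path) {
    Get-ChildItem -Path $Path  # a path literally named "C:\Windows'; Write-Host ..." does not exist
}
Get-FilesSafe $userInput      # error: cannot find path. No code ran.

# SAFE 2: commands support splatting. Build the parameter set dynamically, not the command line.
function Get-FilesSplat([string]$Path, [string]$Filter, [switch]$Recurse) {
    $params = @{ Path = $Path }
    if ($Filter)  { $params['Filter']  = $Filter }
    if ($Recurse) { $params['Recurse'] = $true }
    Get-ChildItem @params
}
Get-FilesSplat -Path 'C:\Windows' -Filter '*.log' -Recurse

# SAFE 3: invocation supports indirection. Choose the command through an allow list, then call it with &.
function Invoke-Lookup([string]$Kind, [string]$Target) {
    $allowed = @{ files = 'Get-ChildItem'; services = 'Get-Service'; processes = 'Get-Process' }
    if (-not $allowed.ContainsKey($Kind)) { throw "Unknown lookup kind '$Kind'" }
    & $allowed[$Kind] $Target   # $Target is bound positionally as a parameter value
}
Invoke-Lookup -Kind services -Target 'WinRM'
```

The rule is that user data reaches a command as an argument, never as source text; if a requirement genuinely cannot be met that way, it is a design problem to solve, not a reason to reach for Invoke-Expression.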
POWERSHELL THE LANGUAGE: SCRIPTING SECURITY – AVOIDING HARD-CODED SECRETS
Data protection through Windows’ Data Protection API (DPAPI)
POWERSHELL THE LANGUAGE: SCRIPTING SECURITY – AVOIDING HARD-CODED SECRETS
Export / Import CliXml
ConvertFrom / ConvertTo SecureString
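The two slides above worked through, as an added example that is not part of the deck: a credential stored for an unattended script via DPAPI, first with Export-Clixml / Import-Clixml, then by hand with ConvertFrom-SecureString / ConvertTo-SecureString. The file names, the account DOMAIN\svc-backup and the host backup01 are placeholders.

```powershell
# Added example: keeping the password out of the script. DPAPI binds the protected blob to
# this user on this machine, so the file is useless to another account or on another host.

$credPath = Join-Path $env:LOCALAPPDATA 'svc-backup.cred.xml'   # placeholder file name

# One-time setup: run interactively AS THE ACCOUNT that will later run the scheduled script
Get-Credential -Message 'Service account' | Export-Clixml -Path $credPath

# In the scheduled script: the password comes back as a SecureString, decryptable only by the same user+machine
$cred = Import-Clixml -Path $credPath
Invoke-Command -ComputerName backup01 -Credential $cred -ScriptBlock { hostname }

# The same protection by hand, when a plain text file format is required
$protected = Read-Host -AsSecureString 'Password' | ConvertFrom-SecureString   # DPAPI-encrypted hex string
Set-Content -Path .\token.txt -Value $protected
$secure = Get-Content -Path .\token.txt | ConvertTo-SecureString
$cred2  = New-Object System.Management.Automation.PSCredential('DOMAIN\svc-backup', $secure)

# Anti-pattern this replaces: the secret sits in source, in version control, and in every transcript
# $bad = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force

# Caveat: ConvertFrom-SecureString -Key switches from DPAPI to AES with a key you supply, which
# means you now have a key to hide, i.e. the hard-coded secret problem again. Only do that when the
# blob must be portable, and treat the key file with the same care as the password.

# The blob is still worth protecting: confirm only the owner can read the file
Get-Acl -Path $credPath | Format-List Owner, AccessToString
```

Because the protection is per user and per machine, re-run the one-time setup whenever the script moves to a new host or service account; an Import-Clixml that suddenly fails with a decryption error is the expected symptom.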
RESOURCES
Reflective DLL Loading with PowerShell: http://www.youtube.com/watch?v=OAd68_SYQc8
Living off the Land: http://www.youtube.com/watch?v=j-r6UonEkUw
Get-Help about_Group_Policy_Settings: http://technet.microsoft.com/en-us/library/jj149004.aspx
Constrained PowerShell Endpoints: http://www.youtube.com/watch?v=kmjJLKlL1Wg
PowerShell Language Specification: http://www.microsoft.com/en-us/download/details.aspx?id=36389
Composing Command Arguments: http://www.powershellcookbook.com/recipe/XoMw/run-programs-scripts-and-existing-tools