POWERSHELL SECURITY BEST PRACTICES Lee Holmes | @Lee_Holmes Principal SDE |Windows PowerShell | Microsoft

Posted on 16-Dec-2015


ABOUT ME

Security geek

Developer on the Windows PowerShell team since V1

Author of the Windows PowerShell Cookbook, PowerShellCookbook.com, and Windows PowerShell Pocket Reference

@Lee_Holmes & leeholmes.com/blog

POWERSHELL THE SHELL: OPERATIONAL SECURITY

What about Execution Policy?

PowerShell Remoting

Scripts Executables

Dealing with Forensics

POWERSHELL THE SHELL: OPERATIONAL SECURITY – EXECUTION POLICY

Not a user restriction

Not a magical form of Antimalware

POWERSHELL THE SHELL: OPERATIONAL SECURITY – POWERSHELL REMOTING

[Diagram: You -> Remoting -> Host -> Files]

Understanding the Double-Hop problem

Authentication: Kerberos vs. CredSSP – Pass the Hash?

Accessing Remote Resources

POWERSHELL THE SHELL: OPERATIONAL SECURITY – SCRIPTS EXECUTABLES

Moving to Post-Exploitation defense

“I want to secure my system against C++ attacks”

Making sense of holistic system lockdown

POWERSHELL THE SHELL: OPERATIONAL SECURITY – DEALING WITH FORENSICS

@HackingDave, @ObscureSec / @Mattifestation: “Living off the Land”

@JosephBialek: “Reflective DLL Injection”

Preventing unrestricted admin access

System-wide Transcripts

Automatic Module logging

Detecting attacks on mitigations

POWERSHELL THE LANGUAGE: SCRIPTING SECURITY

Script Encryption / Obfuscation

Avoiding Code Injection

Avoiding Hard-Coded Secrets

POWERSHELL THE LANGUAGE: SCRIPTING SECURITY – SCRIPT ENCRYPTION / OBFUSCATION

Answer: Don’t.

POWERSHELL THE LANGUAGE: SCRIPTING SECURITY – PREVENTING CODE INJECTION

When dealing with dynamic commands or parameters, it’s common to fall back to old programming practices: system(), eval(), exec()

Maybe Invoke-Expression?

POWERSHELL THE LANGUAGE: SCRIPTING SECURITY – AVOIDING CODE INJECTION

Parameters support variables

Commands support splatting

Invocation supports indirection

But I REALLY need to!
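The three alternatives listed above (variables, splatting and the call operator), plus a fixed-template script block for the case where a command really must be assembled at run time, as an added PowerShell example that is not from the slides; the input string and the allow-list hashtable are constructed for illustration.

```powershell
# Added example (not from the slides): running a dynamic command without
# building a string and handing it to Invoke-Expression.

# Constructed input that looks attacker-controlled: a path with a trailing
# command separator. Treat it as data, never as script text.
$userInput = 'report.txt; Write-Host "injected"'

# --- Fragile: string building + Invoke-Expression ------------------------
# The ';' in $userInput would end the intended command and start a new one.
# Invoke-Expression "Get-Item -Path $userInput"

# --- 1. Parameters support variables -------------------------------------
# The whole string binds to -LiteralPath as one argument; it is never parsed.
Get-Item -LiteralPath $userInput -ErrorAction SilentlyContinue

# --- 2. Commands support splatting ---------------------------------------
# Build the parameter set as a hashtable; values stay values.
$params = @{
    LiteralPath = $userInput
    ErrorAction = 'SilentlyContinue'
}
Get-Item @params

# --- 3. Invocation supports indirection ----------------------------------
# Choose the command name from an allow-list, then invoke it with '&'.
$allowed   = @{ item = 'Get-Item'; child = 'Get-ChildItem' }
$requested = 'child'
if (-not $allowed.ContainsKey($requested)) {
    throw "Unknown action '$requested'"
}
& $allowed[$requested] @params

# --- If a command string really must be built ----------------------------
# Keep the template fixed and pass the dynamic data in as a parameter, so
# the data is bound as a value rather than parsed as code.
$sb = [ScriptBlock]::Create(
    'param($p) Get-Item -LiteralPath $p -ErrorAction SilentlyContinue')
& $sb $userInput
```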

POWERSHELL THE LANGUAGE: SCRIPTING SECURITY – AVOIDING HARD-CODED SECRETS

Data protection through Windows’ Data Protection API (DPAPI)

Export-CliXml / Import-CliXml

ConvertFrom-SecureString / ConvertTo-SecureString

RESOURCES

Reflective DLL Loading with PowerShell: http://www.youtube.com/watch?v=OAd68_SYQc8

Living off the Land: http://www.youtube.com/watch?v=j-r6UonEkUw

Get-Help about_Group_Policy_Settings: http://technet.microsoft.com/en-us/library/jj149004.aspx

Constrained PowerShell Endpoints: http://www.youtube.com/watch?v=kmjJLKlL1Wg

PowerShell Language Specification: http://www.microsoft.com/en-us/download/details.aspx?id=36389

Composing Command Arguments: http://www.powershellcookbook.com/recipe/XoMw/run-programs-scripts-and-existing-tools