
Securing PowerShell - TechUG December 2020

Guy Leech
December 09, 2020


Guy explores some PowerShell best practices for keeping your scripts and environment secure and for preparing you for the bad guys and girls who will use your own PowerShell set-up against you. He'll also explore some auditing best practices.


Transcript

  1. WHAT IS THE THREAT FROM POWERSHELL

     - Is it any worse than vbs or VBA?
     - PowerShell "advanced" features
       - Platform Invoke (P/Invoke) – can run any .NET or Windows API
       - Web/REST requests
       - Registry provider (amongst others)
       - WMI/CIM (but can also get/manipulate through wmic.exe & wbemtest.exe)
       - Remoting
     - Still only going to run with privileges of the invoking user (unless a vulnerability is exploited)
  2. DO YOU NEED TO ALLOW POWERSHELL

     - If not needed at all, use Image File Execution Options to simply block PowerShell for all users (Debugger = svchost.exe)
     - Will a custom ACL on powershell.exe suffice?
       - Have to change ownership from TrustedInstaller, which increases attack surface
     - Beware of copies of PowerShell.exe
     - Replace powershell.exe with a custom exe
     - Do not forget powershell_ise.exe and syswow64 (32 bit)
     - File Type Associations "Run with PowerShell" – knock out in registry
     - AppLocker, Device Guard or third party products like Ivanti Application Control (was AppSense Application Manager)
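The IFEO block and the "Run with PowerShell" verb removal from this slide, as an added example that is not from Guy's deck, plus a check for stray copies of the host executable. It assumes an elevated session; the registry key for the file type verb is the one shipped with Windows PowerShell 5.1 and should be confirmed on your build before relying on it.

```powershell
# Added example (not from the deck). Run elevated.
# IFEO: Windows starts the named "Debugger" in place of the target image and hands it the
# original command line; svchost.exe exits at once with no arguments, so the launch just fails.
# IFEO matches on the image file name, so a copy of powershell.exe in another folder is caught
# too, but a renamed copy is not; that is why the slide points at AppLocker/Application Control.
$ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$hosts = 'powershell.exe', 'powershell_ise.exe'   # the syswow64 (32 bit) copies share these names

foreach ($exe in $hosts) {
    $key = Join-Path -Path $ifeo -ChildPath $exe
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Debugger' -Value "$env:SystemRoot\System32\svchost.exe" -Type String
}
# Undo later from cmd.exe, e.g.:  reg delete "HKLM\...\Image File Execution Options\powershell.exe" /v Debugger /f
# (you will not be able to start powershell.exe locally to do it once the value exists)

# Knock out the "Run with PowerShell" explorer verb for .ps1 files (key name assumed from 5.1)
$runWith = 'HKLM:\SOFTWARE\Classes\Microsoft.PowerShellScript.1\Shell\0'
if (Test-Path -Path $runWith) { Remove-Item -Path $runWith -Recurse -Force }

# "Beware of copies": report powershell*.exe files outside the two shipped locations and whether
# they hash the same as the system copy (WinSxS backups will; a renamed or modified copy will not)
$known = @("$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
           "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe")
$knownHashes = $known | Where-Object { Test-Path -Path $_ } |
    ForEach-Object { (Get-FileHash -Algorithm SHA256 -Path $_).Hash }

Get-ChildItem -Path 'C:\' -Recurse -Filter 'powershell*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $known -notcontains $_.FullName } |
    ForEach-Object {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        [pscustomobject]@{
            Path             = $_.FullName
            SameAsSystemCopy = ($knownHashes -contains $hash)
        }
    } | Format-Table -AutoSize
```

The copy scan only finds files still called powershell*.exe; anything renamed needs a hash or signature based rule in AppLocker or Application Control rather than a path or name match.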
  3. GPOS ARE NOT ENOUGH

     - Unlike for cmd.exe, regedit.exe & taskmgr.exe there is no GPO to stop PowerShell.exe "launching"
     - What doesn't stop the determined (& don't think "my users aren't that smart")
       - Disable run (Office macros can do anything (except solve global warming))
       - Hide C: drive
       - Execution policies
         - Weak, especially if you are an admin or have access to internet search engines
  4. POWERSHELL CONSTRAINED LANGUAGE MODE

     - Restricts the features to "core" (effectively excludes using .NET)
     - Enabled via system environment variable __PSLockDownPolicy
       - So applies to all users
     - In reality, breaks a lot of scripts
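Turning on Constrained Language Mode with the system environment variable named on the slide, and seeing what "breaks a lot of scripts" looks like, as an added example that is not from the deck. It assumes an elevated session on Windows PowerShell 5.1 and a value of 4, which is the value PowerShell reads as ConstrainedLanguage.

```powershell
# Added example (not from the deck). Run elevated.
# PowerShell reads __PSLockDownPolicy from the Machine environment (the registry-backed system
# variables), so setting it with the Machine target is enough; it is read when a new process starts,
# so the session you run this from keeps whatever mode it already has.
[Environment]::SetEnvironmentVariable('__PSLockDownPolicy', '4', 'Machine')

$ps = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"

function Get-NewSessionLanguageMode {
    # Start a fresh process and report the mode it actually gets
    & $ps -NoProfile -NonInteractive -Command '$ExecutionContext.SessionState.LanguageMode'
}
"New sessions run in: $(Get-NewSessionLanguageMode)"    # ConstrainedLanguage once the variable is set

# What the slide means by "effectively excludes using .NET": a static method on a non-core type
# is refused in a new session ("Method invocation is supported only on core types...")
& $ps -NoProfile -NonInteractive -Command '[System.IO.Path]::GetTempPath()' 2>&1 |
    ForEach-Object { "Constrained session says: $_" }

# Core types still work, which is why many simple scripts keep running
& $ps -NoProfile -NonInteractive -Command '"abc".ToUpper(); @{a=1}.Count'

# To remove the policy after testing (new sessions go back to FullLanguage):
# [Environment]::SetEnvironmentVariable('__PSLockDownPolicy', $null, 'Machine')
```

Because the variable is machine-wide, test it on a representative set of logon scripts and management tools before rolling it out; there is no per-user exception, which is both the point of the slide's "applies to all users" and the reason it breaks things.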
  5. AUDITING POWERSHELL

     - Always assume you will be compromised/attacked/hacked
     - PowerShell execution can be audited
       - Enable via GPO or registry
     - Process creation & termination auditing & cmdline
     - Don't allow access to PowerShell 2.0
       - Optional feature, launched via "powershell.exe –version 2.0"
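The auditing settings from this slide done through the registry (the same policy keys the GPO writes), process creation auditing with command line capture, removal of the 2.0 engine, and a query that pulls back what was logged, as an added example that is not from the deck. It assumes an elevated session; the transcript share path is a constructed placeholder, and the auditpol subcategory names are the English ones.

```powershell
# Added example (not from the deck). Run elevated.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    # Create the policy key if needed and write one value (registry equivalent of the GPO setting)
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type $Type
}

# Script block logging: every script block that runs is written as event 4104
Set-PolicyValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
# Module logging for all modules: pipeline execution details as event 4103
Set-PolicyValue "$psPolicy\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$psPolicy\ModuleLogging\ModuleNames" '*' '*' 'String'
# Over-the-shoulder transcripts to a central share (constructed path; make it write-only for users)
Set-PolicyValue "$psPolicy\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$psPolicy\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$psPolicy\Transcription" 'OutputDirectory' '\\logserver\pstranscripts$' 'String'

# Process creation & termination auditing, with the command line included in event 4688
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Process Termination" /success:enable
Set-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled' 1

# Remove the downlevel engine so "powershell.exe -version 2.0" has nothing to load
# (2.0 predates script block logging, so anything run under it would be invisible to the above)
Disable-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -NoRestart

function Get-RecentScriptBlocks {
    # Script blocks logged in the last $Hours, with the account that ran them.
    # For 4104, Properties[2] holds the script text and Properties[4] the path (empty for typed commands)
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $_.UserId
            Path   = $_.Properties[4].Value
            Script = $_.Properties[2].Value
        }
    }
}

Get-RecentScriptBlocks -Hours 24 | Format-Table -AutoSize -Wrap
```

Forward the Microsoft-Windows-PowerShell/Operational and Security logs off the box; the slide's "assume you will be compromised" applies to local logs too, which an attacker with admin rights can clear.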
  6. POWERSHELL REMOTING

     - Is fairly secure once enabled and doesn't allow non-admins to use
     - Allow non-admins via "Remote Management Users" local group (at destination, obviously)
     - Enable/configure/disable via winrm.exe or Enable-PSRemoting/Disable-PSRemoting (as admin!)
     - Get-PSSessionConfiguration returns what accounts have access
     - WinRM can be configured to use HTTPS
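The remoting steps on this slide run on the destination machine, as an added example that is not from the deck: enable remoting, grant a non-admin group access through the local group named on the slide, review who can reach which endpoint, and move WinRM to HTTPS. It assumes an elevated session, a server certificate already installed in the LocalMachine\My store, and placeholder values for the group name and certificate thumbprint.

```powershell
# Added example (not from the deck). Run elevated on the destination machine.
Enable-PSRemoting -Force

# Non-admins can only connect if they are in this local group on the destination
$helpdeskGroup = 'CONTOSO\Helpdesk'        # placeholder
Add-LocalGroupMember -Group 'Remote Management Users' -Member $helpdeskGroup -ErrorAction SilentlyContinue
Get-LocalGroupMember -Group 'Remote Management Users' | Select-Object Name, ObjectClass, PrincipalSource

# Which accounts have access to which endpoint? Permission is the endpoint's security descriptor as text
Get-PSSessionConfiguration | Select-Object Name, PSVersion, Permission | Format-Table -AutoSize -Wrap

# HTTPS listener on 5986 bound to an existing certificate (placeholder thumbprint); the certificate
# subject or SAN must match the name clients connect with
$thumbprint = 'PLACEHOLDER_CERT_THUMBPRINT'
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $thumbprint -Force | Out-Null
New-NetFirewallRule -DisplayName 'WinRM over HTTPS' -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null

function Test-RemotingOverHttps {
    # Returns $true when the HTTPS listener answers; fails if the certificate does not match the name
    param([string]$ComputerName = $env:COMPUTERNAME)
    try   { $null = Test-WSMan -ComputerName $ComputerName -UseSSL -ErrorAction Stop; $true }
    catch { $false }
}

# Only once HTTPS is confirmed working: drop the plain HTTP listener (winrm.exe syntax, as on the slide)
if (Test-RemotingOverHttps) {
    winrm.exe delete 'winrm/config/Listener?Address=*+Transport=HTTP'
}
Get-ChildItem -Path WSMan:\localhost\Listener | Select-Object Name, Keys
```

Removing the HTTP listener does not disable Kerberos-authenticated traffic protection on a domain (WinRM already encrypts the payload in that case); its value is for workgroup, cross-forest and Basic/NTLM cases, and for keeping a single, certificate-backed entry point that Get-PSSessionConfiguration and the firewall rule can account for.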
  7. JUST ENOUGH ADMINISTRATION (JEA)

     - Granular control of admin rights in PowerShell
     - Needs PowerShell 5.0 or later
     - New-PSRoleCapabilityFile
       - Configure file for your needs
     - New-PSSessionConfigurationFile
       - Configure file for your needs and test with Test-PSSessionConfigurationFile
     - Get-PSSessionCapability -ConfigurationName GuysJEADemo –Username
     - Tricky to setup!
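The JEA steps on this slide carried through end to end, as an added example that is not from the deck: a role capability file, a session configuration file checked with Test-PSSessionConfigurationFile, registration of the GuysJEADemo endpoint named on the slide, and Get-PSSessionCapability to see what a user would actually get. The module name, role name, group and user are constructed placeholders; the cmdlets and parameters are real. It assumes an elevated session on PowerShell 5.0 or later.

```powershell
# Added example (not from the deck). Run elevated; PowerShell 5.0 or later.
# JEA finds .psrc files in the RoleCapabilities folder of a module on the PSModulePath,
# so the role lives inside a small module created here for the purpose.
$moduleName = 'JeaDemoRoles'                                           # constructed
$modulePath = Join-Path -Path $env:ProgramFiles -ChildPath "WindowsPowerShell\Modules\$moduleName"
$rolePath   = Join-Path -Path $modulePath -ChildPath 'RoleCapabilities'
New-Item -Path $rolePath -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path -Path $modulePath -ChildPath "$moduleName.psd1")

# Step 1: role capability = what a connected user may run. Whitelisting a cmdlet and then
# constraining its parameter keeps the role from becoming "restart any service".
New-PSRoleCapabilityFile -Path (Join-Path -Path $rolePath -ChildPath 'ServiceRestart.psrc') -VisibleCmdlets @(
    'Get-Service',
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidatePattern = '^(Spooler|W32Time)$' } }
)

# Step 2: session configuration = who gets which role. RunAsVirtualAccount means the commands run
# as a temporary local admin, so the helpdesk user never needs admin rights of their own.
$sessionFile = Join-Path -Path $env:TEMP -ChildPath 'GuysJEADemo.pssc'
New-PSSessionConfigurationFile -Path $sessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'ServiceRestart' } }   # placeholder group

if (-not (Test-PSSessionConfigurationFile -Path $sessionFile)) {
    throw "Session configuration file $sessionFile failed validation"
}

# Step 3: register the endpoint (this restarts WinRM) and confirm what a group member sees
Register-PSSessionConfiguration -Name 'GuysJEADemo' -Path $sessionFile -Force | Out-Null

function Get-JeaUserCommands {
    # The effective command list a given account gets on the endpoint, which is the slide's
    # Get-PSSessionCapability check; compare this against what you intended before handing it out
    param([string]$ConfigurationName = 'GuysJEADemo', [string]$Username)
    Get-PSSessionCapability -ConfigurationName $ConfigurationName -Username $Username |
        Select-Object Name, CommandType
}
Get-JeaUserCommands -Username 'CONTOSO\helpdeskuser' | Format-Table -AutoSize   # placeholder user

# A helpdesk user then connects with:
#   Enter-PSSession -ComputerName <server> -ConfigurationName GuysJEADemo
# and only sees Get-Service plus Restart-Service limited to the two services above.
```

The "tricky to setup" warning on the slide mostly comes from the role file needing to sit inside a module and from Get-PSSessionCapability being the only quick way to see the combined effect of several roles; run it for each group you grant before users do.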