Slide 1

SECURING POWERSHELL
Guy Leech (@GUYRLEECH)
Tech UG, December 2020

Slide 2

WHAT IS THE THREAT FROM POWERSHELL

- Is it any worse than VBS or VBA?
- PowerShell "advanced" features:
  - Platform Invoke (P/Invoke): can call any .NET or Windows API
  - Web/REST requests
  - Registry provider (amongst others)
  - WMI/CIM (but these can also be read and manipulated through wmic.exe and wbemtest.exe)
  - Remoting
- Still only runs with the privileges of the invoking user (unless a vulnerability is exploited)

Slide 3

DO YOU NEED TO ALLOW POWERSHELL

- If not, use Image File Execution Options to simply block PowerShell for all users (Debugger = svchost.exe)
- Will a custom ACL on powershell.exe suffice?
  - You have to take ownership from TrustedInstaller, which increases the attack surface
- Beware of copies of powershell.exe
- Replace powershell.exe with a custom exe
- Do not forget powershell_ise.exe and the SysWOW64 (32-bit) copies
- File type associations: knock out "Run with PowerShell" in the registry
- AppLocker, Device Guard or third-party products such as Ivanti Application Control (formerly AppSense Application Manager)
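
The controls on this slide, as an added example that is not the presenter's code: a script that reports the IFEO state for the two PowerShell images, applies the Debugger redirection on request, hunts for copies of the binary that IFEO would not catch, and shows the "Run with PowerShell" verb. It assumes an elevated Windows PowerShell 5.1 session on 64-bit Windows; the function names are this example's own, and the registry path of the Explorer verb is assumed to be the Windows 10 layout.

```powershell
# Added example for this deck (not the presenter's code). Assumes an elevated Windows
# PowerShell 5.1 session on 64-bit Windows. Function names are this example's own.

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$images   = 'powershell.exe', 'powershell_ise.exe'   # IFEO matches on image name, so the SysWOW64 copies are covered too

function Get-PowerShellIfeoState {
    # Report whether an IFEO Debugger value is currently redirecting each image
    foreach ($exe in $images) {
        $key = Join-Path -Path $ifeoRoot -ChildPath $exe
        $dbg = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        [pscustomobject]@{ Image = $exe; Debugger = $dbg; Blocked = [bool]$dbg }
    }
}

function Set-PowerShellIfeoBlock {
    # The slide's control: point Debugger at svchost.exe, which exits immediately when started
    # without its -k argument. This also blocks the admin's own later PowerShell sessions.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Debugger = 'svchost.exe')
    foreach ($exe in $images) {
        $key = Join-Path -Path $ifeoRoot -ChildPath $exe
        if ($PSCmdlet.ShouldProcess($key, "set Debugger = $Debugger")) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name Debugger -Value $Debugger -Type String
        }
    }
}

function Find-PowerShellCopies {
    # A renamed copy of powershell.exe is not matched by IFEO, so look for the binary by its
    # version resource rather than its file name, then hash it against the two shipped copies.
    param([string[]]$SearchRoot = @("$env:SystemDrive\"))
    $shipped = @(
        "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
        "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    ) | Where-Object { Test-Path -Path $_ }
    $shippedHashes = $shipped | ForEach-Object { (Get-FileHash -Path $_ -Algorithm SHA256).Hash }

    Get-ChildItem -Path $SearchRoot -Recurse -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.VersionInfo.OriginalFilename -in 'PowerShell.EXE', 'PowerShell_ISE.EXE' -and
                       $_.FullName -notin $shipped } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                Path       = $_.FullName
                Renamed    = $_.Name -notin $images        # renamed copies evade IFEO entirely
                SameBinary = $hash -in $shippedHashes      # identical bytes to a shipped copy
            }
        }
}

function Get-RunWithPowerShellVerb {
    # The Explorer "Run with PowerShell" context-menu verb for .ps1 files; key path assumed to be the
    # Windows 10 layout. An empty result means the verb has been knocked out.
    $key = 'Registry::HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\Shell\0\Command'
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
}

# Usage: audit first, then apply the block (drop -WhatIf to make the change)
Get-PowerShellIfeoState   | Format-Table -AutoSize
Find-PowerShellCopies     | Format-Table -AutoSize
Get-RunWithPowerShellVerb
Set-PowerShellIfeoBlock -WhatIf
```

The version-resource check is what makes the copy hunt useful: a renamed powershell.exe keeps its OriginalFilename, so it shows up with Renamed = True, which is exactly the case an IFEO Debugger entry does not cover.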

Slide 4

GPOS ARE NOT ENOUGH

- Unlike cmd.exe, regedit.exe and taskmgr.exe, there is no GPO to stop powershell.exe "launching"
- What doesn't stop the determined (and don't think "my users aren't that smart"):
  - Disabling Run (Office macros can do anything, except solve global warming)
  - Hiding the C: drive
  - Execution policies: weak, especially if you are an admin or have access to an internet search engine

Slide 5

POWERSHELL CONSTRAINED LANGUAGE MODE

- Restricts the language to its "core" features (effectively excludes using .NET)
- Enabled via the system environment variable __PSLockDownPolicy
  - So it applies to all users
- In reality, it breaks a lot of scripts
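
An added example, not from the deck, showing both halves of this slide: how the machine-wide variable is set, and a probe that runs a handful of typical script operations in a fresh powershell.exe so you can see which ones Constrained Language Mode rejects before rolling it out. It assumes an elevated Windows PowerShell 5.1 session; the probe list and function names are this example's own.

```powershell
# Added example for this deck (not the presenter's code). Assumes an elevated Windows
# PowerShell 5.1 session. Probe list and function names are this example's own.

function Set-LockdownPolicy {
    # __PSLockDownPolicy = 4 selects ConstrainedLanguage; removing the variable restores FullLanguage.
    # The engine reads the machine-scope variable when a new powershell.exe starts, so new processes
    # pick it up without a reboot; sessions already running keep their current language mode.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Disable)
    $value = if ($Disable) { $null } else { '4' }
    if ($PSCmdlet.ShouldProcess('machine environment', "__PSLockDownPolicy = $value")) {
        [Environment]::SetEnvironmentVariable('__PSLockDownPolicy', $value, [EnvironmentVariableTarget]::Machine)
    }
}

# Constructed probes: things ordinary admin scripts do, from "core" to "needs .NET"
$defaultProbes = [ordered]@{
    'Core cmdlet'          = 'Get-Process -Id $PID'
    'String operator'      = '"ab" * 3'
    'Method on core type'  = '(Get-Date).ToString("s")'
    'Static .NET method'   = '[System.IO.Path]::GetTempPath()'
    'New-Object .NET type' = 'New-Object -TypeName System.Net.WebClient'
    'Add-Type'             = 'Add-Type -TypeDefinition "public class Probe {}"'
}

function Invoke-LanguageModeProbe {
    # Run each snippet in a fresh powershell.exe and report whether it ran or which error rejected it
    param([System.Collections.IDictionary]$Probes = $defaultProbes)
    $exe  = Join-Path $PSHOME 'powershell.exe'
    $mode = & $exe -NoProfile -NonInteractive -Command '$ExecutionContext.SessionState.LanguageMode'
    foreach ($name in $Probes.Keys) {
        $body = @"
`$ErrorActionPreference = 'Stop'
try { $($Probes[$name]) | Out-Null; 'Allowed' } catch { 'Blocked: ' + `$_.FullyQualifiedErrorId }
"@
        # -EncodedCommand sidesteps quoting problems when passing the snippet through the native command line
        $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($body))
        $result  = & $exe -NoProfile -NonInteractive -EncodedCommand $encoded
        [pscustomobject]@{ LanguageMode = $mode; Probe = $name; Result = ($result -join ' ') }
    }
}

# Usage: baseline, enable, re-run, then revert if the breakage is not acceptable
Invoke-LanguageModeProbe | Format-Table -AutoSize
Set-LockdownPolicy
Invoke-LanguageModeProbe | Format-Table -AutoSize
Set-LockdownPolicy -Disable
```

The second table is the slide's "breaks a lot of scripts" made concrete: the cmdlet, operator and DateTime probes still run, while the static method call, New-Object on a non-core type and Add-Type come back with the language-mode error IDs, and any production script relying on them fails the same way.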

Slide 6

AUDITING POWERSHELL

- Always assume you will be compromised/attacked/hacked
- PowerShell execution can be audited
  - Enable via GPO or registry
- Process creation and termination auditing, including the command line
- Don't allow access to PowerShell 2.0
  - It is an optional feature, launched via "powershell.exe -version 2.0"
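
The auditing set-up on this slide as an added example (not the presenter's code): one function writes the same registry values the PowerShell logging Group Policy settings write and turns on process auditing with command lines, a second removes the v2 engine and confirms it no longer starts, and a third reads back recent script block events and flags the ones worth a look. It assumes an elevated Windows PowerShell 5.1 session on Windows 10 or Server 2016 or later; the function names and the detection regex are this example's own choices.

```powershell
# Added example for this deck (not the presenter's code). Assumes an elevated Windows PowerShell 5.1
# session on Windows 10 / Server 2016 or later. Function names and the regex are this example's own;
# the registry paths are the ones the corresponding Group Policy settings write.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellAuditing {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$TranscriptDirectory = "$env:ProgramData\PowerShellTranscripts")
    if (-not $PSCmdlet.ShouldProcess('local machine', 'enable PowerShell and process auditing')) { return }

    # Script block logging -> event 4104 in Microsoft-Windows-PowerShell/Operational
    $sbl = Join-Path $policyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging -> event 4103, for every module ('*')
    $ml = Join-Path $policyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String

    # Over-the-shoulder transcripts of every session
    $tr = Join-Path $policyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name OutputDirectory -Value $TranscriptDirectory -Type String

    # Process creation/termination (events 4688/4689), with the command line included in 4688
    auditpol.exe /set /subcategory:'Process Creation' /success:enable /failure:enable | Out-Null
    auditpol.exe /set /subcategory:'Process Termination' /success:enable | Out-Null
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $audit -Force | Out-Null
    Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
}

function Disable-PowerShellV2 {
    # The v2 engine predates script block logging, so "powershell.exe -version 2.0" sidesteps it.
    # Client SKUs expose it as an optional feature; on Server use Uninstall-WindowsFeature PowerShell-V2.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Get-WindowsOptionalFeature -Online |
            Where-Object { $_.FeatureName -like 'MicrosoftPowerShellV2*' -and $_.State -eq 'Enabled' } |
            ForEach-Object { Disable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName -NoRestart | Out-Null }
    }
    # Confirm: if the engine is gone this prints nothing and V2Available is False
    $out = & "$PSHOME\powershell.exe" -NoProfile -NonInteractive -Version 2.0 -Command '$PSVersionTable.PSVersion.Major' 2>$null
    [pscustomobject]@{ V2Available = ("$out" -eq '2') }
}

function Get-SuspiciousScriptBlocks {
    # Read recent 4104 events and flag patterns common in download-and-execute or obfuscated usage.
    # The regex is a starting point to tune per environment, not a complete detection.
    param(
        [int]$MaxEvents = 200,
        [string]$Pattern = 'FromBase64String|DownloadString|Invoke-Expression|\bIEX\b|-EncodedCommand|Net\.WebClient'
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 properties: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
            $text = [string]$_.Properties[2].Value
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = $_.UserId
                Path       = $_.Properties[4].Value
                Suspicious = [bool]($text -match $Pattern)
                Preview    = $text.Substring(0, [Math]::Min(80, $text.Length))
            }
        } | Where-Object Suspicious
}

# Usage
Enable-PowerShellAuditing
Disable-PowerShellV2
Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Two practical points: the transcript directory fills up quickly and should be on a volume where normal users cannot delete files, and Disable-PowerShellV2 is worth running on every host that has script block logging enabled, because otherwise the logging is only as good as the attacker's choice of engine version.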

Slide 7

POWERSHELL REMOTING

- Is fairly secure once enabled and does not let non-admins use it by default
- Allow non-admins via the "Remote Management Users" local group (at the destination, obviously)
- Enable/configure/disable via winrm.exe or Enable-PSRemoting/Disable-PSRemoting (as admin!)
- Get-PSSessionConfiguration returns which accounts have access
- WinRM can be configured to use HTTPS
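
An added example (not the presenter's code) tying these points together: enable remoting on the destination, swap the HTTP listener for an HTTPS one, grant named non-admins access through the local group, list who can reach which endpoint, and verify from a client over TLS. It assumes an elevated Windows PowerShell 5.1 session, a server-authentication certificate already in the machine store whose thumbprint you supply, and the LocalAccounts module (Windows 10 / Server 2016 or later). Account and host names are constructed placeholders; the function names are this example's own.

```powershell
# Added example for this deck (not the presenter's code). Assumes an elevated Windows PowerShell 5.1
# session on the destination, a TLS certificate already in Cert:\LocalMachine\My, and the
# LocalAccounts module. Account names are constructed; function names are this example's own.

function Enable-SecureRemoting {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CertificateThumbprint,   # placeholder: thumbprint of the host's certificate
        [string]$HostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [string[]]$NonAdminUsers = @()                           # e.g. 'CONTOSO\helpdesk' (constructed)
    )
    if (-not $PSCmdlet.ShouldProcess($HostName, 'enable WinRM over HTTPS')) { return }

    Enable-PSRemoting -Force | Out-Null   # starts WinRM, registers the endpoints, adds the HTTP listener

    # Replace the HTTP listener with an HTTPS one bound to the certificate, and open 5986 only on the domain profile
    Remove-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{ Address = '*'; Transport = 'HTTP' } `
        -ErrorAction SilentlyContinue
    New-WSManInstance -ResourceURI winrm/config/Listener `
        -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet @{ Hostname = $HostName; CertificateThumbprint = $CertificateThumbprint } | Out-Null
    New-NetFirewallRule -DisplayName 'WinRM HTTPS-In' -Direction Inbound -Protocol TCP -LocalPort 5986 `
        -Action Allow -Profile Domain | Out-Null

    # Non-admins only get in via this group; they still land in the default endpoint with their own rights
    foreach ($user in $NonAdminUsers) {
        Add-LocalGroupMember -Group 'Remote Management Users' -Member $user
    }
}

function Get-RemotingAccess {
    # Who may connect to which endpoint; Permission is the endpoint's SDDL rendered as readable entries
    Get-PSSessionConfiguration | Select-Object Name, Permission
}

function Test-SecureRemoting {
    # Run from a client: Test-WSMan performs the TLS handshake and certificate name check first
    param([Parameter(Mandatory)][string]$ComputerName, [pscredential]$Credential)
    Test-WSMan -ComputerName $ComputerName -UseSSL | Out-Null
    Invoke-Command -ComputerName $ComputerName -UseSSL -Credential $Credential -ScriptBlock {
        [pscustomobject]@{
            Host = $env:COMPUTERNAME
            User = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        }
    }
}

# Usage (destination, then client); thumbprint and names are placeholders
Enable-SecureRemoting -CertificateThumbprint '<thumbprint>' -NonAdminUsers 'CONTOSO\helpdesk'
Get-RemotingAccess | Format-Table -AutoSize
Test-SecureRemoting -ComputerName 'server01.contoso.local' -Credential (Get-Credential)
```

The certificate must chain to a CA the clients trust and carry the host name the clients use, otherwise -UseSSL fails at Test-WSMan; after Enable-SecureRemoting, Get-RemotingAccess should show BUILTIN\Remote Management Users with AccessAllowed on the default endpoint alongside BUILTIN\Administrators.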

Slide 8

JUST ENOUGH ADMINISTRATION (JEA)

- Granular control of admin rights in PowerShell
- Needs PowerShell 5.0 or later
- New-PSRoleCapabilityFile
  - Configure the file for your needs
- New-PSSessionConfigurationFile
  - Configure the file for your needs and test with Test-PSSessionConfigurationFile
- Get-PSSessionCapability -ConfigurationName GuysJEADemo -Username
- Tricky to set up!
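
The JEA steps above carried through end to end, as an added example that is not the presenter's code: it reuses the slide's configuration name GuysJEADemo but the role (ServiceRestarter), the group CONTOSO\JEA-Helpdesk and the user CONTOSO\alice are constructed. It assumes an elevated Windows PowerShell 5.1 session on the server that will host the endpoint.

```powershell
# Added example for this deck (not the presenter's code). Assumes an elevated Windows PowerShell 5.1
# session on the server. GuysJEADemo is the slide's configuration name; the role, group and user
# names are constructed.

$configName = 'GuysJEADemo'
$moduleRoot = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$configName"

# 1. Role capability file. The .psrc must sit in a module's RoleCapabilities folder somewhere on
#    $env:PSModulePath, so create a minimal module to carry it.
$rcDir = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -Path $rcDir -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot "$configName.psd1")

# Only two cmdlets are exposed, and Restart-Service is pinned to a whitelist of service names;
# Get-ServiceStatus is a function defined inside the role so the user never sees Select-Object itself.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'ServiceRestarter.psrc') `
    -VisibleCmdlets 'Get-Service',
                    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } } `
    -FunctionDefinitions @{
        Name        = 'Get-ServiceStatus'
        ScriptBlock = { param([string]$Name) Get-Service -Name $Name | Select-Object Name, Status, StartType }
    } `
    -VisibleFunctions 'Get-ServiceStatus'

# 2. Session configuration file: restricted endpoint, a temporary virtual admin account so the
#    connecting user needs no rights of their own, and transcripts of everything that is run.
$pssc = Join-Path $env:ProgramData "$configName.pssc"
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory (Join-Path $env:ProgramData 'JEATranscripts') `
    -RoleDefinitions @{ 'CONTOSO\JEA-Helpdesk' = @{ RoleCapabilities = 'ServiceRestarter' } }

# 3. Validate before registering; a malformed file would otherwise only fail when someone connects
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration file: $pssc"
}
Register-PSSessionConfiguration -Name $configName -Path $pssc -Force | Out-Null   # -Force restarts WinRM

# 4. Check what a member of the role actually gets: the two cmdlets, the function and the JEA defaults
Get-PSSessionCapability -ConfigurationName $configName -Username 'CONTOSO\alice' |
    Select-Object Name, CommandType | Sort-Object Name

# 5. From a client the user connects to the endpoint by name (placeholder server name):
#    Enter-PSSession -ComputerName 'server01.contoso.local' -ConfigurationName GuysJEADemo
```

Step 4 is the one to keep running while you tune the files: if a user in the group sees more than you intended, it is almost always because a second role also applies to them (role capabilities are merged), which is a large part of why the slide calls JEA tricky to set up.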

Slide 9

RESOURCES

- https://www.digitalshadows.com/blog-and-research/powershell-security-best-practices/
- https://bestestredteam.com/2019/01/27/powershell-execution-policy-bypass/
- https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
- https://lp.scriptrunner.com/en/powershell-security-guide
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_language_modes
- https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/overview