ops 201 reading 07 - ElodieReb/reading-notes GitHub Wiki

Reading Notes for Class 07, Self-Paced Ops 201

Objective

Today's readings are relevant to what we are studying in class because they introduce PowerShell, a programming language that both systems administrators and hackers use today.

Reading Comprehension (1)

Title = Should You Learn PowerShell?

  • PowerShell is a command-line shell made by Microsoft that enables system administrators and power users to manage computers from the command line. It is also a scripting language that can be used for automating administrative tasks and configuration management.
  • Unlike most programming languages, which are used to create something, PowerShell is an interpreted language for doing things, typically in the context of managing a technology environment.
  • The programming languages that create something are typically used by developers, while PowerShell is typically leveraged by system administrators, network administrators, systems engineers, cloud architects, systems architects, etc.
  • Depending on the system, either bash or PowerShell will be used. Bash is the shell primarily used on Linux, while PowerShell remains the de facto standard for Windows. PowerShell pipes objects, passing the output of one cmdlet along as the input of the next. This means PowerShell pushes around structured data, whereas bash pushes around globs of text.
  • The advantage of strings is that the information is easy to pass around anywhere; the disadvantage is that bash requires a lot of string manipulation and parsing to extract the information you are after. PowerShell, by contrast, lets you move complex data with very little effort, but these objects are not universal and are not as readily accessible outside of PowerShell.
  • PowerShell is supported on nearly every major platform today.
  • Top five reasons why you should learn PowerShell: Automation, Accuracy, Versatility, Community, Relevance
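An added example (not from the reading) of the object-pipeline difference described above: each stage receives typed objects with named properties, and serialization is only needed when the data leaves PowerShell. It assumes a Windows PowerShell or cross-platform pwsh session.

```powershell
# Find processes using more than 100 MB of working-set memory, sorted by memory use.
# No text parsing: every stage filters, sorts and reshapes objects by property name.
$heavy = Get-Process |
    Where-Object { $_.WorkingSet64 -gt 100MB } |
    Sort-Object -Property WorkingSet64 -Descending |
    Select-Object -Property Name, Id,
        @{ Name = 'MemoryMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) } }

# $heavy is an array of objects; properties are still accessible by name downstream.
$heavy | ForEach-Object { '{0} (PID {1}) uses {2} MB' -f $_.Name, $_.Id, $_.MemoryMB }

# The objects are PowerShell-specific. To hand them to a tool outside PowerShell,
# serialize them to a universal text format first (the trade-off noted in the reading).
$jsonPath = Join-Path $env:TEMP 'heavy-processes.json'   # constructed output path
$csvPath  = Join-Path $env:TEMP 'heavy-processes.csv'    # constructed output path
$heavy | ConvertTo-Json -Depth 2 | Set-Content -Path $jsonPath
$heavy | Export-Csv -Path $csvPath -NoTypeInformation

# For comparison, the bash equivalent has to parse columns of text:
#   ps -eo comm,pid,rss --sort=-rss | awk '$3 > 102400 { print $1, $2, $3/1024 " MB" }'
```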

Reading Comprehension (2)

Title = Who needs malware?

  • In a traditional local malware infection, the attacker first needs the ability to run malicious commands, then directs the infected Windows machine to download, save, and execute a trojan payload. Many attackers today skip that second step entirely: the attack runs "in memory" using PowerShell.
  • PowerShell can forgo the file system and inject malicious code directly into memory, which improves the attacker's obfuscation and often evades security controls designed to detect malware being written to disk.
  • Misconfiguration incident = an instance where databases and storage buckets were left exposed to the public-facing internet
  • Social engineering attacks remain as effective as ever

Reading Comprehension (3)

Title = What is a PowerShell attack? (video)

  • "Living off the land" tactics = attackers take advantage of common tools within your network
  • They use software, applications, cloud services, or authorized protocols that you trust to conduct malicious behavior. These attacks often blend in with normal system administration work - allowing attacks to occur in plain sight.

Things I'd like to know more about

  • How do the hackers gain access to someone else's PowerShell?