Windows Powershell - PimmyTrousers/Cooking-Recipes GitHub Wiki

Powershell

Overview

  • Used for local and remote administration
  • Commands (cmdlets) are specialised .NET classes, each implementing one operation
    • These access the Windows registry, file system and other system interfaces to perform actions
  • Also exposes a hosting API (System.Management.Automation), so PowerShell can be embedded in other applications; blocking powershell.exe alone therefore does not remove PowerShell from a host
  • Open source and cross platform
  • Available for every Windows since XP SP2 and Server 2003 (as an optional install); built in since Windows 7 and Server 2008 R2

Flaws

  • Scripts can be placed on disk as .ps1 files, but the payload itself runs in memory and can download further code that also runs only in memory (for example a downloaded string handed to Invoke-Expression), leaving little on disk for antivirus to scan
  • Most organizations do not watch PowerShell activity, and many security products don't either, so it is commonly used for infection (PowerShell 5 can log script blocks and module use, but that logging is off by default)
  • PowerSploit is a collection of PowerShell post-exploitation modules. It does not exploit flaws in PowerShell itself; it shows what an attacker who can already run PowerShell on a host is able to do:
    • Bypass antivirus (payloads are loaded reflectively in memory rather than written to disk)
    • Record from the microphone
    • Get users' passwords
    • Get a memory minidump of a process (such as lsass)
    • Record keystrokes
  • PowerView (part of PowerSploit) enumerates the compromised computer and the Active Directory domain and network it sits in: users, groups, computers, sessions, shares and trusts
  • Invoke-Mimikatz (also in PowerSploit) loads Mimikatz into memory from PowerShell; Mimikatz extracts plaintext passwords, hashes and Kerberos tickets from memory

Securing

  • (mostly taken from here)
  • Disables PowerShell script execution
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell
    • "EnableScripts"=dword:00000000
    • This is the Group Policy "Turn on Script Execution" setting, disabled; it forces the Restricted execution policy at machine-policy scope, so Set-ExecutionPolicy and the -ExecutionPolicy Bypass switch can no longer override it
    • Caveat: execution policy only governs .ps1 files. Command text (-Command, -EncodedCommand, text piped into powershell.exe, Invoke-Expression of a downloaded string) still runs, so on its own this is not a security boundary
  • Restricts PowerShell to Constrained Language Mode, which locks the language down to its core elements: no arbitrary .NET types, COM objects or Add-Type, so scripts cannot reach arbitrary Windows APIs
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
    • "__PSLockDownPolicy"="4"
    • This is a system environment variable read at PowerShell start-up, so it only affects processes started after the environment is refreshed, and anyone able to start PowerShell with that variable cleared gets Full Language back; treat it as a convenience and enforce Constrained Language Mode with SRP/AppLocker (below) where it matters
  • Use default-deny Software Restriction Policies with the enforcement setting "All software files"
    • Add the PowerShell script extensions (.ps1, and .psm1/.psd1) to the "Designated file types" list
      • Blocks script files from running
      • Commands passed as text to PowerShell.exe still run, because the host executable is a signed Windows binary that stays allowed and no script file is opened
    • When the SRP default security level is Disallowed or Basic User, PowerShell detects the policy and drops into Constrained Language Mode, so this is another way to get Constrained Language Mode without editing the registry (and, unlike the environment variable, it is enforced by the policy engine)
  • Block *.ps1 and other script types by default in User Space
  • Run Powershell.exe with restricted privileges
  • Block loading of *.dlls from User Space
  • Block launch of *.exe from User Space
  • Disable macros
  • Whitelist only scripts that have been audited (or in our case, nothing)
  • Can also add powershell.exe to the disallowed list and block its internet access (for example with an outbound firewall rule for the executable)
  • Weird way to break PowerShell: if you change your locale to a non-Roman character set (like Hebrew), PowerShell can't get a path and stops working, which breaks PowerShell scripts
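As an added example (not from the wiki page or the source it cites), the two registry settings above applied from an elevated PowerShell prompt, followed by a check from a new powershell.exe process of what they actually enforce. The paths and value names are the ones listed above; nothing beyond local administrator rights is assumed.

```powershell
# Added example (not from the wiki page or its source): apply the two registry
# settings from the list above and verify, from a fresh powershell.exe process,
# what PowerShell reports. Requires an elevated prompt.

$policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell'
$envKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

# 1. "Turn on Script Execution" policy disabled (EnableScripts = 0). Because this is
#    the Group Policy registry location it becomes the MachinePolicy scope, which
#    Set-ExecutionPolicy and "-ExecutionPolicy Bypass" cannot override.
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'EnableScripts' -Value 0 -Type DWord

# 2. __PSLockdownPolicy = 4 as a system environment variable -> Constrained Language
#    Mode in new PowerShell processes. The registry write only reaches processes that
#    start after the environment is refreshed (log off/on), so it is also set in this
#    session so that the child process below inherits it.
Set-ItemProperty -Path $envKey -Name '__PSLockdownPolicy' -Value '4' -Type String
$env:__PSLockdownPolicy = '4'

# 3. Verify in a new process. New-Object on a non-core type (WebClient is the usual
#    download-cradle object) is exactly what Constrained Language Mode refuses, and
#    the MachinePolicy scope shows where the execution policy is coming from.
$check = @'
[pscustomobject]@{
    LanguageMode  = $ExecutionContext.SessionState.LanguageMode
    MachinePolicy = (Get-ExecutionPolicy -Scope MachinePolicy)
    WebClientOk   = $(try { New-Object System.Net.WebClient -ErrorAction Stop | Out-Null; $true } catch { $false })
}
'@
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($check))
powershell.exe -NoProfile -EncodedCommand $encoded
```

With both settings in place the new process reports ConstrainedLanguage and a MachinePolicy of Restricted, and the WebClient creation fails. Note what the check itself demonstrates: it ran as -EncodedCommand under a Restricted execution policy, because execution policy governs .ps1 files, not command text; the language mode is what stopped the object creation.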

Voodooshield

  • Easy to install (and free)
  • Takes snapshots and monitors your computer for programs it deems risky
    • It has a sliding scale of how risky it thinks a program is
  • By default it blocks some PowerShell operations that it deems risky (and which are risky)
  • I've tested it for a day so far; very useful. Will update as the week goes on on how effective it is

Active Directory

  • (mostly taken from here)
  • Quick and not very useful trick, but disable the Guest account and rename the built-in Administrator account to slow attackers down a bit
    • This is common advice so it's not going to surprise the red team (the renamed account keeps RID 500 and is easily looked up), but it'll still slow them down a bit
  • Configure security settings using group policy
  • Make sure update KB2962486 (MS14-025) is installed on every computer used to manage Group Policy; it stops new passwords being saved in Group Policy Preferences
  • Delete existing GPP XML files in SYSVOL containing passwords (the cpassword attribute); the patch does not remove the ones already there, and the key that encrypts them is public
  • Make sure the DCPromo process includes a patch QA step that checks for KB3011780 (MS14-068, the Kerberos KDC PAC validation flaw) before promotion; on the candidate machine run Get-HotFix -Id KB3011780
  • Have a process that makes sure patches are automatically applied
  • Use passwords of 25+ characters, especially for service accounts, whose Kerberos service tickets can be taken offline and cracked
  • Change Group Policy to prevent local admin accounts (and the domain admin groups) from authenticating over the network to workstations and member servers
    • Apply these user-rights assignments by GPO to workstations and member servers, not to domain controllers (the admin groups still need to log on there):
    • "Deny access to this computer from the network: Local account, Enterprise Admins, Domain Admins"
    • "Deny log on through Remote Desktop Services: Local account, Enterprise Admins, Domain Admins"
    • "Deny log on locally: Enterprise Admins, Domain Admins"
    • "Local account" is the built-in group S-1-5-113, so the rule covers every local account whatever it is named
  • Limit groups that have rights to logon to Domain Controllers
  • Limit groups with full Active Directory rights
  • Change the Directory Services Restore Mode (DSRM) password on every domain controller from the one set at promotion (ntdsutil "set dsrm password")
  • Get rid of LM (LAN Manager) password hashes
    • Enable "Network security: Do not store LAN Manager hash value on next password change" (NoLMHash); existing LM hashes only disappear when each account next changes its password
    • Also set "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM" (LmCompatibilityLevel 5) so hosts neither send nor accept the weak responses
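A read-only audit of the items in this list, added here as an example (it is not from the wiki page or the site it draws on). It assumes the RSAT ActiveDirectory module, a domain-joined machine whose user can read SYSVOL, and an elevated prompt for secedit. Run it on a domain controller and on a member server and compare: the deny-logon rights are expected on members, not on DCs.

```powershell
# Added example, not from the wiki page or its source: read-only audit of the
# Active Directory hardening items listed above. Assumes RSAT ActiveDirectory,
# a domain-joined host that can read SYSVOL, and an elevated prompt (secedit).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$report = [ordered]@{}

# Patches named above: KB2962486 (MS14-025, GPP passwords) and KB3011780 (MS14-068, Kerberos KDC).
foreach ($kb in 'KB2962486', 'KB3011780') {
    $report[$kb] = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
}

# GPP XML in SYSVOL that still carries a cpassword attribute (the files the list says to delete).
$policies = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
$report['GPP files with cpassword'] = @(
    Get-ChildItem -Path $policies -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
        Select-String -Pattern 'cpassword=' -List |
        ForEach-Object Path
)

# Built-in accounts looked up by well-known RID, so a renamed Administrator is still found.
$admin = Get-ADUser -Identity "$($domain.DomainSID)-500"
$guest = Get-ADUser -Identity "$($domain.DomainSID)-501"
$report['Administrator renamed'] = ($admin.SamAccountName -ne 'Administrator')
$report['Guest disabled']        = (-not $guest.Enabled)

# Who holds full AD rights / may log on to DCs: recursive membership of the privileged groups.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    $report["Members of $g"] = @(
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object SamAccountName
    )
}

# LM hash and NTLM settings on this machine; these are the registry values behind the two policies above.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$report['NoLMHash = 1']             = ($lsa.NoLMHash -eq 1)
$report['LmCompatibilityLevel = 5'] = ($lsa.LmCompatibilityLevel -eq 5)

# Effective "Deny ..." user rights on this machine, exported by secedit (reported as SIDs).
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$secpol = Get-Content -Path $cfg
foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
    $line = $secpol | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $report[$right] = if ($line) { ($line -split '=', 2)[1].Trim() } else { '(not set)' }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

[pscustomobject]$report | Format-List
```

The deny rights come back as SIDs (for example *S-1-5-113 for "Local account", and the domain SID with RID 512 and 519 for Domain Admins and Enterprise Admins); an empty value on a workstation or member server means the GPO above has not been applied there. The DSRM password cannot be audited this way; it is only changed, with ntdsutil, on each DC.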