Security with PowerShell 5
Defense Against the Dark Arts
Perform Vulnerability Tests
Some PowerShell modules available on GitHub add security and monitoring features. PowerSploit, a collection of PowerShell modules, can be used for penetration tests and as a vulnerability scanner. If you install the modules locally (for example, with Install-Module), the virus scanner can be triggered under certain circumstances, because many anti-malware products flag PowerSploit's components.
Why should you as an administrator use scripts like these? Running moderate exploits against your own systems, combined with logging and security settings, lets you find the right balance between functionality and security. The primary use is therefore simulated attacks on remote computers. The Invoke-ShellCode function injects executable instructions into the context of a running application; the host process is selected by its process ID. You can easily list processes and their process IDs with the PowerShell command:
> Get-Process | Select-Object -Property name, ID
PowerSploit expects a list of bytes in the form 0xXX,0xXX,0xXX,0xXX. To generate the correct format, the BackTrack tools collection [2] is helpful. The command
> msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2-
formats the parameter value for -ShellCode correctly in the example here. If the value is passed to -ShellCode without a process ID, Invoke-ShellCode runs the shellcode in the current PowerShell's own process space.
Network shares that are not inventoried, whose authorization structure is obsolete, or whose permissions refer to users who are no longer with the company are always a security problem. Documenting the existing network shares is therefore an essential first step toward cleaning up the current structure and launching a new strategy. PowerSploit's Invoke-ShareFinder function is very helpful if you have your sights set on this objective. Invoke-ShareFinder determines the local domain with Get-NetDomain, queries the domain for all active computers with Get-NetComputer, and then lists the active network shares of each server with Get-NetShare.
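The defender's side of the share inventory described above, as an added example that is not from the article or from PowerSploit: it enumerates non-administrative SMB shares on domain servers, records each share permission entry, and flags entries whose principal no longer exists in Active Directory or is disabled. It assumes the ActiveDirectory (RSAT) and SmbShare modules, CIM/WinRM access to the target hosts, and that restricting the scan to server operating systems suits your estate; the function names and output path are ours.

```powershell
# Added example (not article or PowerSploit code). Requires the ActiveDirectory
# and SmbShare modules and rights to open CIM sessions on the target hosts.
Import-Module ActiveDirectory

function Test-StalePrincipal {
    param([string]$AccountName)   # e.g. CONTOSO\jdoe, BUILTIN\Users, Everyone, S-1-5-21-...
    # An unresolved SID in a share ACL means the account was deleted: stale.
    if ($AccountName -like 'S-1-*') { return $true }
    $domain, $sam = $AccountName -split '\\', 2
    # Well-known and local principals are not looked up in AD.
    if (-not $sam -or $domain -in 'BUILTIN', 'NT AUTHORITY') { return $false }
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -Properties userAccountControl `
        -ErrorAction SilentlyContinue
    if (-not $obj) { return $true }                    # no such account any more
    return [bool]($obj.userAccountControl -band 2)     # ACCOUNTDISABLE flag set
}

function Get-ShareInventory {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$OutFile = "$env:TEMP\share-inventory.csv"   # assumed output path
    )
    # Assumption: only enabled server objects are in scope; widen the filter as needed.
    $computers = Get-ADComputer -SearchBase $SearchBase -Properties OperatingSystem `
        -Filter 'Enabled -eq $true -and OperatingSystem -like "*Server*"'
    $report = foreach ($c in $computers) {
        try { $cim = New-CimSession -ComputerName $c.DNSHostName -ErrorAction Stop }
        catch { Write-Warning "Cannot reach $($c.DNSHostName): $_"; continue }
        # Skip administrative shares (C$, ADMIN$, IPC$), which are marked Special.
        foreach ($s in Get-SmbShare -CimSession $cim | Where-Object { -not $_.Special }) {
            foreach ($ace in Get-SmbShareAccess -CimSession $cim -Name $s.Name) {
                [pscustomobject]@{
                    Computer    = $c.DNSHostName
                    Share       = $s.Name
                    Path        = $s.Path
                    Principal   = $ace.AccountName
                    AccessRight = $ace.AccessRight
                    Type        = $ace.AccessControlType
                    Stale       = Test-StalePrincipal -AccountName $ace.AccountName
                }
            }
        }
        Remove-CimSession $cim
    }
    $report | Export-Csv -Path $OutFile -NoTypeInformation   # full inventory for the records
    return $report
}

# Show only the entries that need cleanup: permissions granted to missing or disabled accounts.
Get-ShareInventory | Where-Object Stale | Format-Table Computer, Share, Principal, AccessRight
```

The CSV is the documentation baseline the text calls for; the filtered table is the cleanup worklist.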
Invoke-Mimikatz is another PowerSploit function that lets you extract plain text credentials from memory, password hashes from local SAM/NTDS.dit databases, advanced Kerberos features, and more. The Mimikatz codebase is available online [3]. The codebase used in PowerSploit is slightly modified and only works in memory; traces are not left behind on the hard disk.
Conclusions
PowerShell 5 opens up new attack vectors for breaking into corporate networks. The scripting language usually flies under the radar of anti-malware solutions, yet it is extremely powerful. Despite this, PowerShell also offers new security features for IT infrastructure management.
By employing all the techniques discussed here, an optimal PowerShell environment can be achieved. In particular, JEA impresses by fine-tuning the PowerShell access options, making it indispensable given the importance of Windows Remote Management for remote server maintenance and cloud service management.