PowerShell add-on security modules
Script Kiddies 4.0
Manipulating DLLs
The complete module is not always necessary; sometimes a single function is enough for one test. If you want to test DLL injection, for example, the corresponding function is available online [2] as source code. The attack implemented in this function loads a DLL into the address space of another, already running process and executes it there. A DLL is a collection of code or data that several applications (or other libraries and modules) can share, so any executable payload can be packaged in such a file. For a security test, first save the script and load it into the scope of the console by dot-sourcing it:
. .\Invoke-DllInjection.ps1
The function of the same name is then available in the session. Now you need a test payload in the form of a DLL file and a target process, including its process ID. In the following one-liner, 251 stands for the ID that Get-Process prints for the freshly started Notepad on your system; substitute the real value:
> Start-Process C:\Windows\System32\notepad.exe -WindowStyle Hidden; Get-Process -Name notepad; Invoke-DllInjection -ProcessID 251 -Dll C:\temp\test.dll
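As an added example (not code from the article or from PowerSploit), the same test wrapped in a function that also verifies the result and cleans up: it starts a hidden Notepad, takes the process ID from the returned Process object instead of copying it by hand, injects the DLL, then checks whether the library shows up in the target's module list before stopping the process again. The DLL path and the fact that Invoke-DllInjection has already been dot-sourced are assumptions; the test DLL must also be built for the same architecture (32- or 64-bit) as the target process.

```powershell
# Added example: end-to-end DLL injection test with verification and cleanup.
# Assumes Invoke-DllInjection.ps1 has already been dot-sourced into this session
# and that -DllPath points to a test DLL built for the target's architecture.
function Test-DllInjection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DllPath,
        [string] $Target = "$env:windir\System32\notepad.exe"
    )

    if (-not (Test-Path -LiteralPath $DllPath)) {
        throw "DLL not found: $DllPath"
    }
    if (-not (Get-Command Invoke-DllInjection -ErrorAction SilentlyContinue)) {
        throw "Invoke-DllInjection is not loaded; dot-source the script first."
    }

    # -PassThru returns the Process object, so the PID never has to be typed by hand.
    $proc = Start-Process -FilePath $Target -WindowStyle Hidden -PassThru
    try {
        Start-Sleep -Milliseconds 500   # give the target a moment to finish initialising
        Invoke-DllInjection -ProcessID $proc.Id -Dll $DllPath | Out-Null

        # Verification: the injected library must now appear among the process modules.
        $dllName = Split-Path -Path $DllPath -Leaf
        $loaded = Get-Process -Id $proc.Id |
            Select-Object -ExpandProperty Modules |
            Where-Object { $_.ModuleName -eq $dllName }

        [pscustomobject]@{
            ProcessId = $proc.Id
            Dll       = $DllPath
            Injected  = [bool] $loaded
        }
    }
    finally {
        # Always remove the test process, even if the injection threw an error.
        Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
    }
}

Test-DllInjection -DllPath 'C:\temp\test.dll'
```

Run this only on an isolated test system: the PowerSploit scripts are flagged by Windows Defender and most endpoint products, so on a production host the dot-sourcing itself will typically be blocked or will raise an alert before the test even starts.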
Forensic Analysis After Attacks
If a system, or the entire network of a company, has been compromised, the cause of the attack and the underlying vulnerability must be identified. For this task, PowerShell can be extended with the PowerForensics module [3], which helps security officers and administrators analyze digital media and computer systems.
The PowerForensics module is divided into the following sections:
- Hard drive tools: accessing the master boot record (MBR) and analyzing the partition table
- Filesystem (FAT, NTFS)
- Windows registry
- User traces in the operating system
The search for artifacts in the operating system is the central feature of the tool. For example, the Get-ForensicWindowsSearchHistory cmdlet finds and processes entries from the Windows search. It returns its own object type with User and SearchString properties, both of which can be filtered with wildcards and regular expressions. The Get-ForensicTypedUrl cmdlet gives you access to the browser history, namely the URLs typed into the Internet Explorer address bar that Windows stores in the registry.
In general, the PowerForensics module suffers somewhat from poor performance. With PowerShell modules, the value for the user also depends heavily on the documentation: without comment-based help for the exported functions, using them is unnecessarily difficult.
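As an added example (not part of the article and not code from the PowerForensics project), a small function that pulls both of the user-trace artifacts mentioned above into memory once and then filters them by user (wildcard) and by regular expression. Collecting each source a single time sidesteps the performance problem when you refine the filter several times. The function does not rely on the exact property names of the returned objects beyond User: it matches the regex against every string-valued property, so it works even where the name of the value field is not documented. Assumptions: the module is installed, the console runs elevated (the cmdlets read raw disk and registry structures), and the TypedUrl objects may or may not carry a User property.

```powershell
# Added example: collect user-trace artifacts with PowerForensics and filter them offline.
# Assumes the PowerForensics module is installed and the console is elevated,
# because the module reads NTFS structures and registry hives directly.
Import-Module PowerForensics

function Get-UserArtifactHits {
    [CmdletBinding()]
    param(
        # Wildcard pattern matched against the User property, e.g. 'CONTOSO\*'
        [string] $User = '*',
        # Regular expression applied to every string property of each artifact
        [Parameter(Mandatory)] [string] $Pattern,
        # Optional CSV export for the report
        [string] $ExportPath
    )

    # Read each artifact source exactly once and keep the objects in memory;
    # the parsers are slow, so repeated filtering should not hit the disk again.
    $sources = [ordered]@{
        WindowsSearch = Get-ForensicWindowsSearchHistory
        TypedUrl      = Get-ForensicTypedUrl
    }

    $hits = foreach ($name in $sources.Keys) {
        foreach ($item in $sources[$name]) {
            # Apply the user filter only where the object exposes a User property
            # (assumption: TypedUrl objects may lack one).
            $itemUser = $item.PSObject.Properties['User'].Value
            if ($itemUser -and $itemUser -notlike $User) { continue }

            # Match the regex against any string-valued property, so the exact
            # property names (SearchString, Url, ...) need not be known in advance.
            $matched = $item.PSObject.Properties |
                Where-Object { $_.Value -is [string] -and $_.Value -match $Pattern }
            foreach ($m in $matched) {
                [pscustomobject]@{
                    Source   = $name
                    User     = $itemUser
                    Property = $m.Name
                    Value    = $m.Value
                }
            }
        }
    }

    if ($ExportPath) { $hits | Export-Csv -Path $ExportPath -NoTypeInformation }
    $hits
}

# Example query: searches or typed URLs that mention a credential-dumping tool
# or point at a UNC share (\\host\...), written to a CSV in the temp directory.
Get-UserArtifactHits -Pattern '(?i)mimikatz|\\\\[a-z0-9.-]+\\' -ExportPath "$env:TEMP\artifact-hits.csv"
```

The single-quoted regex keeps its backslashes literal for PowerShell, so `\\\\` matches the two leading backslashes of a UNC path and `\\` the separator after the host name. Work on a forensic image or a write-blocked copy rather than the live system whenever the findings may be needed as evidence.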
Conclusions
PowerShell modules provide a flexible way to provision functionality temporarily. When the console is closed, all extensions that were not loaded by a profile disappear from memory. Because the scripts can also sit on a storage medium without any effect until they are loaded, such "penetration tests" are very realistic. Problems in the security architecture, including unconfigured remote administration, are then easy to detect.
Infos
- [1] PowerSploit: https://powersploit.readthedocs.io/en/latest/
- [2] DLL manipulation (Invoke-DllInjection): https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1
- [3] PowerForensics module: https://github.com/Invoke-IR/PowerForensics