Script Kiddies 4.0

Manipulating DLLs

The complete module is not always necessary; sometimes a single test is sufficient. For example, if you want to manipulate a DLL, the corresponding function is available online [2] as source code. The attack stored in this function is aimed at executing a DLL file in the process space of another process. A DLL is a collection of code or data that can be used by multiple applications (or other libraries and modules). Thus, any executable malware can be hidden in such a file. For a security test, first save the file and load it into the scope of the console by means of sourcing:

. .\invoke- DllInjection.ps1

The function with the same name is then available. Now you need malware in the form of a DLL file and a process, including the process ID:

> Start-Process c:\windows\system32\notepad.exe -WindowStyle Hidden; get-Process -Name notepad; Invoke-DllInjection -ProcessID 251 -Dll C:\temp\test.dll

Forensic Analysis After Attacks

If a system – or the entire network of a company – has been compromised, the cause of the attack and the underlying vulnerability must be identified. PowerShell is supported by the PowerForensics module [3], which helps security officers and administrators analyze digital media and computer systems.

The PowerForensics module is divided into the following sections:

• Hard drive tools: Accessing the master boot sector and analyzing the partition table
• Filesystem (FAT, NTFS)
• Windows registry
• Traces of users in the operating system

The search for artifacts in the operating system is the central feature in the tool. For example, you can use the Get-ForensicWindowsSearchHistory cmdlet to find and process entries in the Windows search. The return type is a separate object with User and Searchstring interfaces. Both can be filtered using wildcards and regular expressions. The Get-ForensicTypedUrl cmdlet lets you access the browser.

In general, the PowerForensics module suffers a little from poor performance. When it comes to PowerShell modules, the value for the user is also highly dependent on the documentation. With no comment-based help for the exported functions, using them is unnecessarily difficult.

Conclusions

PowerShell modules provide a flexible way to provision functionality temporarily. When the console is closed, all extensions not loaded by profiles disappear from memory. Because actions and scripts can also remain on storage media without consequences, the "penetration tests" are very realistic. Problems in the security architecture, including non-configured remote maintenance, are then easily detected.