Security with PowerShell 5

Defense Against the Dark Arts

Perform Vulnerability Tests

Some PowerShell modules are available on GitHub for additional security and monitoring features. PowerSploit, a collection of PowerShell modules, is available for penetration tests and as a vulnerability scanner. In the case of a local installation using install modules, the virus scanner can be triggered under certain circumstances.

Why should you as an administrator use scripts like these? The combination of moderate exploits, logging, and security settings lets you find the optimal balance between functionality and security. The primary areas of application are therefore simulated attacks on remote computers. The Invoke_ShellCode function will inject executable instructions in the context of running applications. The host process can be selected by the process ID. You can easily implement the assignment of processes and process IDs with the PowerShell command:

> Get-Process | Select-Object -Property name, ID

PowerSploit expects a list of bytes in the form 0xXX,0xXX,0xXX,0xXX. To generate the correct format, the Backtrack tools collection [2] is helpful. The command

> msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2-

would format the parameter value for -ShellCode correctly in the example here. When passed to -ShellCode without specifying a process ID, Invoke-ShellCode starts the machine in the current PowerShell's process space.

Network shares that are not inventoried, whose authorization structure is obsolete, and that refer to users who are no longer with the company are always a security problem.

Therefore, Documenting existing network shares is an essential first step toward cleaning up the current structure and for launching a new strategy. PowerSploit's Invoke-ShareFinder function is very helpful if you have your sights set on this objective. Invoke-ShareFinder searches the local domain for a host with Get-NetDomain and queries the domain for all active computers with Get-NetComputer. Each server lists active network shares with Get-NetShare.

Invoke-Mimikatz is another PowerSploit function that lets you extract plain text credentials from memory, password hashes from local SAM/NTDS.dit databases, advanced Kerberos features, and more. The Mimikatz codebase is available online [3]. The codebase used in PowerSploit is slightly modified and only works in memory. Traces are not left behind on the hard disk.

Conclusions

PowerShell 5 opens up new attack vectors for breaking into corporate networks. The scripting language usually flies under the radar of anti-malware solutions, yet it is extremely powerful. Despite this, PowerShell also offers new security features for IT infrastructure management.

By employing all the techniques discussed here, an optimal PowerShell environment can be achieved. In particular, JEA impresses by fine tuning the PowerShell access options, making it indispensable given the importance of Windows Remote Management and remote server maintenance or cloud service management.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus