PowerShell Security Best Practices
DESCRIPTION
PowerShell Security Best Practices. Lee Holmes | @Lee_Holmes | Principal SDE | Windows PowerShell | Microsoft. Security geek; developer on the Windows PowerShell team since V1; author of the Windows PowerShell Cookbook, PowerShellCookbook.com, and Windows PowerShell Pocket Reference.
TRANSCRIPT
Slide 1: POWERSHELL SECURITY BEST PRACTICES
Lee Holmes | @Lee_Holmes | Principal SDE | Windows PowerShell | Microsoft
Slide 2: ABOUT ME
- Security geek
- Developer on the Windows PowerShell team since V1
- Author of the Windows PowerShell Cookbook, PowerShellCookbook.com, and Windows PowerShell Pocket Reference
- @Lee_Holmes and leeholmes.com/blog
Slide 3: POWERSHELL THE SHELL: OPERATIONAL SECURITY
- What about Execution Policy?
- PowerShell Remoting
- Scripts and Executables
- Dealing with Forensics
Slide 4: POWERSHELL THE SHELL: OPERATIONAL SECURITY – EXECUTION POLICY
Slide 5: POWERSHELL THE SHELL: OPERATIONAL SECURITY – EXECUTION POLICY
- Not a user restriction
- Not a magical form of antimalware
Slide 6: POWERSHELL THE SHELL: OPERATIONAL SECURITY – POWERSHELL REMOTING
(Diagram: You → Remoting Host → Files)
- Understanding the Double-Hop problem
- Authentication: Kerberos vs. CredSSP – Pass the Hash?
- Accessing Remote Resources
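The double-hop problem from slide 6, shown as an added example that is not part of the deck: the first call fails because the remoting host only holds a network logon for you and has nothing to present to the file server, and the two alternatives that follow avoid CredSSP (which hands the remote host your reusable plaintext credential). The host names APP01, FILE01 and the share path are assumptions; the resource-based constrained delegation step needs the Active Directory module and a 2012-level domain controller.

```powershell
# Added example (not from the deck). Host names, share path and the
# credential variable are assumptions for illustration.
$Server = 'APP01'                      # assumed first hop (remoting host)
$Share  = '\\FILE01\Deployments'       # assumed second hop (a file share)

# 1. The failing case. The session on APP01 runs under a network logon
#    token that carries no credential to forward, so the inner access
#    fails with "Access is denied" even though the same path works from
#    your own workstation.
try {
    Invoke-Command -ComputerName $Server -ScriptBlock {
        Get-ChildItem -Path $using:Share -ErrorAction Stop
    }
} catch {
    Write-Warning "Double hop failed as expected: $($_.Exception.Message)"
}

# 2. Pass an explicit credential into the session and authenticate the
#    second hop with it. The password travels only inside the encrypted
#    remoting session and is not cached on APP01 the way CredSSP would.
$cred = Get-Credential -Message 'Account allowed to read the share'
Invoke-Command -ComputerName $Server -ScriptBlock {
    New-PSDrive -Name Deploy -PSProvider FileSystem -Root $using:Share `
                -Credential $using:cred | Out-Null
    Get-ChildItem -Path 'Deploy:\'
    Remove-PSDrive -Name Deploy
}

# 3. For a standing configuration, Kerberos resource-based constrained
#    delegation: FILE01 declares that APP01 may delegate to it, and no
#    plaintext password ever reaches APP01. Scope it to the one target
#    rather than enabling unconstrained delegation on the host.
$appHost = Get-ADComputer -Identity 'APP01'
Set-ADComputer -Identity 'FILE01' -PrincipalsAllowedToDelegateToAccount $appHost
```

Option 2 is the quick fix for a one-off job; option 3 is the one to keep, because it leaves nothing reusable on the middle host, which is the property the "Pass the Hash?" bullet is asking about.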
Slide 7: POWERSHELL THE SHELL: OPERATIONAL SECURITY – SCRIPTS AND EXECUTABLES
- Moving to post-exploitation defense
- “I want to secure my system against C++ attacks”
- Making sense of holistic system lockdown
Slide 8: POWERSHELL THE SHELL: OPERATIONAL SECURITY – DEALING WITH FORENSICS
- @HackingDave, @ObscureSec / @Mattifestation: “Living off the Land”
- @JosephBialek: “Reflective DLL Injection”
Slide 9: POWERSHELL THE SHELL: OPERATIONAL SECURITY – DEALING WITH FORENSICS
- Preventing unrestricted admin access
- System-wide transcripts
- Automatic module logging
- Detecting attacks on mitigations
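The two logging controls named on slide 9, as an added example that is not part of the deck. It writes the Group Policy registry values that back "Turn on PowerShell Transcription" (available from WMF 5.0 on) and "Turn on Module Logging" (PowerShell 3.0 and later), then queries the resulting module-logging events for anyone touching that configuration, which is the "attacks on mitigations" case. The transcript share name and the 24-hour window are assumptions; run it elevated.

```powershell
# Added example (not from the deck). Share path and time window are
# assumptions. Requires an elevated session.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# System-wide transcripts: every session's input and output goes to a
# per-session text file. Point OutputDirectory at a share users can only
# append to, so an intruder in the session cannot tidy up afterwards.
$t = Join-Path $psPolicy 'Transcription'
New-Item -Path $t -Force | Out-Null
Set-ItemProperty -Path $t -Name EnableTranscripting    -Value 1 -Type DWord
Set-ItemProperty -Path $t -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path $t -Name OutputDirectory -Value '\\LOGSRV\PSTranscripts$' -Type String

# Automatic module logging: pipeline execution details for every module
# ('*' under ModuleNames means all of them) are written to the
# Microsoft-Windows-PowerShell/Operational log as event ID 4103.
$m = Join-Path $psPolicy 'ModuleLogging'
New-Item -Path (Join-Path $m 'ModuleNames') -Force | Out-Null
Set-ItemProperty -Path $m -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path (Join-Path $m 'ModuleNames') -Name '*' -Value '*' -Type String

# Detection side: pull recent 4103 events and keep the ones whose logged
# command line touched the PowerShell policy keys themselves. Someone
# turning logging off is exactly what the log should shout about.
function Get-LoggingTamperEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4103
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Policies\\Microsoft\\Windows\\PowerShell' } |
    Select-Object TimeCreated, MachineName, Message
}

Get-LoggingTamperEvents -Hours 24
```

Forward the 4103 events off the box as well: a local log and a local transcript directory are both inside the reach of the admin account the first bullet on the slide is trying to constrain.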
Slide 10: POWERSHELL THE LANGUAGE: SCRIPTING SECURITY
- Script Encryption / Obfuscation
- Avoiding Code Injection
- Avoiding Hard-Coded Secrets
Slide 11: POWERSHELL THE LANGUAGE: SCRIPTING SECURITY – SCRIPT ENCRYPTION / OBFUSCATION
Slide 12: POWERSHELL THE LANGUAGE: SCRIPTING SECURITY – SCRIPT ENCRYPTION / OBFUSCATION
Answer: Don’t.
Slide 13: POWERSHELL THE LANGUAGE: SCRIPTING SECURITY – PREVENTING CODE INJECTION
When dealing with dynamic commands or parameters, it’s common to fall back to old programming practices: system(), eval(), exec().
Maybe Invoke-Expression?
Slide 14: POWERSHELL THE LANGUAGE: SCRIPTING SECURITY – AVOIDING CODE INJECTION
Slide 15: POWERSHELL THE LANGUAGE: SCRIPTING SECURITY – AVOIDING CODE INJECTION
- Parameters support variables
- Commands support splatting
- Invocation supports indirection
Slide 16: POWERSHELL THE LANGUAGE: SCRIPTING SECURITY – AVOIDING CODE INJECTION
But I REALLY need to!
Slide 17: POWERSHELL THE LANGUAGE: SCRIPTING SECURITY – AVOIDING CODE INJECTION
But I REALLY need to!
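Slides 13 through 17 together, as an added example that is not part of the deck: the Invoke-Expression pattern beside the three alternatives slide 15 names (a variable as a parameter value, splatting, and invocation by indirection), and, for the "But I REALLY need to!" case, the ScriptBlock.CheckRestrictedLanguage() method, which rejects a string that uses anything outside an allow-list before it is run. The function names Invoke-UserRequest and Invoke-RestrictedExpression, the allow-list contents and the demo input string are assumptions.

```powershell
# Added example (not from the deck). Function names, allow-lists and the
# demo input are assumptions for illustration.

# Untrusted input, constructed for the demo. The harmless payload just
# prints a warning; the point is that it runs at all.
$userPath = 'C:\Windows; Write-Warning "INJECTED: this ran as a command"'

# Vulnerable: the input becomes source text, so the semicolon ends the
# Get-ChildItem statement and starts a second one.
Invoke-Expression "Get-ChildItem -Path $userPath"

# Safe 1: a variable used as a parameter value is data, never code.
# Get-ChildItem receives the whole string as a single (invalid) path.
Get-ChildItem -Path $userPath -ErrorAction SilentlyContinue

# Safe 2: splatting lets the set of parameters be dynamic while every
# value still stays data.
$params = @{ Path = $userPath; Filter = '*.log'; ErrorAction = 'SilentlyContinue' }
Get-ChildItem @params

# Safe 3: indirection lets the command itself be dynamic. Pair it with an
# allow-list so the caller can only pick from commands you intended.
function Invoke-UserRequest {
    param(
        [Parameter(Mandatory)][string]$CommandName,
        [hashtable]$Arguments = @{}
    )
    $allowed = 'Get-ChildItem', 'Get-Item', 'Get-Content'
    if ($allowed -notcontains $CommandName) {
        throw "Command '$CommandName' is not permitted"
    }
    & $CommandName @Arguments
}
Invoke-UserRequest -CommandName Get-ChildItem -Arguments @{ Path = 'C:\Windows' }

# "But I REALLY need to": if a string must be evaluated, have the parser
# refuse anything outside a tiny vocabulary before invoking it.
function Invoke-RestrictedExpression {
    param([Parameter(Mandatory)][string]$Expression)
    $sb = [ScriptBlock]::Create($Expression)
    # Throws if the script uses a command or variable outside these lists,
    # or any language feature beyond simple expressions.
    $sb.CheckRestrictedLanguage(
        [string[]]('Get-ChildItem', 'Get-Item'),   # allowed commands
        [string[]]('PSCulture'),                   # allowed variables
        $false)                                    # no environment variables
    & $sb
}
Invoke-RestrictedExpression -Expression 'Get-Item C:\Windows'
try {
    # Rejected: Write-Warning is not in the allowed command list.
    Invoke-RestrictedExpression -Expression "Get-ChildItem -Path $userPath"
} catch {
    Write-Warning "Rejected before execution: $($_.Exception.Message)"
}
```

Safe 1 through 3 cover almost every real case: the value, the parameter set and the command can each vary without ever concatenating user text into code. The restricted-language check is the fallback for the rare case where the input genuinely is an expression, and even then the allow-list, not the caller, decides what can appear in it.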
Slide 18: POWERSHELL THE LANGUAGE: SCRIPTING SECURITY – AVOIDING HARD-CODED SECRETS
Data protection through Windows’ Data Protection API (DPAPI)
Slide 19: POWERSHELL THE LANGUAGE: SCRIPTING SECURITY – AVOIDING HARD-CODED SECRETS
- Export-CliXml / Import-CliXml
- ConvertFrom-SecureString / ConvertTo-SecureString
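The DPAPI approach from slides 18 and 19, as an added example that is not part of the deck: a credential is captured once interactively and stored with Export-CliXml, then loaded unattended with Import-CliXml, and the same round trip is shown for a bare SecureString with ConvertFrom-SecureString / ConvertTo-SecureString. File paths, the BACKUP01 host and the Test-DpapiFile helper are assumptions.

```powershell
# Added example (not from the deck). Paths, host name and the helper
# function are assumptions for illustration.
$credFile = Join-Path $env:LOCALAPPDATA 'Scripts\svc-backup.cred.xml'
New-Item -ItemType Directory -Path (Split-Path $credFile) -Force | Out-Null

# One-time setup, run interactively as the account that will later run the
# script. Export-CliXml serialises the PSCredential and protects the
# password with DPAPI bound to this user on this machine.
if (-not (Test-Path $credFile)) {
    Get-Credential -Message 'Service account for backups' | Export-CliXml -Path $credFile
}

# Unattended use: Import-CliXml decrypts only for the same user on the same
# machine. A copy of the file taken elsewhere yields nothing usable, which
# is the property that makes this "not hard-coded".
$cred = Import-CliXml -Path $credFile
Invoke-Command -ComputerName 'BACKUP01' -Credential $cred -ScriptBlock { hostname }

# The lower-level pair does the same for a bare SecureString.
$tokenFile = Join-Path $env:LOCALAPPDATA 'Scripts\token.dpapi'
$secure = Read-Host -Prompt 'Enter API token' -AsSecureString
$secure | ConvertFrom-SecureString | Set-Content -Path $tokenFile
$restored = Get-Content -Path $tokenFile | ConvertTo-SecureString

# Caveat: ConvertFrom-SecureString -Key / -SecureKey replaces DPAPI with
# AES under a key you supply. That file opens for anyone holding the key,
# so putting the key in the script recreates the hard-coded secret.
# This check confirms a stored blob is DPAPI-bound (the hex text begins
# with the DPAPI version and provider GUID) and still round-trips here.
function Test-DpapiFile {
    param([Parameter(Mandatory)][string]$Path)
    $blob = Get-Content -Path $Path -Raw
    $isDpapi = $blob.TrimEnd() -like '01000000d08c9ddf0115d1118c7a00c04fc297eb*'
    $s   = $blob | ConvertTo-SecureString
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($s)
    try     { $isDpapi -and ([Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr).Length -gt 0) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }
}
Test-DpapiFile -Path $tokenFile
```

Because the protection is per user and per machine, the setup step has to be run by the service account on the host where the script will run; that is the one inconvenience of this approach, and it is also what keeps the secret from being lifted along with the file.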
Slide 20: RESOURCES
- Reflective DLL Loading with PowerShell: http://www.youtube.com/watch?v=OAd68_SYQc8
- Living off the Land: http://www.youtube.com/watch?v=j-r6UonEkUw
- Get-Help about_Group_Policy_Settings: http://technet.microsoft.com/en-us/library/jj149004.aspx
- Constrained PowerShell Endpoints: http://www.youtube.com/watch?v=kmjJLKlL1Wg
- PowerShell Language Specification: http://www.microsoft.com/en-us/download/details.aspx?id=36389
- Composing Command Arguments: http://www.powershellcookbook.com/recipe/XoMw/run-programs-scripts-and-existing-tools