Presentation is loading. Please wait.

Presentation is loading. Please wait.

POWERSHELL SECURITY BEST PRACTICES Lee Holmes Principal SDE |Windows PowerShell | Microsoft.

Similar presentations


Presentation on theme: "POWERSHELL SECURITY BEST PRACTICES Lee Holmes Principal SDE |Windows PowerShell | Microsoft."— Presentation transcript:

1 POWERSHELL SECURITY BEST PRACTICES Lee Holmes | @Lee_Holmes Principal SDE |Windows PowerShell | Microsoft

2 ABOUT ME  Security geek  Developer on the Windows PowerShell team since V1  Author of the Windows PowerShell Cookbook, PowerShellCookbook.com, and Windows PowerShell Pocket Reference  @Lee_Holmes & leeholmes.com/blog

3 POWERSHELL THE SHELL OPERATIONAL SECURITY  What about Execution Policy?  PowerShell Remoting  Scripts  Executables  Dealing with Forensics

4 POWERSHELL THE SHELL OPERATIONAL SECURITY – EXECUTION POLICY

5 Not a user restriction Not a magical form of Antimalware

6 POWERSHELL THE SHELL OPERATIONAL SECURITY – POWERSHELL REMOTING You Remoting Host Files Understanding the Double-Hop problem Authentication: Kerberos vs. CredSSP – Pass the Hash? Accessing Remote Resources

7 POWERSHELL THE SHELL OPERATIONAL SECURITY – SCRIPTS  EXECUTABLES Moving to Post-Exploitation defense “I want to secure my system against C++ attacks” Making sense of holistic system lockdown

8 POWERSHELL THE SHELL OPERATIONAL SECURITY – DEALING WITH FORENSICS @HackingDave @ObscureSec / @Mattifestation “Living off the Land” @JosephBialek “Reflective DLL Injection”

9 POWERSHELL THE SHELL OPERATIONAL SECURITY – DEALING WITH FORENSICS Preventing unrestricted admin access System-wide Transcripts Automatic Module logging Detecting attacks on mitigations

10 POWERSHELL THE LANGUAGE SCRIPTING SECURITY  Script Encryption / Obfuscation  Avoiding Code Injection  Avoiding Hard-Coded Secrets

11 POWERSHELL THE LANGUAGE SCRIPTING SECURITY - SCRIPT ENCRYPTION / OBFUSCATION

12 Answer: Don’t.

13 POWERSHELL THE LANGUAGE SCRIPTING SECURITY - PREVENTING CODE INJECTION When dealing with dynamic commands or parameters, it’s common to fall back to old programming practices: system(), eval(), exec() Maybe Invoke-Expression?

14 POWERSHELL THE LANGUAGE SCRIPTING SECURITY – AVOIDING CODE INJECTION

15 Parameters support variables Commands support splatting Invocation supports indirection

16 POWERSHELL THE LANGUAGE SCRIPTING SECURITY – AVOIDING CODE INJECTION But I REALLY need to!

17 POWERSHELL THE LANGUAGE SCRIPTING SECURITY – AVOIDING CODE INJECTION But I REALLY need to!

18 POWERSHELL THE LANGUAGE SCRIPTING SECURITY - AVOIDING HARD-CODED SECRETS Data protection through Windows’ Data Protection API (DPAPI)

19 POWERSHELL THE LANGUAGE SCRIPTING SECURITY - AVOIDING HARD-CODED SECRETS Export / Import CliXml ConvertFrom / ConvertTo SecureString

20 RESOURCES  Reflective DLL Loading with PowerShell: http://www.youtube.com/watch?v=OAd68_SYQc8 http://www.youtube.com/watch?v=OAd68_SYQc8  Living off the Land: http://www.youtube.com/watch?v=j-r6UonEkUw http://www.youtube.com/watch?v=j-r6UonEkUw  Get-Help about_Group_Policy_Settings http://technet.microsoft.com/en-us/library/jj149004.aspx http://technet.microsoft.com/en-us/library/jj149004.aspx  Constrained PowerShell Endpoints http://www.youtube.com/watch?v=kmjJLKlL1Wg http://www.youtube.com/watch?v=kmjJLKlL1Wg  PowerShell Language Specification: http://www.microsoft.com/en-us/download/details.aspx?id=36389 http://www.microsoft.com/en-us/download/details.aspx?id=36389  Composing Command Arguments: http://www.powershellcookbook.com/recipe/XoMw/run-programs-scripts-and-existing- tools http://www.powershellcookbook.com/recipe/XoMw/run-programs-scripts-and-existing- tools


Download ppt "POWERSHELL SECURITY BEST PRACTICES Lee Holmes Principal SDE |Windows PowerShell | Microsoft."

Similar presentations


Ads by Google