SlideShare ist ein Scribd-Unternehmen logo

An Introduction to PowerShell for Security Assessments

E
EnclaveSecurity

This document introduces PowerShell as a tool for security assessments. It notes that bringing outside tools to a system can cause issues, but using native operating system tools avoids these problems. PowerShell is presented as a potential solution as it is available natively on Windows systems and allows accessing operating system objects without downloading software. The document then provides an overview of PowerShell and its capabilities before presenting a case study of how to use PowerShell to assess a Microsoft Active Directory Certificate Services server.

Technologie
1 von 32
An Introduction to PowerShell for Security Assessments James Tarala, Enclave Security
Problem Statement • During a security assessment, bringing tools to a system can be problematic • Potential issues include: – Network transfers – Anti-malware software – Whitelisting software – Business owner nerves An Introduction to PowerShell for Security Assessments © Enclave Security 2013
“Living off the Land” • Ideally a penetration tester or auditor would be able to “live off the land” • In other words: Only use native operating system tools to perform a security assessment • Removes the need to download or transfer software • Lowers the likelihood of being blocked by AV or whitelisting software An Introduction to PowerShell for Security Assessments © Enclave Security 2013
Potential Solution: PowerShell • Potential solution = Microsoft Windows PowerShell • Available for Microsoft Windows XP / Server 2003 and later Microsoft Windows operating systems • Security assessors will still need the rights & permissions to do their assessment • However some common pitfalls can be avoided using PowerShell An Introduction to PowerShell for Security Assessments © Enclave Security 2013
What is PowerShell? • A scripting language targeted at system administrators • A command line mechanism for performing tasks normally reserved for GUIs • An object oriented approach to command line administration (rather than text based) • A gateway into all Microsoft Windows operating system objects (file system, registry, AD, WMI, etc) • A command line gateway into .NET programming An Introduction to PowerShell for Security Assessments © Enclave Security 2013
PowerShell vs Unix Shells PowerShell • Object oriented • Consistent cmdlets naming conventions • Available for most Windows services • Requires code signing • Native command remoting • Consistent across all Windows systems Unix Shells • Text oriented • Inconsistent binary naming conventions • Unique service binaries required per Unix service • Does not require code signing • SSH required for remote code • Multiple shells, inconsistent syntax between systems An Introduction to PowerShell for Security Assessments © Enclave Security 2013
PowerShell Objects vs Text Strings • Text is text – does not utilize properties or methods • PowerShell objects all have properties & methods • Consider a Refrigerator as a sample object • Sample Attributes: – Refrigerator.Color – Refrigerator.Temperature • Sample Methods: – Refrigerator.On() – Refrigerator.MakeIce() An Introduction to PowerShell for Security Assessments © Enclave Security 2013
Cmdlets, Aliases, & Applications • PowerShell primarily utilizes cmdlets, aliases, & binary applications to function • Cmdlets: – Native command line tools with built in functions – Example: get-childitem, get-help • Aliases: – Shortcuts or pointers to cmdlets, applications, or scripts – Example: dir, ls • Applications: – Binaries files with defined functionality – Example: netsh An Introduction to PowerShell for Security Assessments © Enclave Security 2013
Sample PowerShell Cmdlets • Get-Command • Get-Help • Get-Member • Get-Content • Where-Object • Select-Object • Format-List • Fomat-Table • Get-ACL • Get-Process • Get-ChildItem • ConvertTo-CSV • ConvertTo-HTML • Import-certificate • Export-certificate • Stop-service • Start-service • Add-pssnapin An Introduction to PowerShell for Security Assessments © Enclave Security 2013
Sample PowerShell Modules • Active Directory • AD Certificate Services • Group Policy • Microsoft Exchange • Office 365 • Remote Desktop Services • SharePoint • SQL Server • System Center Configuration Manager • VMWare vSphere • Windows Azure • AD Replication • DnsShell • File System Security • FTP Client • Local User Management Module • PowerShell EventLogWatcher • Remote Registry • SCSM PowerShell Cmdlets • SQL Server PowerShell Extensions • Terminal Services • Windows Automation Snap-In • Windows Update An Introduction to PowerShell for Security Assessments © Enclave Security 2013
Functions & Scripts • If PowerShell does not include the functionality that you need, you can also extend it • Functions & Scripts: – Repeatable code within a PowerShell environment – Both follow the same philosophical idea of extending native functionality – Scripts utilize *.PS1 files to repeat functionality – Reminder: Set-ExecutionPolicy RemoteSigned An Introduction to PowerShell for Security Assessments © Enclave Security 2013
Accessing .NET Objects • PowerShell can also even utilize .NET libraries • Anything .NET can do, PowerShell can also • There is a fuzzy line between PowerShell & VB.NET • Both of the following commands are the same: – [datetime]::now – Get-Date An Introduction to PowerShell for Security Assessments © Enclave Security 2013
Case Study: Microsoft ADCS • Imagine you are responsible for assessing a Microsoft Active Directory Certificate Services (ADCS) server • What would you do to assess the system? • What steps could you follow to automate the process? • The following is a step by step approach you might consider taking to assess the system An Introduction to PowerShell for Security Assessments © Enclave Security 2013
Step #1: Governance & Architecture • To start any security assessment it is worth considering operational & governance controls • Sample questions to consider: – Have required functionality requirements been defined? – Do policies, procedures, & standards exist for the system? – Has an architecture been defined for the PKI hierarchy that matches the business needs? – Do proper operational controls exist to protect private keys (such as utilizing an HSM)? – Is redundancy built into the PKI architecture? An Introduction to PowerShell for Security Assessments © Enclave Security 2013
Step #2: Native Windows Cmdlets • The security of a service is dependent on the security of the underlying operating system • If the OS is not secure, services can never be secured • Therefore start an assessment with native Windows cmdlets & interrogate the host OS • For example: – Running services & software – Installed system patches – Local user accounts & groups – File system & registry permissions An Introduction to PowerShell for Security Assessments © Enclave Security 2013
Native Windows Cmdlet (Sample) An Introduction to PowerShell for Security Assessments © Enclave Security 2013 Get-WMIObject Win32_userAccount | Select-Object Name,SID List all user accounts on the PKI Server:
Native Windows Cmdlet (Sample) An Introduction to PowerShell for Security Assessments © Enclave Security 2013 Get-acl c:windowssystem32certlog | fl Retrieve NTFS permissions from directory:
Step #3: Registry Settings • Many service configuration settings are located in the Windows Registry • If you look in the registry you can quickly learn the configuration of the service without a GUI • PowerShell has the ability to query both entire registry hives and individual registry keys An Introduction to PowerShell for Security Assessments © Enclave Security 2013
ADCS Registry Settings An Introduction to PowerShell for Security Assessments © Enclave Security 2013 HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCertSvc HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftSystemCertificatesRootProtectedRoots
Querying the Registry (Sample) An Introduction to PowerShell for Security Assessments © Enclave Security 2013 Get-ChildItem "hklm:SYSTEMCurrentControlSetServicesCertSvcConfiguration"
Querying the Registry (Sample) An Introduction to PowerShell for Security Assessments © Enclave Security 2013 Get-ItemProperty "hklm:SYSTEMCurrentControlSetServicesCertSvcConfigurationGet-ChildItem" Get-ItemProperty "hklm:SYSTEMCurrentControlSetServicesCertSvcConfigurationGet-ChildItem“ | Select-Object DBLogDirectory
Step #4: Service Specific Cmdlets • Microsoft has committed that each of their product teams will make their services 100% configurable via PowerShell cmdlets • The beta test for this program was Exchange 2007 • Most all services now have service specific cmdlets • These extend the standard functionality of PowerShell on that system • Sample cmdlets: – Import-Module ActiveDirectory – Get-Module -ListAvailable An Introduction to PowerShell for Security Assessments © Enclave Security 2013
Service Specific Cmdlets (Sample) An Introduction to PowerShell for Security Assessments © Enclave Security 2013 Query information about CRL Distribution Points (CDPs) Get-CACrlDistributionPoint
An Introduction to PowerShell for Security Assessments © Enclave Security 2013 Query information about available Certificate Templates Get-CATemplate
Step #5: Querying Config Files • During an assessment you may also need to query configuration files for specific services • Often times XML or CONFIG files are used to store configuration date instead of the registry • Third party application developers especially like to store configurations this way • To view the content of any file use: – Get-content An Introduction to PowerShell for Security Assessments © Enclave Security 2013
Querying Config Files (Sample) An Introduction to PowerShell for Security Assessments © Enclave Security 2013 Microsoft IIS Web Server Configuration Files for the Certsrv Website
Querying Config Files (Sample) An Introduction to PowerShell for Security Assessments © Enclave Security 2013 Microsoft IIS Web Server Configuration Files for the Certsrv Website get-content C:WindowsSystem32inetsrvconfigapplicationhost.config
Step #6: Native Windows Binaries • Microsoft also makes available application binaries for managing specific services • Prior to PowerShell, binaries were the only method for querying information about a system from the command line • If a service specific cmdlets does not meet your needs, possibly a binary will • For example: – DNSCMD.EXE – CERTUTIL.EXE An Introduction to PowerShell for Security Assessments © Enclave Security 2013
Native Windows Binaries (Sample) An Introduction to PowerShell for Security Assessments © Enclave Security 2013 Dump verbose properties from Certificate Templates Certutil –v -template
Step #7: Reporting • Once you have gathered all your data, the next step is to report your findings • Microsoft aprovides a number of cmdlets that can be useful for reporting • Reporting cmdlets include: – ConvertTo-CSV – ConvertTo-HTML – ConvertTo-XML – Export-CSV An Introduction to PowerShell for Security Assessments © Enclave Security 2013
Next Steps • If you find yourself regularly assessing Microsoft Windows based systems – learn PowerShell 1. Learn the foundations of PowerShell scripting 2. Learn the basic built-in cmdlets Windows provides 3. Learn about additional modules that can be added to a standard Windows environment 4. Write scripts to automate common assessment tasks 5. Experiment with output & reporting in PowerShell 6. Share your scripts with the community An Introduction to PowerShell for Security Assessments © Enclave Security 2013
Further Questions • James Tarala – E-mail: james.tarala@enclavesecurity.com – Twitter: @isaudit – Website: http://www.auditscripts.com • Resources for further study: – SANS SEC 505: Securing Windows & Resisting Malware – Windows PowerShell in Action by Bruce Payette – PowerShell and WMI by Richard Siddaway An Introduction to PowerShell for Security Assessments © Enclave Security 2013

Empfohlen

Enterprise PowerShell for Remote Security Assessments
Enterprise PowerShell for Remote Security AssessmentsEnterprise PowerShell for Remote Security Assessments
Enterprise PowerShell for Remote Security AssessmentsEnclaveSecurity
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellEnclaveSecurity
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsEnclaveSecurity
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShellkieranjacobsen
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsScott Sutherland
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShellkieranjacobsen
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 

Empfohlen

Enterprise PowerShell for Remote Security Assessments
Enterprise PowerShell for Remote Security AssessmentsEnterprise PowerShell for Remote Security Assessments
Enterprise PowerShell for Remote Security AssessmentsEnclaveSecurity
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellEnclaveSecurity
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsEnclaveSecurity
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShellkieranjacobsen
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsScott Sutherland
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShellkieranjacobsen
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryNikhil Mittal
 
Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossNikhil Mittal
 
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...VMworld
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaEC-Council
 
CNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorCNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorSam Bowne
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsNikhil Mittal
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Server Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOVServer Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOVEric Vanderburg
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Scott Sutherland
 
System Hardening Recommendations_FINAL
System Hardening Recommendations_FINALSystem Hardening Recommendations_FINAL
System Hardening Recommendations_FINALMartin Evans
 
05 security automationwithansible
05 security automationwithansible05 security automationwithansible
05 security automationwithansibleKhairul Zebua
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
KACE Agent Architecture and Troubleshooting Overview
KACE Agent Architecture and Troubleshooting OverviewKACE Agent Architecture and Troubleshooting Overview
KACE Agent Architecture and Troubleshooting OverviewDell World
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat Security Conference
 
Ch 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsCh 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsSam Bowne
 
Securing Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsSecuring Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsAmazon Web Services
 
Wellington MuleSoft Meetup 2021-02-18
Wellington MuleSoft Meetup 2021-02-18Wellington MuleSoft Meetup 2021-02-18
Wellington MuleSoft Meetup 2021-02-18Mary Joy Sabal
 

Weitere ähnliche Inhalte

Was ist angesagt?

Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryNikhil Mittal
 
Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossNikhil Mittal
 
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...VMworld
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaEC-Council
 
CNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorCNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorSam Bowne
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsNikhil Mittal
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Server Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOVServer Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOVEric Vanderburg
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Scott Sutherland
 
System Hardening Recommendations_FINAL
System Hardening Recommendations_FINALSystem Hardening Recommendations_FINAL
System Hardening Recommendations_FINALMartin Evans
 
05 security automationwithansible
05 security automationwithansible05 security automationwithansible
05 security automationwithansibleKhairul Zebua
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
KACE Agent Architecture and Troubleshooting Overview
KACE Agent Architecture and Troubleshooting OverviewKACE Agent Architecture and Troubleshooting Overview
KACE Agent Architecture and Troubleshooting OverviewDell World
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat Security Conference
 
Ch 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsCh 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsSam Bowne
 

Was ist angesagt? (20)

Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active Directory
 
Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a Boss
 
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George Dobrea
 
CNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorCNIT 126 11. Malware Behavior
CNIT 126 11. Malware Behavior
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friends
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
Server Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOVServer Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOV
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
 
System Hardening Recommendations_FINAL
System Hardening Recommendations_FINALSystem Hardening Recommendations_FINAL
System Hardening Recommendations_FINAL
 
05 security automationwithansible
05 security automationwithansible05 security automationwithansible
05 security automationwithansible
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the Kingdom
 
KACE Agent Architecture and Troubleshooting Overview
KACE Agent Architecture and Troubleshooting OverviewKACE Agent Architecture and Troubleshooting Overview
KACE Agent Architecture and Troubleshooting Overview
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
 
Ch 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsCh 10: Attacking Back-End Components
Ch 10: Attacking Back-End Components
 

Ähnlich wie An Introduction to PowerShell for Security Assessments

Securing Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsSecuring Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsAmazon Web Services
 
Wellington MuleSoft Meetup 2021-02-18
Wellington MuleSoft Meetup 2021-02-18Wellington MuleSoft Meetup 2021-02-18
Wellington MuleSoft Meetup 2021-02-18Mary Joy Sabal
 
Alexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implementAlexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implementDefconRussia
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017Amazon Web Services
 
Putting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud ScalePutting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud ScaleAmazon Web Services
 
Configuration Management in the Cloud | AWS Public Sector Summit 2017
Configuration Management in the Cloud | AWS Public Sector Summit 2017Configuration Management in the Cloud | AWS Public Sector Summit 2017
Configuration Management in the Cloud | AWS Public Sector Summit 2017Amazon Web Services
 
Continuous Integration for OpenVMS with Jenkins
Continuous Integration for OpenVMS with JenkinsContinuous Integration for OpenVMS with Jenkins
Continuous Integration for OpenVMS with Jenkinsecubemarketing
 
Operations and Security at Cloud Scale with Amazon EC2 System Manager - AWS S...
Operations and Security at Cloud Scale with Amazon EC2 System Manager - AWS S...Operations and Security at Cloud Scale with Amazon EC2 System Manager - AWS S...
Operations and Security at Cloud Scale with Amazon EC2 System Manager - AWS S...Amazon Web Services
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications guest879f38
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of ITCloudPassage
 
Integration Testing as Validation and Monitoring
Integration Testing as Validation and Monitoring Integration Testing as Validation and Monitoring
Integration Testing as Validation and MonitoringMelissa Benua
 
AWS_Community_Day_2023-Chathra Serasinghe.pptx
AWS_Community_Day_2023-Chathra Serasinghe.pptxAWS_Community_Day_2023-Chathra Serasinghe.pptx
AWS_Community_Day_2023-Chathra Serasinghe.pptxChathraSerasinghe2
 
Using AWS to Build a Scalable Big Data Management & Processing Service (BDT40...
Using AWS to Build a Scalable Big Data Management & Processing Service (BDT40...Using AWS to Build a Scalable Big Data Management & Processing Service (BDT40...
Using AWS to Build a Scalable Big Data Management & Processing Service (BDT40...Amazon Web Services
 
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24
 

Ähnlich wie An Introduction to PowerShell for Security Assessments (20)

Securing Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsSecuring Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOps
 
Wellington MuleSoft Meetup 2021-02-18
Wellington MuleSoft Meetup 2021-02-18Wellington MuleSoft Meetup 2021-02-18
Wellington MuleSoft Meetup 2021-02-18
 
Alexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implementAlexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implement
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
 
Putting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud ScalePutting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud Scale
 
Configuration Management in the Cloud | AWS Public Sector Summit 2017
Configuration Management in the Cloud | AWS Public Sector Summit 2017Configuration Management in the Cloud | AWS Public Sector Summit 2017
Configuration Management in the Cloud | AWS Public Sector Summit 2017
 
Devops architecture
Devops architectureDevops architecture
Devops architecture
 
WAF in Scale
WAF in ScaleWAF in Scale
WAF in Scale
 
Continuous Integration for OpenVMS with Jenkins
Continuous Integration for OpenVMS with JenkinsContinuous Integration for OpenVMS with Jenkins
Continuous Integration for OpenVMS with Jenkins
 
Operations and Security at Cloud Scale with Amazon EC2 System Manager - AWS S...
Operations and Security at Cloud Scale with Amazon EC2 System Manager - AWS S...Operations and Security at Cloud Scale with Amazon EC2 System Manager - AWS S...
Operations and Security at Cloud Scale with Amazon EC2 System Manager - AWS S...
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
 
Integration Testing as Validation and Monitoring
Integration Testing as Validation and Monitoring Integration Testing as Validation and Monitoring
Integration Testing as Validation and Monitoring
 
TRUSTSeminar.ppt
TRUSTSeminar.pptTRUSTSeminar.ppt
TRUSTSeminar.ppt
 
AWS_Community_Day_2023-Chathra Serasinghe.pptx
AWS_Community_Day_2023-Chathra Serasinghe.pptxAWS_Community_Day_2023-Chathra Serasinghe.pptx
AWS_Community_Day_2023-Chathra Serasinghe.pptx
 
Past, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps InfrastructurePast, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps Infrastructure
 
Using AWS to Build a Scalable Big Data Management & Processing Service (BDT40...
Using AWS to Build a Scalable Big Data Management & Processing Service (BDT40...Using AWS to Build a Scalable Big Data Management & Processing Service (BDT40...
Using AWS to Build a Scalable Big Data Management & Processing Service (BDT40...
 
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
 
Chapter08
Chapter08Chapter08
Chapter08
 

Mehr von EnclaveSecurity

Using an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseUsing an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseEnclaveSecurity
 
The CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseThe CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseEnclaveSecurity
 
Practical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityPractical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityEnclaveSecurity
 
Utilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyUtilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyEnclaveSecurity
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementEnclaveSecurity
 
Governance fail security fail
Governance fail security failGovernance fail security fail
Governance fail security failEnclaveSecurity
 
The intersection of cool mobility and corporate protection
The intersection of cool mobility and corporate protectionThe intersection of cool mobility and corporate protection
The intersection of cool mobility and corporate protectionEnclaveSecurity
 
Recent changes to the 20 critical controls
Recent changes to the 20 critical controlsRecent changes to the 20 critical controls
Recent changes to the 20 critical controlsEnclaveSecurity
 
Prioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsPrioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsEnclaveSecurity
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controlsEnclaveSecurity
 
More practical insights on the 20 critical controls
More practical insights on the 20 critical controlsMore practical insights on the 20 critical controls
More practical insights on the 20 critical controlsEnclaveSecurity
 
Its time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerIts time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerEnclaveSecurity
 
Cyber war or business as usual
Cyber war or business as usualCyber war or business as usual
Cyber war or business as usualEnclaveSecurity
 
Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewallsEnclaveSecurity
 

Mehr von EnclaveSecurity (14)

Using an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseUsing an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized Defense
 
The CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseThe CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for Defense
 
Practical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityPractical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device security
 
Utilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyUtilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare Technology
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to Measurement
 
Governance fail security fail
Governance fail security failGovernance fail security fail
Governance fail security fail
 
The intersection of cool mobility and corporate protection
The intersection of cool mobility and corporate protectionThe intersection of cool mobility and corporate protection
The intersection of cool mobility and corporate protection
 
Recent changes to the 20 critical controls
Recent changes to the 20 critical controlsRecent changes to the 20 critical controls
Recent changes to the 20 critical controls
 
Prioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsPrioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controls
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controls
 
More practical insights on the 20 critical controls
More practical insights on the 20 critical controlsMore practical insights on the 20 critical controls
More practical insights on the 20 critical controls
 
Its time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerIts time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primer
 
Cyber war or business as usual
Cyber war or business as usualCyber war or business as usual
Cyber war or business as usual
 
Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewalls
 

Kürzlich hochgeladen

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Kürzlich hochgeladen (20)

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

An Introduction to PowerShell for Security Assessments

  • 1. An Introduction to PowerShell for Security Assessments James Tarala, Enclave Security
  • 2. Problem Statement • During a security assessment, bringing tools to a system can be problematic • Potential issues include: – Network transfers – Anti-malware software – Whitelisting software – Business owner nerves An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 3. “Living off the Land” • Ideally a penetration tester or auditor would be able to “live off the land” • In other words: Only use native operating system tools to perform a security assessment • Removes the need to download or transfer software • Lowers the likelihood of being blocked by AV or whitelisting software An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 4. Potential Solution: PowerShell • Potential solution = Microsoft Windows PowerShell • Available for Microsoft Windows XP / Server 2003 and later Microsoft Windows operating systems • Security assessors will still need the rights & permissions to do their assessment • However some common pitfalls can be avoided using PowerShell An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 5. What is PowerShell? • A scripting language targeted at system administrators • A command line mechanism for performing tasks normally reserved for GUIs • An object oriented approach to command line administration (rather than text based) • A gateway into all Microsoft Windows operating system objects (file system, registry, AD, WMI, etc) • A command line gateway into .NET programming An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 6. PowerShell vs Unix Shells PowerShell • Object oriented • Consistent cmdlets naming conventions • Available for most Windows services • Requires code signing • Native command remoting • Consistent across all Windows systems Unix Shells • Text oriented • Inconsistent binary naming conventions • Unique service binaries required per Unix service • Does not require code signing • SSH required for remote code • Multiple shells, inconsistent syntax between systems An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 7. PowerShell Objects vs Text Strings • Text is text – does not utilize properties or methods • PowerShell objects all have properties & methods • Consider a Refrigerator as a sample object • Sample Attributes: – Refrigerator.Color – Refrigerator.Temperature • Sample Methods: – Refrigerator.On() – Refrigerator.MakeIce() An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 8. Cmdlets, Aliases, & Applications • PowerShell primarily utilizes cmdlets, aliases, & binary applications to function • Cmdlets: – Native command line tools with built in functions – Example: get-childitem, get-help • Aliases: – Shortcuts or pointers to cmdlets, applications, or scripts – Example: dir, ls • Applications: – Binaries files with defined functionality – Example: netsh An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 9. Sample PowerShell Cmdlets • Get-Command • Get-Help • Get-Member • Get-Content • Where-Object • Select-Object • Format-List • Fomat-Table • Get-ACL • Get-Process • Get-ChildItem • ConvertTo-CSV • ConvertTo-HTML • Import-certificate • Export-certificate • Stop-service • Start-service • Add-pssnapin An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 10. Sample PowerShell Modules • Active Directory • AD Certificate Services • Group Policy • Microsoft Exchange • Office 365 • Remote Desktop Services • SharePoint • SQL Server • System Center Configuration Manager • VMWare vSphere • Windows Azure • AD Replication • DnsShell • File System Security • FTP Client • Local User Management Module • PowerShell EventLogWatcher • Remote Registry • SCSM PowerShell Cmdlets • SQL Server PowerShell Extensions • Terminal Services • Windows Automation Snap-In • Windows Update An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 11. Functions & Scripts • If PowerShell does not include the functionality that you need, you can also extend it • Functions & Scripts: – Repeatable code within a PowerShell environment – Both follow the same philosophical idea of extending native functionality – Scripts utilize *.PS1 files to repeat functionality – Reminder: Set-ExecutionPolicy RemoteSigned An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 12. Accessing .NET Objects • PowerShell can also even utilize .NET libraries • Anything .NET can do, PowerShell can also • There is a fuzzy line between PowerShell & VB.NET • Both of the following commands are the same: – [datetime]::now – Get-Date An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 13. Case Study: Microsoft ADCS • Imagine you are responsible for assessing a Microsoft Active Directory Certificate Services (ADCS) server • What would you do to assess the system? • What steps could you follow to automate the process? • The following is a step by step approach you might consider taking to assess the system An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 14. Step #1: Governance & Architecture • To start any security assessment it is worth considering operational & governance controls • Sample questions to consider: – Have required functionality requirements been defined? – Do policies, procedures, & standards exist for the system? – Has an architecture been defined for the PKI hierarchy that matches the business needs? – Do proper operational controls exist to protect private keys (such as utilizing an HSM)? – Is redundancy built into the PKI architecture? An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 15. Step #2: Native Windows Cmdlets • The security of a service is dependent on the security of the underlying operating system • If the OS is not secure, services can never be secured • Therefore start an assessment with native Windows cmdlets & interrogate the host OS • For example: – Running services & software – Installed system patches – Local user accounts & groups – File system & registry permissions An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 16. Native Windows Cmdlet (Sample) An Introduction to PowerShell for Security Assessments © Enclave Security 2013 Get-WMIObject Win32_userAccount | Select-Object Name,SID List all user accounts on the PKI Server:
  • 17. Native Windows Cmdlet (Sample) An Introduction to PowerShell for Security Assessments © Enclave Security 2013 Get-acl c:windowssystem32certlog | fl Retrieve NTFS permissions from directory:
  • 18. Step #3: Registry Settings • Many service configuration settings are located in the Windows Registry • If you look in the registry you can quickly learn the configuration of the service without a GUI • PowerShell has the ability to query both entire registry hives and individual registry keys An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 19. ADCS Registry Settings An Introduction to PowerShell for Security Assessments © Enclave Security 2013 HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCertSvc HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftSystemCertificatesRootProtectedRoots
  • 20. Querying the Registry (Sample) An Introduction to PowerShell for Security Assessments © Enclave Security 2013 Get-ChildItem "hklm:SYSTEMCurrentControlSetServicesCertSvcConfiguration"
  • 21. Querying the Registry (Sample) An Introduction to PowerShell for Security Assessments © Enclave Security 2013 Get-ItemProperty "hklm:SYSTEMCurrentControlSetServicesCertSvcConfigurationGet-ChildItem" Get-ItemProperty "hklm:SYSTEMCurrentControlSetServicesCertSvcConfigurationGet-ChildItem“ | Select-Object DBLogDirectory
  • 22. Step #4: Service Specific Cmdlets • Microsoft has committed that each of their product teams will make their services 100% configurable via PowerShell cmdlets • The beta test for this program was Exchange 2007 • Most all services now have service specific cmdlets • These extend the standard functionality of PowerShell on that system • Sample cmdlets: – Import-Module ActiveDirectory – Get-Module -ListAvailable An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 23. Service Specific Cmdlets (Sample) An Introduction to PowerShell for Security Assessments © Enclave Security 2013 Query information about CRL Distribution Points (CDPs) Get-CACrlDistributionPoint
  • 24. An Introduction to PowerShell for Security Assessments © Enclave Security 2013 Query information about available Certificate Templates Get-CATemplate
  • 25. Step #5: Querying Config Files • During an assessment you may also need to query configuration files for specific services • Often times XML or CONFIG files are used to store configuration date instead of the registry • Third party application developers especially like to store configurations this way • To view the content of any file use: – Get-content An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 26. Querying Config Files (Sample) An Introduction to PowerShell for Security Assessments © Enclave Security 2013 Microsoft IIS Web Server Configuration Files for the Certsrv Website
  • 27. Querying Config Files (Sample) An Introduction to PowerShell for Security Assessments © Enclave Security 2013 Microsoft IIS Web Server Configuration Files for the Certsrv Website get-content C:WindowsSystem32inetsrvconfigapplicationhost.config
  • 28. Step #6: Native Windows Binaries • Microsoft also makes available application binaries for managing specific services • Prior to PowerShell, binaries were the only method for querying information about a system from the command line • If a service specific cmdlets does not meet your needs, possibly a binary will • For example: – DNSCMD.EXE – CERTUTIL.EXE An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 29. Native Windows Binaries (Sample) An Introduction to PowerShell for Security Assessments © Enclave Security 2013 Dump verbose properties from Certificate Templates Certutil –v -template
  • 30. Step #7: Reporting • Once you have gathered all your data, the next step is to report your findings • Microsoft aprovides a number of cmdlets that can be useful for reporting • Reporting cmdlets include: – ConvertTo-CSV – ConvertTo-HTML – ConvertTo-XML – Export-CSV An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 31. Next Steps • If you find yourself regularly assessing Microsoft Windows based systems – learn PowerShell 1. Learn the foundations of PowerShell scripting 2. Learn the basic built-in cmdlets Windows provides 3. Learn about additional modules that can be added to a standard Windows environment 4. Write scripts to automate common assessment tasks 5. Experiment with output & reporting in PowerShell 6. Share your scripts with the community An Introduction to PowerShell for Security Assessments © Enclave Security 2013
  • 32. Further Questions • James Tarala – E-mail: james.tarala@enclavesecurity.com – Twitter: @isaudit – Website: http://www.auditscripts.com • Resources for further study: – SANS SEC 505: Securing Windows & Resisting Malware – Windows PowerShell in Action by Bruce Payette – PowerShell and WMI by Richard Siddaway An Introduction to PowerShell for Security Assessments © Enclave Security 2013

Hinweis der Redaktion

  1. An Introduction to PowerShell for Security AssessmentsWith the increased need for automation in operating systems, every platform now provides a native environment for automating repetitive tasks via scripts. Since 2007, Microsoft has gone “all in” with their PowerShell scripting environment, providing access to every facet of the Microsoft Windows operating system and services via a scriptable interface. Not only can administrators completely administer and audit an operating system from this shell, but most all Microsoft services, such as Exchange, SQL Server, and SharePoint services as well. In this presentation James Tarala of Enclave Security will introduce students to using PowerShell scripts for assessing the security of thee Microsoft services. Auditors, system administrators, penetration testers, and others will all learn practical techniques for using PowerShell to assess and secure these vital Windows services.
  2. http://social.technet.microsoft.com/wiki/contents/articles/4308.popular-powershell-modules.aspxhttp://social.technet.microsoft.com/wiki/contents/articles/4309.powershell-enabled-technologies.aspx