Hello! My name is Josh Frantz, and I am a security consultant for Rapid7. This post is the first in a two-part series that covers defending your Windows environment against offensive PowerShell. I've been helping companies better protect their networks for about seven years now and have seen a lot of things along the way, especially when it comes to defending networks against malicious PowerShell. This series discusses how we can implement some basic controls to keep our data safe from potential PowerShell attacks and how to detect malicious behavior trying to circumvent said controls. As always, be sure to include the necessary stakeholders before making these changes to your environment, especially when it comes to the logging changes we suggest for PowerShell.

As any Blue Teamer will tell you, defending your network against both criminals and third-party assessments is no easy task.

[Image: "It isn't easy being blue." – Kermit the Frog, probably. Image source: ImgFlip]

Risk Based Security reported that from January 2018 to the end of June, over 10,000 vulnerabilities were discovered (the highest number at the same point of any year, ever), increasing the attack surface for criminals and non-criminal Red Teamers alike. Windows is everywhere, dominating overall usage in both enterprise environments and among personal desktops/laptops. That makes it inherently difficult to defend. Our jobs as security professionals are ever-necessary in the current and future enterprise landscape, and they're not getting any easier.

So, why should I care about PowerShell attacks?

PowerShell is a built-in command-line tool that has been included and enabled on every Windows operating system since Windows 7/Windows Server 2008 R2. Not only can it run code in memory where A/V software can't see it, but we can often use PowerShell to download code and run it on our target. Several offensive tools exist that are based in PowerShell, including the following:

So, think about this: we have a scripting language that is enabled on 80% of all enterprise machines by default, that can execute code downloaded from the internet, leverage .NET libraries, and has built-in remoting, and most companies don't monitor what code their endpoints are running.

Well, first realize that security (like onions and ogres) is all about layers. We can't implement one control and rely solely on it for protection. Below is the entirety of that onion, with each layer explained:

Update PowerShell to the latest stable version

Keeping things patched is something we so often overlook in security. The team behind PowerShell at Microsoft has done a really good job in the latest stable version (Version 5, as of this writing), adding several features to help us defend against malicious PowerShell attacks. Information on upgrading each version of PowerShell can be found here.

So, you've upgraded all your endpoints to PowerShell V5. Great! But there is still the potential for "downgrade" attacks: Windows 8 and above have an optional feature that leaves the PowerShell V2 engine installed, which allows some exploit frameworks to run an older engine without the security controls V5 affords us (such as script block logging and AMSI integration). In Windows 8 and newer, run the following command on an endpoint (this could obviously be executed remotely or configured via Group Policy):

Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

Unfortunately, Windows doesn't give us the ability to (easily) disable the V2 engine on Windows 7. However, as any good security program does, we have layers and can apply them in depth. You can use AppLocker (discussed below) to disallow the V2 engine's DLLs from being loaded, rendering attacks such as PowerShell Empire's psinject module ineffective.

So, we've updated PowerShell on all of our computers and disabled older versions to mitigate potential downgrade attacks. Now we need to control access to PowerShell. A greatly underutilized tool for Windows is AppLocker, which allows us to whitelist the executables, scripts, DLLs and installers that may run on machines controlled via Group Policy.
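The V2-engine removal and verification described above, as an added PowerShell example that is not code from the original post. It assumes an elevated Windows PowerShell 5.x session on a Windows 8/Server 2012 or newer host; it runs the Disable-WindowsOptionalFeature command from the post, then checks the result by asking powershell.exe for the V2 engine explicitly. Where the DISM cmdlets are absent (Windows 7/Server 2008 R2, which the post says cannot remove V2 easily) it writes, but does not apply, an AppLocker DLL deny rule for the V2 engine's assembly directory. The function names, the legacy GAC path for the version 1.0.0.0 System.Management.Automation assembly, and the use of the Everyone SID in the rule are my assumptions, not the post's.

```powershell
# Added example, not code from the original post. Audits the PowerShell engine,
# removes the optional V2 engine with the cmdlet the post names, and verifies
# that an explicit downgrade (powershell.exe -Version 2) no longer works.
# Assumptions: elevated PowerShell 5.x; the V2 engine's
# System.Management.Automation.dll (assembly version 1.0.0.0) lives in the
# legacy GAC path below; Everyone (S-1-1-0) is the right scope for the deny rule.
#Requires -RunAsAdministrator

$V2Features   = @('MicrosoftWindowsPowerShellV2Root', 'MicrosoftWindowsPowerShellV2')
$V2EnginePath = "$env:SystemRoot\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35"
$PsExe        = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"

function Test-PowerShellV2Available {
    # Returns $true when powershell.exe can still start the V2 engine. With the
    # engine removed the child prints an error instead of the number 2, so any
    # output other than '2' counts as "not available". stderr is discarded.
    $major = & $PsExe -Version 2 -NoProfile -NonInteractive -Command '$PSVersionTable.PSVersion.Major' 2>$null
    return ("$major".Trim() -eq '2')
}

function Remove-PowerShellV2Engine {
    # Disables the optional feature(s) that ship the V2 engine and returns the
    # names that were disabled (nothing returned means nothing was enabled).
    $disabled = @()
    foreach ($name in $V2Features) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        if ($null -ne $feature -and $feature.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart | Out-Null
            $disabled += $name
        }
    }
    return $disabled
}

function New-PowerShellV2AppLockerDenyXml {
    # Writes an AppLocker Dll-collection fragment denying the V2 engine directory.
    # Merge it into a policy that already carries the default Allow rules for the
    # Dll collection: a collection with enforcement on and only a Deny rule
    # blocks every DLL on the host that is not explicitly allowed.
    param([string]$OutFile)
    $ruleId = [guid]::NewGuid().ToString()
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
    <FilePathRule Id="$ruleId" Name="Deny PowerShell V2 engine" Description="Blocks downgrade to the PowerShell 2.0 engine" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $OutFile -Encoding UTF8
    return $OutFile
}

# --- main ---
Write-Host "Running engine: $($PSVersionTable.PSVersion)"
if ($PSVersionTable.PSVersion.Major -lt 5) {
    Write-Warning 'Upgrade to PowerShell 5.x before relying on its logging controls.'
}

if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $removed = Remove-PowerShellV2Engine
    if ($removed) { Write-Host "Disabled: $($removed -join ', ')" }
    else          { Write-Host 'V2 engine feature was not enabled (or not present).' }
} else {
    # Windows 7 / 2008 R2: no DISM cmdlets and V2 is built in, so fall back to AppLocker.
    $xml = New-PowerShellV2AppLockerDenyXml -OutFile "$env:TEMP\Deny-PSv2.xml"
    Write-Warning "Cannot remove V2 here. Review $xml (V2 assemblies: $V2EnginePath) and merge it with: Set-AppLockerPolicy -XmlPolicy $xml -Merge"
}

if (Test-PowerShellV2Available) {
    Write-Warning 'powershell.exe -Version 2 still starts: downgrade attacks remain possible.'
} else {
    Write-Host 'powershell.exe -Version 2 no longer starts.'
}
```

AppLocker DLL rules are only enforced while the Application Identity service is running, and DLL enforcement adds load-time checks to every process, so roll the generated rule out through Group Policy in AuditOnly mode first and check the AppLocker event log before switching the Dll collection to enforced.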