SECURITY TASKS USING POWERSHELL
PowerShell is a advanced admin tool for Windows operating system. End users with advanced knowledge or those who have worked with an older version of windows may be much familiar with the command prompt via which you can run commands and scripts. PowerShell is similar but a lot more advanced regarding functionality.
This blog gives you some advanced functions for configuring management and automated tasks. Powershell includes both scripting language and command line shell. It is built on.Net Framework. Its also offers you Integrated Scripting Environment (ISE), which gives you a GUI where you can naturally do all your scripting.
we will see how effectively we can use PowerShell on security-related tasks,
CONTENTS
UNDERSTANDING EXECUTION POLICY
Execution policy enables a user to determine which PowerShell scripts will be allowed to run on your computer. There are four different execution policies are available in the PowerShell.
They are
- Restricted – no scripts can run. Interactive mode only can be used.
- AllSigned – the scripts which are signed by the trusted publisher can be able to run
- RemoteSigned – scripts which are downloaded must be approved by a trusted publisher before they run.
- Unrestricted – there will be no restriction on running any PowerShell scripts.
This command will show you current execution policy.
PS C:\Users\proxy_000> Get-ExecutionPolicy Restricted
End users should use the RemoteSigned. It will allow the user to run local scripts, but it won’t enable scripts from outside the network or downloaded scripts from the internet.
Professional scripters can use “Bypass” which allow you to run any script regardless of location.
Here is a command to change execution policy for your user account.
PS C:\Users\proxy_000> Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force PS C:\Users\proxy_000> Get-ExecutionPolicy
Bypass
PS C:\Users\proxy_000>
OVERRIDING EXECUTION POLICY
Execution policy is not a security boundary to protect you from attackers. It just acts as a seat belt to protect you. There are many other ways to override the execution policy and execute the scripts or commands.
PS C:\Users\proxy_000> Get-Content ‘c:\evilscript.ps1’ -Raw | powershell.exe -nonprofile -
LISTING NTFS PERMISSIONS
To view NTFS permission for folders and files use Get-Act. At first, It won’t show you the actual permission. But we can make visible using this :
PS C:\Users\proxy_000> Get-Acl -path $env:windir | Select-Object -ExpandProperty Access
CLONE NTFS PERMISSIONS
NTFS access permission is complicated and tricky. To quickly assign NTFS permission to a new folder, you can merely clone permission from another folder that you know has the correct permission applied.
$OriginalPath = “$env:temp\sample” New-Item -Path $OriginalPath -ItemType Directory
to assign correct permission to folder “proxy” manually
Explorer.exe “/Select,$OriginalPath.”
Right-click the proxy folder and choose properties and then click the security tab. Now add security permission you need to apply
When your prototype folder is correctly configured. Use this code to read information about security
$sddl = (Get-Acl $OriginalPath).Sddl
From this point, you don’t need your prototype folder anymore. It was required to create SDDL definition string.
$newpath = “$env:temp\NewFolder” md $newpath $sd = Get-Acl -Path $newpath $sd.SetSecurityDescriptorSddlForm($sddl) Set-Acl -Path $newpath -Aclobject $sd
ADDING PERMISSIONS
Adding new permission to an existing security descriptor, first, create an appropriate AccessRule object and configure it.
This script adds a new FileSystemAccessRule to the security descriptor of a file, granting read and write access to proxydomain\proxyaccount.
Make sure you adjust both user account and filename before you test the code:
$colRights = [System.Security.AccessControl.FileSystemRights]’Read, Write’ $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None $objType =[System.Security.AccessControl.AccessControlType]::Allow $objUser = New-Object System.Security.Principal.NTAccount(‘proxydomain\proxyaccount.’) $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ` ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType) # get original SD
$catACL = Get-Acl ‘C:\proxy\pr0xy.txt’ # add permission $catACL.AddAccessRule($objACE) # write back the appended SD Set-Acl ‘C:\proxy\pr0xy.txt’ $catACL
REMOVING PERMISSIONS
To remove a permission from a security descriptor, get access to the Acl entries, and pick the ones to delete and write back the changed security descriptor.
$catACL = Get-Acl c:\proxy\pr0xy.txt
$unwanted = $catACL.Access |
Where-Object { $_.IdentityReference.Value -eq ‘proxydomain\proxyaccount’ }
$unwanted | ForEach-Object { $null = $catACL.RemoveAccessRule($_) }
Set-Acl -Path c:\proxy\pr0xy.txt -AclObject $catACL
CHECKING ADMINISTRATOR PRIVILEGES
There are many ways to find out if a script runs been elevated. Here’s a straightforward approach that uses whoami.exe (works withWin7/Server 200 R2 or better):
(whoami.exe /all | Select-String S-1-16-12288) -ne $null
If you do not have whoami.exe, or if you are looking for a more integrated way, you can use a line that is a little longer but identifies Admin status directly, without calling an external program:
(New-Object System.Security.Principal.WindowsPrincipal([System.Security. Principal.WindowsIdentity]::GetCurrent())).IsInRole([System.Security.Principal. WindowsBuiltInRole]::Administrator)
CONCLUSION :
As we discussed in this blog, PowerShell is an advanced admin tool which is capable of performing above mentioned task. By executing these tasks, the admin could save much time. This allows to avoid attackers to get into our system .
Briskinfosec offers periodic system hardening solutions to bring down the risk level in the organization, our constructive and customized solution will help organization from serious threats against system hardening.
AUTHOR
Venkatesh C.S
Security Engineer
Briskinfosec Technology and Consulting PVT LTD
Find me @ https://www.linkedin.com/in/venkatesh-c-s-44174711b/
Related Blogs :
Posts
