{"id":1121,"date":"2015-06-09T17:16:44","date_gmt":"2015-06-09T17:16:44","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/powershell\/2015\/06\/09\/powershell-the-blue-team\/"},"modified":"2019-02-28T15:40:09","modified_gmt":"2019-02-28T23:40:09","slug":"powershell-the-blue-team","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/powershell\/powershell-the-blue-team\/","title":{"rendered":"PowerShell \u2665 the Blue Team"},"content":{"rendered":"

(Warning: Long blog post ahead! If you\u2019d like to read (or share) this as a whitepaper, you can download it here: \u201cScripting Security and Protection Advances in Windows 10<\/a>\u201d). <\/i><\/p>\n

At Microsoft, we invest an enormous amount of time and energy managing world-class cloud services and incredibly large enterprise networks. Security is critical for all of these \u2013 so what might surprise you is that we also invest enormous amounts of time and energy trying to break into those services. This is called Red Teaming<\/a> \u2013 taking highly specialized groups of security experts and having them adopt the role of sophisticated adversaries.\nIn the last several releases of Windows, we\u2019ve been working hard to make the platform much more powerful for administrators, developers, and power users alike. The only problem is \u2013 the red teams are catching on.<\/p>\n

\n

A Note about Assume Breach\n\nIn this post, the assumption is that an attacker has already compromised (breached) a system through a malicious phishing email, security flaw in a custom website implementation, or similar attack.<\/span><\/p>\n

When these security flaws are in software, they are found and patched. But we always assume the attackers will find some way to get in \u2013 even if only through a user being tricked into installing a malicious application on their computer.\\<\/span><\/p>\n<\/div>\n

As with any occupation, job satisfaction for attackers (either funded by the company under attack or otherwise) plays an important role in influencing attacker behaviour. After all, who wants to extend their compromise of a system using error prone and hard-to-write C++ programs, when you can accomplish the same thing with an elegant and powerful scripting language like PowerShell?<\/p>\n

In this post, we\u2019ll discuss some important advances we\u2019ve made in scripting security and protection in the preview versions of PowerShell version 5, and Windows 10.<\/p>\n

PowerShell \u2665<\/span> the Blue Team<\/h2>\n

When you take an assume-breach mindset, you have to assume that an attacker is already on your system. But then you\u2019re left with questions: What did they do? What systems did they connect to? Was any dynamic code invoked, and what was it?\nPowerShell version 5 (included in Windows 10, and also available for earlier operating systems through the Windows Management Framework) has made significant strides in making sure that the Blue Team has the information it needs to answer these questions.<\/p>\n

KB 3000850 for PowerShell v4 on Windows 8.1 also includes many of these features, as called out below. <\/i><\/p>\n

PowerShell version 5 builds on the already strong infrastructure that PowerShell version 4 (and below) offers: transcription, module logging, and more. For more information about PowerShell Security Best Practices in these environments, see http:\/\/blogs.msdn.com\/b\/powershell\/archive\/2013\/12\/16\/powershell-security-best-practices.aspx<\/a>. In addition, FireEye has published an excellent document on Investigating PowerShell Attacks: http:\/\/www.fireeye.com\/resources\/pdfs\/fireeye-lazanciyan-investigating-powershell-attacks.pdf<\/a>. This document goes into great detail for both proactive and reactive techniques.<\/p>\n

Over-the-shoulder transcription<\/h2>\n

One of the quickest ways to get a summary of what\u2019s happening in a PowerShell session is to look over the shoulder of the person typing. You see their commands, the output of those commands, and all is well. Or it\u2019s not, but at least you\u2019ll know.\nPowerShell versions 4 and prior include support for over-the-shoulder transcription through the Start-Transcript<\/span> command. However, setting up ubiquitous transcription of PowerShell sessions is complex and error-prone. You need to include the command in the system startup profile of every system, and also need to add significant amounts of auditing to flag attackers that attempt to disable transcription.\nA secondary issue is that transcription was only supported in the interactive PowerShell console. Transcription of remoting sessions were not supported, nor was transcription in non-console hosts such as the PowerShell ISE.\nIn PowerShell version 5 and KB 3000850<\/i>, Start-Transcript<\/span> now emits structured objects when you start a transcript (the Path<\/span> property is useful), and has added much more useful information to its header:\n\"\"<\/a><\/p>\n

The filename now includes the computer that generated the transcript, a \u2018hash breaker\u2019 to prevent transcript collisions, and increased granularity in the transcript start time. While PowerShell v4 and below let you control the output path, you were then forced to properly randomize the transcript filename yourself. To improve this situation, we\u2019ve added the \u2013OutputDirectory<\/span> parameter to Start-Transcript.<\/p>\n

In the header content, the \u201cUsername\u201d and \u201cRunAs User\u201d will normally be the same. If you\u2019ve enabled impersonation on a constrained PowerShell remoting endpoint (i.e.: PowerShell Just Enough Administration), the \u201cUsername\u201d field represents the connected user while the \u201cRunAs User\u201d represents the account being impersonated.<\/p>\n

When it comes to transcript content, PowerShell now transcribes (what it can) of console commands that manipulate the console buffer directly, and can now be enabled in hosts such as the PowerShell ISE.\nIf you want to more directly associate commands with their output for potential later analysis, use the \u2013IncludeInvocationHeader<\/span> parameter. This adds an additional header for each command that is invoked:\n\"\"<\/a><\/p>\n

To enable automatic transcription, enable the \u2018Turn on PowerShell Transcription\u2019 feature in Group Policy through Windows Components -> Administrative Templates -> Windows PowerShell<\/span>. For automation, the configuration settings are stored under HKLM:\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription<\/span>. The following PowerShell functions let you enable and disable the system-wide transcription policies.<\/p>\n

function<\/span>\u00a0<\/span>Enable-PSTranscription<\/span>\n{<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>[<\/span>CmdletBinding<\/span>(<\/span>)<\/span>]<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>param<\/span>(<\/span>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>$OutputDirectory<\/span>,<\/span>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>[Switch]<\/span>\u00a0<\/span>$IncludeInvocationHeader<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>)<\/span><\/p>\n

\u00a0\u00a0\u00a0\u00a0<\/span>## Ensure the base path exists<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>$basePath<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>“HKLM:\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription”<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span>(<\/span>-not<\/span>\u00a0<\/span>(<\/span>Test-Path<\/span>\u00a0<\/span>$basePath<\/span>)<\/span>)<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>$null<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>New-Item<\/span>\u00a0<\/span>$basePath<\/span>\u00a0<\/span>-Force<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/p>\n

\u00a0\u00a0\u00a0\u00a0<\/span>## Enable transcription<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>Set-ItemProperty<\/span>\u00a0<\/span>$basePath<\/span>\u00a0<\/span>-Name<\/span>\u00a0<\/span>EnableTranscripting<\/span>\u00a0<\/span>-Value<\/span>\u00a0<\/span>1<\/span><\/p>\n

\u00a0\u00a0\u00a0\u00a0<\/span>## Set the output directory<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span>(<\/span>$PSCmdlet<\/span>.<\/span>MyInvocation<\/span>.<\/span>BoundParameters<\/span>.<\/span>ContainsKey<\/span>(<\/span>“OutputDirectory”<\/span>)<\/span>)<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>Set-ItemProperty<\/span>\u00a0<\/span>$basePath<\/span>\u00a0<\/span>-Name<\/span>\u00a0<\/span>OutputDirectory<\/span>\u00a0<\/span>-Value<\/span>\u00a0<\/span>$OutputDirectory<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/p>\n

\u00a0\u00a0\u00a0\u00a0<\/span>## Set the invocation header<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span>(<\/span>$IncludeInvocationHeader<\/span>)<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>Set-ItemProperty<\/span>\u00a0<\/span>$basePath<\/span>\u00a0<\/span>-Name<\/span>\u00a0<\/span>IncludeInvocationHeader<\/span>\u00a0<\/span>-Value<\/span>\u00a0<\/span>1<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span>\n}<\/span><\/p>\n

function<\/span>\u00a0<\/span>Disable-PSTranscription<\/span>\n{<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>Remove-Item<\/span>\u00a0<\/span>HKLM:\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription<\/span>\u00a0<\/span>-Force<\/span>\u00a0<\/span>-Recurse<\/span>\n}<\/span><\/p>\n

When enabled system-wide, PowerShell transcription even includes emulated transcription for hosts that don\u2019t even have an interface \u2013 such as this example C# program:<\/p>\n

using<\/span> System;\n<\/span>using<\/span> System.Management.Automation;\n<\/span>\u00a0<\/span><\/p>\n

namespace<\/span> IgnorantTranscriber\n<\/span>{\n<\/span>\u00a0\u00a0\u00a0 <\/span>class<\/span> Program<\/span>\n<\/span>\u00a0\u00a0\u00a0 {\n<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>static<\/span> void<\/span> Main(<\/span>string<\/span>[] args)\n<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 { <\/span><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>var<\/span> processes = <\/span>PowerShell<\/span>.Create().AddCommand(<\/span>“Get-Process”<\/span>).\n<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 AddParameter(<\/span>“Name”<\/span>, <\/span>“*e*”<\/span>).Invoke();\n<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>Console<\/span>.WriteLine(<\/span>“You have “<\/span> + processes.Count +\n<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>” processes with ‘e’ in the name!”<\/span>);\n<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\n<\/span>\u00a0\u00a0\u00a0 }\n<\/span>}<\/span><\/p>\n

When you run it, the logged content emulates what you might have seen:<\/p>\n

PS>CommandInvocation(Get-Process): “Get-Process”\n<\/span>>> ParameterBinding(Get-Process): name=”Name”; value=”*e*”\n<\/span><\/p>\n

Handles\u00a0 NPM(K)\u00a0\u00a0\u00a0 PM(K)\u00a0\u00a0\u00a0\u00a0\u00a0 WS(K) VM(M)\u00a0\u00a0 CPU(s)\u00a0\u00a0\u00a0\u00a0 Id ProcessName\n<\/span>——-\u00a0 ——\u00a0\u00a0\u00a0 —–\u00a0\u00a0\u00a0 \u00a0 —– —–\u00a0\u00a0 ——\u00a0\u00a0\u00a0\u00a0 — ———–\n<\/span>\u00a0\u00a0\u00a0 135\u00a0\u00a0\u00a0\u00a0\u00a0 11\u00a0\u00a0\u00a0\u00a0 2496\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 7716\u00a0 4096\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2548 Acmengine\n<\/span>\u00a0\u00a0 2451\u00a0\u00a0\u00a0\u00a0 121\u00a0\u00a0\u00a0 63952\u00a0\u00a0\u00a0\u00a0 188004\u00a0 4096\u00a0\u00a0\u00a0 45.80\u00a0\u00a0 1516 explorer\n<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 4\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0 Idle\n<\/span>\u00a0\u00a0\u00a0 254\u00a0\u00a0\u00a0\u00a0\u00a0 22 \u00a0\u00a0 38132\u00a0\u00a0\u00a0\u00a0\u00a0 36248\u00a0\u00a0 229\u00a0\u00a0\u00a0\u00a0 0.64\u00a0\u00a0 2556 IgnorantTranscriber\n<\/span>\u00a0\u00a0\u00a0 452\u00a0\u00a0\u00a0\u00a0\u00a0 53\u00a0\u00a0\u00a0 93164\u00a0\u00a0\u00a0\u00a0\u00a0 64664\u00a0 4096\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1756 MsMpEng\n<\/span>\u00a0\u00a0\u00a0 147\u00a0\u00a0\u00a0\u00a0\u00a0 10\u00a0\u00a0\u00a0\u00a0 1872\u00a0\u00a0\u00a0\u00a0\u00a0 12524\u00a0 4096\u00a0\u00a0\u00a0\u00a0 0.08\u00a0\u00a0 3784 OpenWith\n<\/span>\u00a0\u00a0\u00a0 658\u00a0\u00a0\u00a0\u00a0\u00a0 33\u00a0\u00a0\u00a0 80680\u00a0\u00a0\u00a0\u00a0\u00a0 97852\u00a0 4096\u00a0\u00a0\u00a0\u00a0 3.61\u00a0\u00a0 1120 powershell\n<\/span>\u00a0\u00a0\u00a0 486\u00a0\u00a0\u00a0\u00a0\u00a0 30\u00a0\u00a0\u00a0 74876\u00a0\u00a0\u00a0\u00a0\u00a0 89780\u00a0 4096\u00a0\u00a0\u00a0\u00a0 2.64\u00a0\u00a0 2060 powershell\n<\/span>\u00a0\u00a0\u00a0 277\u00a0\u00a0\u00a0\u00a0\u00a0 10\u00a0\u00a0\u00a0\u00a0 3452\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 8696\u00a0 4096\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 536 services\n<\/span>\u00a0\u00a0\u00a0 148\u00a0\u00a0\u00a0\u00a0\u00a0 12\u00a0\u00a0\u00a0\u00a0 3256\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 9840\u00a0 4096\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2608 sysparse\n<\/span>\u00a0\u00a0\u00a0 885\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0 120\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 136\u00a0\u00a0\u00a0\u00a0 3\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 4 System\n<\/span>\u00a0\u00a0\u00a0 239\u00a0\u00a0\u00a0\u00a0\u00a0 18\u00a0\u00a0\u00a0\u00a0 3268\u00a0\u00a0\u00a0\u00a0\u00a0 12060\u00a0 4096\u00a0\u00a0\u00a0\u00a0 0.33\u00a0\u00a0 2896 taskhostex<\/span><\/p>\n

The OutputDirectory<\/span> setting lets you collect transcripts to a central location (UNC path) for later review. If you implement this policy, ensure that access to the central share is limited to prevent users from reading previously-written transcripts. The following PowerShell script creates a \u201cTranscripts\u201d SMB share on a server that follows this best practice.<\/p>\n

md<\/span>\u00a0<\/span>c:\\Transcripts<\/span><\/p>\n

## Kill all inherited permissions<\/span>\n$acl<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>Get-Acl<\/span>\u00a0<\/span>c:\\Transcripts<\/span>\n$acl<\/span>.<\/span>SetAccessRuleProtection<\/span>(<\/span>$true<\/span>,<\/span>\u00a0<\/span>$false<\/span>)<\/span><\/p>\n

## Grant Administrators full control<\/span>\n$administrators<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>[System.Security.Principal.NTAccount]<\/span>\u00a0<\/span>“Administrators”<\/span>\n$permission<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>$administrators<\/span>,<\/span>“FullControl”<\/span>,<\/span>“ObjectInherit,ContainerInherit”<\/span>,<\/span>“None”<\/span>,<\/span>“Allow”<\/span>\n$accessRule<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>New-Object<\/span>\u00a0<\/span>System.Security.AccessControl.FileSystemAccessRule<\/span>\u00a0<\/span>$permission<\/span>\n$acl<\/span>.<\/span>AddAccessRule<\/span>(<\/span>$accessRule<\/span>)<\/span><\/p>\n

## Grant everyone else Write and ReadAttributes. This prevents users from listing<\/span>\n## transcripts from other machines on the domain.<\/span>\n$everyone<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>[System.Security.Principal.NTAccount]<\/span>\u00a0<\/span>“Everyone”<\/span>\n$permission<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>$everyone<\/span>,<\/span>“Write,ReadAttributes”<\/span>,<\/span>“ObjectInherit,ContainerInherit”<\/span>,<\/span>“None”<\/span>,<\/span>“Allow”<\/span>\n$accessRule<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>New-Object<\/span>\u00a0<\/span>System.Security.AccessControl.FileSystemAccessRule<\/span>\u00a0<\/span>$permission<\/span>\n$acl<\/span>.<\/span>AddAccessRule<\/span>(<\/span>$accessRule<\/span>)<\/span><\/p>\n

## Deny “Creator Owner” everything. This prevents users from<\/span>\n## viewing the content of previously written files.<\/span>\n$creatorOwner<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>[System.Security.Principal.NTAccount]<\/span>\u00a0<\/span>“Creator Owner”<\/span>\n$permission<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>$creatorOwner<\/span>,<\/span>“FullControl”<\/span>,<\/span>“ObjectInherit,ContainerInherit”<\/span>,<\/span>“InheritOnly”<\/span>,<\/span>“Deny”<\/span>\n$accessRule<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>New-Object<\/span>\u00a0<\/span>System.Security.AccessControl.FileSystemAccessRule<\/span>\u00a0<\/span>$permission<\/span>\n$acl<\/span>.<\/span>AddAccessRule<\/span>(<\/span>$accessRule<\/span>)<\/span><\/p>\n

## Set the ACL<\/span>\n$acl<\/span>\u00a0<\/span>|<\/span>\u00a0<\/span>Set-Acl<\/span>\u00a0<\/span>c:\\Transcripts\\<\/span><\/p>\n

## Create the SMB Share, granting Everyone the right to read and write files. Specific<\/span>\n## actions will actually be enforced by the ACL on the file folder.<\/span>\nNew-SmbShare<\/span>\u00a0<\/span>-Name<\/span>\u00a0<\/span>Transcripts<\/span>\u00a0<\/span>-Path<\/span>\u00a0<\/span>c:\\Transcripts<\/span>\u00a0<\/span>-ChangeAccess<\/span>\u00a0<\/span>Everyone<\/span><\/p>\n

 <\/p>\n

Deep script block logging<\/h2>\n

 <\/p>\n

A PowerShell \u201cscript block\u201d is the base level of executable code in PowerShell. It might represent a command typed interactively in the PowerShell console, supplied through the command line (\u201cPowerShell \u2013Command <\u2026><\/span>\u201d), or wrapped in a function, script, workflow, or the like.<\/p>\n

In addition to over-the-shoulder style transcription, PowerShell v5 and KB 3000850<\/i> introduces deep script block logging. When you enable script block logging, PowerShell records the content of all script blocks that it processes. If a script block uses dynamic code generation (i.e.: $command<\/span> =<\/span> “‘Hello World'”<\/span>; Invoke-Expression<\/span> $command<\/span><\/span>), PowerShell will log the invocation of this generated script block as well. This provides complete insight into the script-based activity on a system \u2013 including scripts or applications that leverage dynamic code generation in an attempt to evade detection.<\/p>\n

As with transcription support, this deep script block logging applies to any application that hosts the PowerShell engine \u2013 the command line shell, ISE, or custom host.<\/p>\n

To enable automatic transcription, enable the \u2018Turn on PowerShell Script Block Logging\u2019 feature in Group Policy through Windows Components -> Administrative Templates -> Windows PowerShell<\/span>. For automation, the configuration settings are stored under HKLM:\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging<\/span>. By default, PowerShell only logs scripts blocks the first time they are used. If you select \u2018Log script block invocation start \/ stop events<\/span>\u2019, PowerShell also logs start and stop events for every time a script block is invoked. This latter setting can generate an extremely high volume of events, so should be enabled with caution.<\/p>\n

The following PowerShell functions let you enable and disable the system-wide script block logging policies.<\/p>\n

function<\/span>\u00a0<\/span>Enable-PSScriptBlockLogging<\/span>\n{<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>$basePath<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>“HKLM:\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging”<\/span><\/p>\n

\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span>(<\/span>-not<\/span>\u00a0<\/span>(<\/span>Test-Path<\/span>\u00a0<\/span>$basePath<\/span>)<\/span>)<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>$null<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>New-Item<\/span>\u00a0<\/span>$basePath<\/span>\u00a0<\/span>-Force<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>Set-ItemProperty<\/span>\u00a0<\/span>$basePath<\/span>\u00a0<\/span>-Name<\/span>\u00a0<\/span>EnableScriptBlockLogging<\/span>\u00a0<\/span>-Value<\/span>\u00a0<\/span>“1”<\/span>\n}<\/span><\/p>\n

function<\/span>\u00a0<\/span>Disable-PSScriptBlockLogging<\/span>\n{<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>Remove-Item<\/span>\u00a0<\/span>HKLM:\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging<\/span>\u00a0<\/span>-Force<\/span>\u00a0<\/span>-Recurse<\/span>\n}<\/span><\/p>\n

function<\/span>\u00a0<\/span>Enable-PSScriptBlockInvocationLogging<\/span>\n{<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>$basePath<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>“HKLM:\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging”<\/span><\/p>\n

\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span>(<\/span>-not<\/span>\u00a0<\/span>(<\/span>Test-Path<\/span>\u00a0<\/span>$basePath<\/span>)<\/span>)<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>$null<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>New-Item<\/span>\u00a0<\/span>$basePath<\/span>\u00a0<\/span>-Force<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/p>\n

\u00a0\u00a0\u00a0\u00a0<\/span>Set-ItemProperty<\/span>\u00a0<\/span>$basePath<\/span>\u00a0<\/span>-Name<\/span>\u00a0<\/span>EnableScriptBlockInvocationLogging<\/span>\u00a0<\/span>-Value<\/span>\u00a0<\/span>“1”<\/span>\n}<\/span><\/p>\n

Most companies only realize the need to enable script block logging after it is too late. To provide some recourse in this situation, PowerShell automatically logs script blocks when they have content often used by malicious scripts. This automatic script block logging is not intended to replace antivirus or full script block logging \u2013 it only serves as a record of last resort.<\/p>\n

To disable automatic script block logging, set the \u201cTurn on Script Block Logging<\/span>\u201d feature to \u201cDisabled<\/span>\u201d. Alternatively, specify \u201c0<\/span>\u201d for the EnableScriptBlockLogging<\/span> registry key.\nWhen script block logging is enabled, PowerShell will log the following events to the Microsoft-Windows-PowerShell\/Operational<\/span> log:<\/p>\n\n\n\n\n\n\n\n\n\n
\n

EventId<\/p>\n<\/td>\n

\n

4104 \/ 0x1008<\/p>\n<\/td>\n<\/tr>\n

\n

Channel<\/p>\n<\/td>\n

\n

\u00a0Operational<\/p>\n<\/td>\n<\/tr>\n

\n

Level<\/p>\n<\/td>\n

\n

\u00a0Verbose<\/p>\n<\/td>\n<\/tr>\n

\n

Opcode<\/p>\n<\/td>\n

\n

\u00a0Create<\/p>\n<\/td>\n<\/tr>\n

\n

Task<\/p>\n<\/td>\n

\n

\u00a0CommandStart<\/p>\n<\/td>\n<\/tr>\n

\n

Keyword<\/p>\n<\/td>\n

\n

\u00a0Runspace<\/p>\n<\/td>\n<\/tr>\n

\n

Message<\/p>\n<\/td>\n

\n

\u00a0Creating Scriptblock text (%1 of %2):<\/p>\n

\u00a0%3<\/p>\n

\u00a0ScriptBlock ID: %4<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The text embedded in the message is the text of the script block compiled. The ScriptBlock ID is a GUID retained for the life of the script block.<\/p>\n

Note<\/b>: Some script block texts (i.e.: Get-ChildItem<\/span>) might not truly<\/i> be representative of its underlying functionality if that command was generated through PowerShell\u2019s dynamic keyword mechanism or an overridden function. For both of these situations, the original dynamic keyword definition (or malicious function definition) will be logged.<\/p>\n

When script block invocation logging is enabled, PowerShell also writes begin and end event markers:<\/p>\n\n\n\n\n\n\n\n\n\n
\n

EventId<\/p>\n<\/td>\n

\n

Start: 4105 \/ 0x1009\n(Complete: 4106 \/ 0x100A)<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Channel<\/p>\n<\/td>\n

\n

\u00a0Operational<\/p>\n<\/td>\n<\/tr>\n

\n

Level<\/p>\n<\/td>\n

\n

\u00a0Verbose<\/p>\n<\/td>\n<\/tr>\n

\n

Opcode<\/p>\n<\/td>\n

\n

\u00a0Open (\/ Close)<\/p>\n<\/td>\n<\/tr>\n

\n

Task<\/p>\n<\/td>\n

\n

\u00a0CommandStart (\/ CommandStop)<\/p>\n<\/td>\n<\/tr>\n

\n

Keyword<\/p>\n<\/td>\n

\n

\u00a0Runspace<\/p>\n<\/td>\n<\/tr>\n

\n

Message<\/p>\n<\/td>\n

\n

\u00a0Started (\/ Completed) invocation of ScriptBlock ID: %1<\/p>\n

Runspace ID: %2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The ID is the GUID representing the script block (that can be correlated with event ID 4104), and the Runspace ID represents the runspace this script block was run in.<\/p>\n

Given that it represents the content of all PowerShell script invoked on a system, these events may contain sensitive data. To limit the information disclosure risk when script block logging is enabled, see Protected Event Logging<\/span>.\nPercent signs in the invocation message represent structured ETW properties. While they are replaced with the actual values in the message text, a more robust way to access them is to retrieve the message with the Get-WinEvent<\/span> cmdlet, and then use the Properties<\/b> array of the message.\nHere’s an example of how this functionality can help unwrap a malicious attempt to encrypt and obfuscate a script:<\/p>\n

## Malware<\/span>\nfunction<\/span>\u00a0<\/span>SuperDecrypt<\/span>\n{<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>param<\/span>(<\/span>$script<\/span>)<\/span><\/p>\n

\u00a0\u00a0\u00a0\u00a0<\/span>$bytes<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>[Convert]<\/span>::<\/span>FromBase64String<\/span>(<\/span>$script<\/span>)<\/span>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>## XOR \u201cencryption\u201d<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>$xorKey<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>0x42<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>for<\/span>(<\/span>$counter<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>0<\/span>;<\/span>\u00a0<\/span>$counter<\/span>\u00a0<\/span>-lt<\/span>\u00a0<\/span>$bytes<\/span>.<\/span>Length<\/span>;<\/span>\u00a0<\/span>$counter<\/span>++<\/span>)<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>$bytes<\/span>[<\/span>$counter<\/span>]<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>$bytes<\/span>[<\/span>$counter<\/span>]<\/span>\u00a0<\/span>-bxor<\/span>\u00a0<\/span>$xorKey<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/p>\n

\u00a0\u00a0\u00a0\u00a0<\/span>[System.Text.Encoding]<\/span>::<\/span>Unicode<\/span>.<\/span>GetString<\/span>(<\/span>$bytes<\/span>)<\/span>\n}<\/span><\/p>\n

$decrypted<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>SuperDecrypt<\/span>\u00a0<\/span>“FUIwQitCNkInQm9CCkItQjFCNkJiQmVCEkI1QixCJkJlQg==”<\/span>\nInvoke-Expression<\/span>\u00a0<\/span>$decrypted<\/span><\/p>\n

Running this generates the following log entries:<\/p>\n

\n

\n<\/div>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Compiling Scriptblock text (1 of 1):<\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 function SuperDecrypt\n{\nparam($script)<\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $bytes = [Convert]::FromBase64String($script)\n<\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u00a0## XOR “encryption”\n$xorKey = 0x42\nfor($counter = 0; $counter -lt $bytes.Length; $counter++)\n{\n$bytes[$counter] = $bytes[$counter] -bxor $xorKey\n}<\/p>\n

[System.Text.Encoding]::Unicode.GetString($bytes)\n}<\/p>\n

\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ScriptBlock ID: ad8ae740-1f33-42aa-8dfc-1314411877e3<\/p>\n<\/div>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Compiling Scriptblock text (1 of 1):<\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $decrypted = SuperDecrypt “FUIwQitCNkInQm9CCkItQjFCNkJiQmVCEkI1QixCJkJlQg==”<\/p>\n

ScriptBlock ID: ba11c155-d34c-4004-88e3-6502ecb50f52<\/p>\n

<\/div>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Compiling Scriptblock text (1 of 1):<\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Invoke-Expression $decrypted<\/p>\n

\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ScriptBlock ID: 856c01ca-85d7-4989-b47f-e6a09ee4eeb3<\/p>\n<\/div>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Compiling Scriptblock text (1 of 1):<\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host ‘Pwnd’<\/p>\n

\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ScriptBlock ID: 5e618414-4e77-48e3-8f65-9a863f54b4c8 <\/span><\/p>\n<\/div>\n

\n

If the script block length exceeds what ETW is capable of holding in a single event, Windows PowerShell breaks the script into multiple parts. Here is sample code to recombine a script from its log messages:<\/p>\n

$created<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>Get-WinEvent<\/span>\u00a0<\/span>-FilterHashtable<\/span>\u00a0<\/span>@{<\/span>\n\u00a0\u00a0\u00a0\u00a0<\/span>ProviderName<\/span>=<\/span>“Microsoft-Windows-PowerShell”<\/span>;<\/span>\u00a0<\/span>Id<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>4104<\/span>\u00a0<\/span>}<\/span>\u00a0<\/span>|<\/span>\u00a0<\/span>Where-Object<\/span>\u00a0<\/span>{<\/span>\u00a0<\/span><<\/span>Criteria><\/span>\u00a0<\/span>}<\/span><\/p>\n

$sortedScripts<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>$created<\/span>\u00a0<\/span>|<\/span>\u00a0<\/span>sort<\/span>\u00a0<\/span>{<\/span>\u00a0<\/span>$_<\/span>.<\/span>Properties<\/span>[<\/span>0<\/span>]<\/span>.<\/span>Value<\/span>\u00a0<\/span>}<\/span>\n$mergedScript<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>-join<\/span>\u00a0<\/span>(<\/span>$sortedScripts<\/span>\u00a0<\/span>|<\/span>\u00a0<\/span>%<\/span>\u00a0<\/span>{<\/span>\u00a0<\/span>$_<\/span>.<\/span>Properties<\/span>[<\/span>2<\/span>]<\/span>.<\/span>Value<\/span>\u00a0<\/span>}<\/span>)<\/span><\/p>\n

As with all logging systems that have a limited retention buffer (i.e.: ETW logs), one attack against this infrastructure is to flood the log with spurious events to hide earlier evidence. To protect yourself from this attack, ensure that you have some form of event log collection set up (i.e.: Windows Event Forwarding, http:\/\/www.nsa.gov\/ia\/_files\/app\/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf<\/a>) to move event logs off of the computer as soon as possible.<\/p>\n

 <\/p>\n

Antimalware Scan Interface Integration<\/h2>\n

In Windows 10, the Antimalware, Security and Identity, PowerShell, VBScript, and JScript teams have collaborated to allow applications to become active participants in malware defense. To do this, we’re introducing a brand new way to help protect customers from dynamic script-based malware and non-traditional avenues of attack. <\/span><\/a>\nWe’re calling this AMSI — the Antimalware Scan Interface<\/a>. PowerShell now submits all script content (interactive and otherwise) to the registered antimalware engine \u2013 including additional calls for scripts the employ obfuscation or layer dynamic code evaluation. For more information about how PowerShell interacts with the Antimalware Scan Interface, see: http:\/\/blogs.technet.com\/b\/mmpc\/archive\/2015\/06\/09\/windows-10-to-offer-application-developers-new-malware-defenses.aspx<\/a>.<\/p>\n

Cryptographic Message Syntax (CMS) encryption and decryption cmdlets<\/h2>\n

PowerShell version 5 and KB 3000850<\/i> introduces support for protection of content using the Cryptographic Message Syntax<\/i> (CMS) format. These cmdlets support encryption and decryption of content using the IETF standard format for cryptographically protecting messages as documented by RFC5652<\/a>.<\/p>\n

Get-CmsMessage [-Content] <string> <\/span><\/p>\n

Get-CmsMessage [-Path] <string> <\/span><\/p>\n

Get-CmsMessage [-LiteralPath] <string> <\/span><\/p>\n

Protect-CmsMessage [-To] <CmsMessageRecipient[]> [-Content] <string> [[-OutFile] <string>] <\/span><\/p>\n

Protect-CmsMessage [-To] <CmsMessageRecipient[]> [-Path] <string> [[-OutFile] <string>] <\/span><\/p>\n

Protect-CmsMessage [-To] <CmsMessageRecipient[]> [-LiteralPath] <string> [[-OutFile] <string>] <\/span><\/p>\n

Unprotect-CmsMessage [-EventLogRecord] <EventLogRecord> [[-To] <CmsMessageRecipient[]>] [-IncludeContext] <\/span><\/p>\n

Unprotect-CmsMessage [-Content] <string> [[-To] <CmsMessageRecipient[]>] [-IncludeContext] <\/span><\/p>\n

Unprotect-CmsMessage [-Path] <string> [[-To] <CmsMessageRecipient[]>] [-IncludeContext] <\/span><\/p>\n

Unprotect-CmsMessage [-LiteralPath] <string> [[-To] <CmsMessageRecipient[]>] [-IncludeContext] <\/span><\/p>\n

The CMS encryption standard implements public key cryptography, where the keys used to encrypt content (the public key<\/i>) and the keys used to decrypt content (the private key<\/i>) are different.\nYour public key can be shared widely, and is not sensitive data. If any content is encrypted with this public key, only your private key can decrypt it. For more information about Public Key Cryptography, see: http:\/\/en.wikipedia.org\/wiki\/Public-key_cryptography<\/span><\/a>.\nTo be recognized in Windows PowerShell, encryption certificates require a unique key usage identifier (EKU) to identify them as data encryption certificates (like the identifiers for ‘Code Signing’, ‘Encrypted Mail’).\nHere is an example of creating a certificate that is good for Document Encryption:\n(Change the text in Subject<\/b> to your name, email, or other identifier), and put in a file (i.e.: DocumentEncryption.inf):<\/p>\n

[Version]\r\nSignature = \"$Windows NT$\"\r\n[Strings]\r\nszOID_ENHANCED_KEY_USAGE = \"2.5.29.37\"\r\nszOID_DOCUMENT_ENCRYPTION = \"1.3.6.1.4.1.311.80.1\"\r\n[NewRequest]\r\nSubject = \"cn=me@somewhere.com<\/span><\/a>\"\r\nMachineKeySet = false\r\nKeyLength = 2048\r\nKeySpec = AT_KEYEXCHANGE\r\nHashAlgorithm = Sha1\r\nExportable = true\r\nRequestType = Cert\r\nKeyUsage = \"CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_DATA_ENCIPHERMENT_KEY_USAGE\"\r\nValidityPeriod = \"Years\"\r\nValidityPeriodUnits = \"1000\"\r\n\u00a0\r\n[Extensions]\r\n%szOID_ENHANCED_KEY_USAGE% = \"{text}%szOID_DOCUMENT_ENCRYPTION%\"<\/pre>\n
 <\/p>\n
Then run:<\/p>\n
certreq -new DocumentEncryption.inf DocumentEncryption.cer<\/pre>\n
And you can now encrypt and decrypt content:<\/p>\n
106 [C:\\temp]\n>> <\/span>$protected<\/span> =<\/span> “Hello World”<\/span> | <\/span>Protect-CmsMessage<\/span> -To<\/span> *me@somewhere.com*<\/a>\n<\/span>\n107 [C:\\temp]\n>> <\/span>$protected<\/span>\n—–BEGIN CMS—–\nMIIBqAYJKoZIhvcNAQcDoIIBmTCCAZUCAQAxggFQMIIBTAIBADA0MCAxHjAcBgNVBAMMFWxlZWhv\nbG1AbWljcm9zb2Z0LmNvbQIQQYHsbcXnjIJCtH+OhGmc1DANBgkqhkiG9w0BAQcwAASCAQAnkFHM\nproJnFy4geFGfyNmxH3yeoPvwEYzdnsoVqqDPAd8D3wao77z7OhJEXwz9GeFLnxD6djKV\/tF4PxR\nE27aduKSLbnxfpf\/sepZ4fUkuGibnwWFrxGE3B1G26MCenHWjYQiqv+Nq32Gc97qEAERrhLv6S4R\nG+2dJEnesW8A+z9QPo+DwYU5FzD0Td0ExrkswVckpLNR6j17Yaags3ltNVmbdEXekhi6Psf2MLMP\nTSO79lv2L0KeXFGuPOrdzPAwCkV0vNEqTEBeDnZGrjv\/5766bM3GW34FXApod9u+VSFpBnqVOCBA\nDVDraA6k+xwBt66cV84OHLkh0kT02SIHMDwGCSqGSIb3DQEHATAdBglghkgBZQMEASoEEJbJaiRl\nKMnBoD1dkb\/FzSWAEBaL8xkFwCu0e1ZtDj7nSJc=\n—–END CMS—–\n<\/span>108 [C:\\temp]\n>> <\/span>$protected<\/span> | <\/span>Unprotect-CmsMessage<\/span>\n<\/span>Hello World <\/span><\/p>\n
Any parameter of type CMSMessageRecipient supports identifiers in the following formats:<\/p>\n
\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span>An actual certificate (as retrieved from the certificate provider)<\/p>\n
\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span>Path to the a file containing the certificate<\/p>\n
\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span>Path to a directory containing the certificate<\/p>\n
\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span>Thumbprint of the certificate (used to look in the certificate store)<\/p>\n
\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><\/span>Subject name of the certificate (used to look in the certificate store)<\/p>\n
To view document encryption certificates in the certificate provider, you can use the –DocumentEncryptionCert<\/b> dynamic parameter for Get-ChildItem<\/span> (dir<\/span>):<\/p>\n
58 [Cert:\\currentuser\\my]\r\n >> dir -DocumentEncryptionCert<\/pre>\n
Interoperability of CMS Content<\/h3>\n
Because the CMS format is an IETF standard, PowerShell supports the decryption of content generated by other conforming tools, and the content it generates can be decrypted by other conforming tools.\nOne of the more popular implementations to support the CMS message format is the OpenSSL<\/a> library and command-line toolchain. The primary challenge when exchanging data with the OpenSSL library comes from the OpenSSL assumption that the content is contained within an email message body in the P7M format. Fortunately, these text-based headers are relatively easy to add and remove.\nThe following PowerShell commands demonstrate using OpenSSL and PowerShell to encrypt and decrypt content generated by the other application.<\/p>\n
## Install the OpenSSL package<\/span>\nInstall-Package<\/span>\u00a0<\/span>OpenSSL.Light<\/span><\/p>\n
## OpenSSL requires certificates in the PEM format. To create this,<\/span>\n## export the Windows certificate in PFX format, and ensure that<\/span>\n## the PFX is protected by a password (rather than account) as<\/span>\n## OpenSSL doesn’t support group-protected PFX files<\/span>\n&<\/span>\u00a0<\/span>“C:\\Program Files\\OpenSSL\\bin\\openssl.exe”<\/span>\u00a0<\/span>pkcs12<\/span>\u00a0<\/span>-in<\/span>\u00a0<\/span>C:\\temp\\cert.pfx<\/span>\u00a0<\/span>-out<\/span>\u00a0<\/span>c:\\temp\\cert.pem<\/span>\u00a0<\/span>-nodes<\/span><\/p>\n
## 1) Encrypt with PowerShell, decrypt with OpenSSL.<\/span><\/p>\n
## First, protect some content in PowerShell.<\/span>\nGet-Process<\/span>\u00a0<\/span>|<\/span>\u00a0<\/span>Protect-CmsMessage<\/span>\u00a0<\/span>-To<\/span>\u00a0<\/span>“*myRecipient*”<\/span>\u00a0<\/span>|<\/span>\u00a0<\/span>Set-Content<\/span>\u00a0<\/span>encrypted.txt<\/span><\/p>\n
<#\nPowerShell uses BEGIN CMS \/ END CMS sigils to signify encrypted content.\nOpenSSL requires an email-header:<\/span><\/p>\n
MIME-Version: 1.0\nContent-Disposition: attachment; filename=”smime.p7m”\nContent-Type: application\/pkcs7-mime; smime-type=enveloped-data; name=”smime.p7m”\nContent-Transfer-Encoding: base64\nSo, tweak the data.\n#><\/p>\n
$p7mHeader<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>@’\nMIME-Version: 1.0\nContent-Disposition: attachment; filename=”smime.p7m”\nContent-Type: application\/pkcs7-mime; smime-type=enveloped-data; name=”smime.p7m”\nContent-Transfer-Encoding: base64\n‘@<\/span>\n$unixContent<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>Get-Content<\/span>\u00a0<\/span>encrypted.txt<\/span>\u00a0<\/span>|<\/span>\u00a0<\/span>Select-String<\/span>\u00a0<\/span>-notmatch<\/span>\u00a0<\/span>“—-“<\/span>\n$p7mHeader<\/span>,<\/span>“`r`n”<\/span>,<\/span>$unixContent<\/span>\u00a0<\/span>|<\/span>\u00a0<\/span>Set-Content<\/span>\u00a0<\/span>encrypted_unix.txt<\/span>\u00a0<\/span>-Encoding<\/span>\u00a0<\/span>ASCII<\/span><\/p>\n
## Finally, decrypt with OpenSSL. Ensure that the content is encoded as ASCII.<\/span>\n&<\/span>\u00a0<\/span>“C:\\Program Files\\OpenSSL\\bin\\openssl.exe”<\/span>\u00a0<\/span>cms<\/span>\u00a0<\/span>-decrypt<\/span>\u00a0<\/span>-in<\/span>\u00a0<\/span>encrypted_unix.txt<\/span>\u00a0<\/span>-recip<\/span>\u00a0<\/span>.\\cert.pem<\/span><\/p>\n
## 2) Encrypt with OpenSSL, decrypt with PowerShell<\/span><\/p>\n
## First, protect some content with OpenSSL<\/span>\n$encrypted<\/span>\u00a0<\/span>=<\/span>\u00a0<\/span>Get-Process<\/span>\u00a0<\/span>|<\/span>\u00a0<\/span>&<\/span>\u00a0<\/span>“C:\\Program Files\\OpenSSL\\bin\\openssl.exe”<\/span>\u00a0<\/span>cms<\/span>\u00a0<\/span>-encrypt<\/span>\u00a0<\/span>-recip<\/span>\u00a0<\/span>.\\cert.pem<\/span><\/p>\n
## Change the OpenSSL mail header to the standard CMS header<\/span>\n“—–BEGIN CMS—–“<\/span>,<\/span>$(<\/span>$encrypted<\/span>\u00a0<\/span>-notmatch<\/span>\u00a0<\/span>“:”<\/span>)<\/span>,<\/span>“—–END CMS—–“<\/span>\u00a0<\/span>><\/span>\u00a0<\/span>encrypted.cms<\/span><\/p>\n
## Finally, decrypt with PowerShell<\/span>\nUnprotect-CmsMessage<\/span>\u00a0<\/span>-Path<\/span>\u00a0<\/span>.\\encrypted.cms<\/span><\/p>\n
Secure code generation APIs<\/h2>\n
Whenever you write code that may be subjected to attacker-controlled input, code injection vulnerabilities are among the most dangerous type of bug. A good example of code that may be subjected to attacker-controlled input are functions that you expose in a constrained PowerShell runspace. If an attacker can exploit a code injection vulnerability in one of those functions, they can execute code as though it were part of the function itself. That code would not be subject to the restrictions that you\u2019ve applied to the constrained runspace.\nAlmost every language can be subject to code injection vulnerabilities if used incorrectly. In SQL, this is called \u201cSQL Injection\u201d. In web sites, this is called \u201cCross site scripting\u201d. In CGI applications, shell scripts, or tools that invoke system commands – this is called \u201cCommand injection\u201d.\nIn PowerShell, the most common source of code injection vulnerabilities comes from including attacker-controlled input in a string that you submit to the Invoke-Expression<\/span> command. For example:<\/p>\n
function<\/span> Get-MyAcl<\/span>\n<\/span>{ <\/span><\/p>\n
\u00a0 \u00a0\u00a0param<\/span>($Path<\/span>)\n<\/span>\u00a0<\/span><\/p>\n
\u00a0 \u00a0\u00a0Invoke-Expression<\/span> “Get-Acl <\/span>$Path<\/span>“<\/span>\n<\/span>} <\/span><\/p>\n
If $Path<\/span> contains input such as \u201c;<\/span><\/span> Write-Host Pwnd<\/span><\/span>\u201d, the attacker can now execute the Write-Host<\/span> cmdlet (or much worse!) as well.\nThe Invoke-Expression cmdlet should almost always be avoided, as PowerShell (like other languages) has many features that take its place more securely.<\/p>\n
## Invoke a static command<\/span><\/p>\n
Get-Acl<\/span> -Path<\/span> c:\\temp\\file.txt\n<\/span> <\/span><\/p>\n
## Supply a dynamic parameter value<\/span><\/p>\n
## with a variable reference<\/span><\/p>\n
$paramValue<\/span> =<\/span> “c:\\temp\\file.txt”<\/span> <\/span><\/p>\n
Get-Acl<\/span> -Path<\/span> $paramValue<\/span> <\/span><\/p>\n
\n
## Supply both a dynamic parameter name and<\/span><\/p>\n
## value through ‘splatting’<\/span><\/p>\n
$parameters<\/span> =<\/span> @{ Path =<\/span> “c:\\temp\\file.txt”<\/span> } <\/span><\/p>\n
Get-Acl<\/span> @parameters<\/span> <\/span><\/p>\n
\n
## Supply a dynamic command name, parameter name,<\/span><\/p>\n
## and parameter value through the invocation<\/span><\/p>\n
## operator and splatting<\/span><\/p>\n
$commandName<\/span> =<\/span> “Get-Acl”<\/span> <\/span><\/p>\n
$parameters<\/span> =<\/span> @{ Path =<\/span> “c:\\temp\\file.txt”<\/span> } <\/span><\/p>\n
&<\/span> $commandName<\/span> @parameters <\/span><\/span><\/p>\n
If you are ever truly required to generate PowerShell scripts after making all attempts to avoid it, PowerShell version 5 and KB 3000850<\/i> introduces APIs to support secure generation of scripts that may contain attacker input.<\/p>\n
13 [C:\\temp]\n>> [<\/span>System.Management.Automation.Language.CodeGeneration<\/span>] | <\/span>gm<\/span> \u2013static\n<\/span>\u00a0\u00a0 TypeName: System.Management.Automation.Language.CodeGeneration\nName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0MemberType Definition\n—-\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0———- ———-\nEquals\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Method\u00a0\u00a0\u00a0\u00a0\u00a0static bool Equals(System.Object objA, System.Object objB)\nEscapeBlockCommentContent\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Method\u00a0\u00a0\u00a0\u00a0\u00a0static string EscapeBlockCommentContent(string value)\nEscapeFormatStringContent\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Method\u00a0\u00a0\u00a0\u00a0\u00a0static string EscapeFormatStringContent(string value)\nEscapeSingleQuotedStringContent Method\u00a0\u00a0\u00a0\u00a0\u00a0static string EscapeSingleQuotedStringContent(string value)\nEscapeVariableName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Method\u00a0\u00a0\u00a0\u00a0\u00a0static string EscapeVariableName(string value)<\/span><\/p>\n
If you are placing attacker-controlled input within a string (i.e.: for a command argument), ensure that you place it within a single-quoted string. Then, use EscapeSingleQuotedStringContent<\/span> on the content itself. This ensures that single quotes (or their equivalents \u2013 for there are several) in the attacker input are escaped properly.\nFor example:<\/p>\n
$attackerInput<\/span> =<\/span> “Hello’World”<\/span> <\/span><\/p>\n
$escapedAttackerInput<\/span> =<\/span> “‘”<\/span> +<\/span> <\/span><\/p>\n
\u00a0\u00a0\u00a0 [<\/span>Management.Automation.Language.CodeGeneration<\/span>]::<\/span> <\/span><\/p>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 EscapeSingleQuotedStringContent($attackerInput<\/span>) +<\/span> “‘”<\/span> <\/span><\/p>\n
$newScript<\/span> =<\/span> “Write-Host <\/span>$escapedAttackerInput<\/span>“<\/span> <\/span><\/p>\n
Invoke-Expression<\/span> $newScript<\/span><\/span><\/p>\n
Safe escaping of content to be included within block comments, format strings, or variable names is also supported.<\/p>\n
Constrained PowerShell<\/h2>\n
When a system is sensitive, one of the most powerful ways to limit the damage an attack can have is to reduce the capabilities of that attack. Windows\u2019 security controls come in many forms \u2013 creating a hierarchy of protections that incrementally add value.<\/p>\n\n\n\n\n\n\n
\n
Control<\/p>\n<\/td>\n
\n
Benefit<\/p>\n<\/td>\n
\n
Impact Without Control<\/p>\n<\/td>\n
\n
Limitations<\/p>\n<\/td>\n<\/tr>\n
\n
Antivirus \/ Antimalware<\/p>\n<\/td>\n
\n
Can limit the execution of malware known to the AV industry.<\/span><\/p>\n<\/td>\n
\n
Attacker can write and run any code, custom C++ applications, internet tools, etc.<\/span><\/p>\n<\/td>\n
\n
Can be disabled by administrators. AV signatures can be evaded if the attacker is capable of recompiling or modifying an application.<\/span><\/p>\n<\/td>\n<\/tr>\n
\n
Applocker in Deny Mode<\/p>\n<\/td>\n
\n
Can limit the execution of malware known to your organization.<\/span><\/p>\n<\/td>\n
\n
Attacker can write and run any code, custom C++ applications, etc., as long as they aren\u2019t well known attack tools or exploits.<\/span><\/p>\n<\/td>\n
\n
Can be disabled by administrators. Only blocks known evil \/ undesirable malware, can be bypassed with only minor application changes.<\/span><\/p>\n<\/td>\n<\/tr>\n
\n
Applocker in Allow Mode<\/p>\n<\/td>\n
\n
Can prevent the execution of unknown \/ unapproved applications.<\/span><\/p>\n<\/td>\n
\n
Attacker can write arbitrary custom applicatons, as long as they are not detected by AV or Applocker Deny rules.<\/span><\/p>\n<\/td>\n
\n
Can be disabled by administrators. Attacker can still leverage in-box tools like VBScript, Office macros, HTA applications, local web pages, PowerShell, etc.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\n
These protections are, of course, in addition to the regular Windows user permissions model. Applications don\u2019t need to prevent users from modifying system-wide registry keys because Windows itself enforces those protections.\nThe strongest form of protection is when a system employs AppLocker in \u2018Allow Mode\u2019, where only specific known applications are allowed to run.\nPrior to PowerShell version 5, a limitation of AppLocker\u2019s \u2018Allow Mode\u2019 was that interactive PowerShell input was not subject to this policy. While Allow Mode might prevent unknown PowerShell scripts from running, it would not prevent the equivalent commands entered at an interactive prompt.\nIn version 5, PowerShell now reduces its functionality to \u201cConstrained Mode\u201d for both interactive input and user-authored scripts when it detects that PowerShell scripts have an \u2018Allow Mode\u2019 policy applied to them. Constrained PowerShell limits the language mode to Constrained Language (as described in about_Language_Modes<\/a>), a mode first introduced for Windows RT.\nConstrained Language doesn\u2019t limit the capability of the core PowerShell language \u2013 familiar techniques such as variables, loops, and functions are all supported. It does, however, limit the extended language features that can lead to unverifiable code execution such as direct .NET scripting, invocation of Win32 APIs via the Add-Type cmdlet, and interaction with COM objects.\nScripts that are allowed by the AppLocker policy (for example: signed by the enterprise\u2019s trusted code signing certificate, or in a trusted directory) are not subject to Constrained Language. They have access to the extended capabilities of the PowerShell language disallowed by Constrained Language. This includes unverifiable extensions such as .NET scripting, and invocation of Win32 APIs.\nFor more information on configuring AppLocker, see https:\/\/technet.microsoft.com\/en-us\/library\/dd723678(v=ws.10).aspx<\/a>.\nHere\u2019s an example PowerShell command that lets you experiment with AppLocker in \u2018Allow Mode\u2019 for all scripts (i.e.: blocking all VBScripts, batch files, and PowerShell scripts by default), and then allows only PowerShell scripts from c:\\trusted<\/span> to run.<\/p>\n
PS C:\\> <\/span>$whitelistApplockerPolicy<\/span> =<\/span> New-AppLockerPolicy<\/span> -RuleType<\/span> Path <\/span>-FileInformation<\/span> “c:\\trusted\\*.ps1”\n<\/span>PS C:\\> <\/span>$existingApplockerPolicy<\/span> =<\/span> Get-AppLockerPolicy<\/span> \u2013Local\n<\/span>PS C:\\> <\/span>Set-AppLockerPolicy<\/span> $whitelistApplockerPolicy\n<\/span>PS C:\\> <\/span>powershell\n<\/span>Windows PowerShell\nCopyright (C) 2015 Microsoft Corporation. All rights reserved.\n<\/span>\nPS C:\\> $executionContext.SessionState.LanguageMode\nConstrainedLanguage<\/span><\/p>\n
PS C:\\> [Math]::Sqrt([Math]::Pi)\n<\/span>Cannot invoke method. Method invocation is supported only on core types in this language mode.\n<\/span>At line:1 char:1\n+ [Math]::Sqrt([Math]::Pi)\n+ ~~~~~~~~~~~~~~~~~~~~~~~~\n+ CategoryInfo\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : InvalidOperation: (:) [], RuntimeException\n+ FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage<\/span>\nPS C:\\> ‘[Math]::Sqrt([Math]::Pi)’ > c:\\trusted\\trusted.ps1\nPS C:\\> c:\\trusted\\trusted.ps1\n1.77245385090552<\/span>\nPS C:\\> exit\nPS C:\\>\u00a0Set-AppLockerPolicy<\/span>\u00a0$existingApplockerPolicy<\/span>\nBeware \u2013 if users can add or edit files in c:\\trusted<\/span>, then this policy offers no protection. Users in that situation can simply put scripts in that directory to bypass the policy. Also, if your AppLocker policy doesn\u2019t similarly limit executables, then this policy offers no protection. Users in that situation can simply run an executable to bypass the policy.<\/p>\n
In order to enforce its policies, AppLocker requires the <\/i>AppIDSvc<\/span> service to be running. When enabling a policy, be sure to set the service to Auto Start. <\/i><\/p>\n
As mentioned previously, Constrained PowerShell layers on top of the Windows permissions model. Because of that, it (like AppLocker) should be applied to regular user accounts and not system administrators. Administrator accounts can bypass the policy by simply changing or disabling it.<\/p>\n
Protected Event Logging<\/a><\/h2>\n
One concern when increasing the amount of logging on a system is the danger that logged content may contain sensitive data. For example, if you log the content of every PowerShell script that was run, there is the possibility that a script may contain credentials or other sensitive data.\nIf an attacker later compromises a machine that has logged this data, it may provide them with additional information with which to extend their reach.\nTo prevent this dilemma, Windows 10 introduces Protected Event Logging. Protected Event Logging lets participating applications encrypt sensitive data as they write it to the event log. You can then decrypt and process these logs once you\u2019ve moved them to a more secure and centralized log collector.\nOne common technique to move event logs to a more secure and centralized log collector is built in to Windows: Windows Event Forwarding. A great document on setting up Windows Event Forwarding is available from the NSA: \u201cSpotting the Adversary with Windows Event Log Monitoring<\/a>\u201d. Other options are System Center Operations Manager, or commercially available Security Information and Event Management (SIEM) systems.<\/p>\n
In Windows 10, PowerShell is the only application that participates in Protected Event Logging. <\/i><\/p>\n
Protected Event Logging protects event log content through the IETF Cryptographic Message Syntax (CMS) standard. The CMS encryption standard implements public key cryptography, where the keys used to encrypt content (the public key<\/i>) and the keys used to decrypt content (the private key<\/i>) are separate.\nYour public key can be shared widely, and is not sensitive data. If any content is encrypted with this public key, only your private key can decrypt it. For more information about Public Key Cryptography, see: http:\/\/en.wikipedia.org\/wiki\/Public-key_cryptography<\/span><\/a>.\nWhen you implement a protected event logging policy, you deploy a public key to all machines that have event log data you want to protect. You retain the corresponding private key to post-process the event logs at a more secure location such as a central event log collector, or SIEM aggregator.\nTo enable Protected Event Logging, enable the \u2018Enable Protected Event Logging\u2019 feature in Group Policy through Windows Components -> Administrative Templates -> Event Logging<\/span>. This setting requires an encryption certificate, which you can provide in one of several forms:<\/p>\n