30 March 2021 by Tom Collins
I use PowerShell extensively in supporting SQL Server and other applications. PowerShell is a significant component of the Windows operating system. I won't go into detail, but there is also the progress of PowerShell Core, which is the multiplatform option.
Recently there has been rising concern about fileless malware that abuses PowerShell. There are significant benefits for an attacker in abusing PowerShell, one of the main reasons being that PowerShell allows deep access to the Windows core. The very aspect of PowerShell that makes it so valuable and effective in managing SQL Server and other Windows services also potentially opens up exploit possibilities.
What are some actions to take in securing PowerShell?
Use PowerShell v5
-> Anti-Malware Scan Interface (AMSI) - an interface through which applications can submit script content to be scanned for malicious intent. Specific data is passed to the AMSI functions, which report whether it is malicious or not. Specifically, when a PowerShell process is created, AMSI.DLL is loaded from local disk into its address space.
There are ways around AMSI, but it offers a starting point.
With Windows Server 2016/2019, Windows Defender can be installed as an added server feature:
Install-WindowsFeature -Name Windows-Server-Antimalware
--to display a list of cmdlets in the Defender module
Get-Command -Module Defender
Get-MpPreference - gets the preferences for Windows Defender scans and updates
--check Windows Defender is running
Get-Service WinDefend
-> Script block logging - logs the PowerShell code as it is executed; think of it as an audit trail. Enable it by either a registry setting or Group Policy.
-> Use the Start-Transcript cmdlet - this PowerShell cmdlet creates a record of everything in a PowerShell session.
-> Constrained Language Mode - the purpose is to support daily administrative tasks but restrict access to more sensitive cmdlets and .NET functionality.
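As an added example (not code from the original post), the audit function below checks each of the controls listed above on the local host: PowerShell version, whether AMSI.DLL is loaded into the current process, the WinDefend service, the script block logging and transcription policy values, and the session's language mode. It assumes an elevated Windows PowerShell session; the registry paths are the standard Group Policy locations for script block logging and transcription.

```powershell
# Added example, not from the original post. Audits the PowerShell
# hardening items discussed in the post on the local machine.
# Assumes an elevated Windows PowerShell session.
function Test-PowerShellHardening {
    $result = [ordered]@{}

    # 1. PowerShell v5 or later (AMSI and script block logging need v5+)
    $result['PSVersion']   = "$($PSVersionTable.PSVersion)"
    $result['PSVersionOK'] = $PSVersionTable.PSVersion.Major -ge 5

    # 2. AMSI: amsi.dll should be loaded into this process's address space
    $amsi = (Get-Process -Id $PID).Modules |
            Where-Object { $_.ModuleName -eq 'amsi.dll' }
    $result['AmsiLoaded'] = [bool]$amsi

    # 3. Windows Defender service state
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $result['DefenderRunning'] = (($null -ne $svc) -and ($svc.Status -eq 'Running'))

    # 4. Script block logging policy (Group Policy registry location)
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sblValue = (Get-ItemProperty -Path $sbl -Name EnableScriptBlockLogging `
                 -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    $result['ScriptBlockLogging'] = ($sblValue -eq 1)

    # 5. Transcription policy (equivalent of always-on Start-Transcript)
    $tr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
    $trValue = (Get-ItemProperty -Path $tr -Name EnableTranscripting `
                -ErrorAction SilentlyContinue).EnableTranscripting
    $result['Transcription'] = ($trValue -eq 1)

    # 6. Language mode of the current session
    $mode = "$($ExecutionContext.SessionState.LanguageMode)"
    $result['LanguageMode']        = $mode
    $result['ConstrainedLanguage'] = ($mode -eq 'ConstrainedLanguage')

    [pscustomobject]$result
}

Test-PowerShellHardening | Format-List
```

A False in any row points to the control that is missing on that server; ScriptBlockLogging and Transcription only reflect the policy keys, so settings applied another way will not show here.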
None of these methods is foolproof; each can be bypassed. They have to be viewed within the context of an overall security policy. Unrestricted access to the underlying Windows APIs, particularly on critical database servers, has the potential to disable an organisation. There is a wider conversation required about trust.
Zero trust is an idea increasingly gaining traction: the idea that an organisation shouldn't automatically trust any entity inside or outside the organisation, and therefore everything must be verified prior to gaining access to a system.
Read more on PowerShell & Security
PowerShell, PsExec and lock pages in memory – made easy
PowerShell - run script on all SQL servers