Tag Archives: Security

PowerShell and Security – Presentation at iSense

As mentioned in the previous blog post, I was invited to speak at iSense about PowerShell and Security. This event was fully sponsored by iSense, who provided the attendees with a great experience. Before my session I was briefly interviewed; the interview, in Dutch, will be available soon.

Security is a topic that continues to make headlines around the world, and as a result PowerShell is mentioned more often, either as a method to exploit or as a means to prevent attacks and secure your systems. In this presentation I showed how PowerShell can be configured to provide insight into what scripts and tools are running in your environment, and how to secure your PowerShell endpoints using Just Enough Administration (JEA).

The audience after 90 minutes of PowerShell and Security

After the presentation I received a lot of questions about PowerShell in general and about the Dutch PowerShell User Group. We will soon be holding another PowerShell User Group meeting; for more information visit the following link: 10th DuPSUG Meeting. At the time of writing there are still a few tickets available for this event on the 9th of March.

Furthermore, at the Dutch PowerShell User Group we are working on putting out some events that are a bit more beginner-oriented. For anyone who is interested in learning more about PowerShell, stay tuned, as we have a lot of interesting things in the works.

The presentation deck and the slides are as always available on GitHub:
GitHub – Jaap Brasser – Events – iSense2017

For more information I have provided an overview of all the links in this article:

PowerShell and Security @ iSense
GitHub – Slides and code
iSense
Dutch PowerShell User Group
IT Future Lab – PowerShell and Security

Next week: Presenting at iSense on PowerShell and Security

Recently I was invited by iSense to come and speak at one of their technical evenings. On the 16th of February I will be speaking on PowerShell and Security. To quote a short excerpt from the iSense website:

This demo-rich session goes into detail on some best practices for securing PowerShell and highlights the steps that have been taken in PowerShell 5.0 that allow you to do so. In the first section of this evening we will touch on some of the basic security concepts that we have available to us in PowerShell. Then Jaap will go into detail on how you can correctly implement them by demoing the functionality.

For more information on this head over to:
PowerShell and Security – The how, what and why

There are still tickets available, so if you are interested in PowerShell, Security or a combination of both I would be more than happy to meet you there.

MS Fest Prague 2016 – Short Recap


Last weekend I had the pleasure of being invited to speak at MS Fest in Prague. This was the second year in a row for me that I was speaking at this event and it was once again great to attend and to have the opportunity to meet with people from the other side of Europe.

During the conference I talked about PowerShell security, in which I discussed the different kinds of logging that are available in PowerShell and how they can be used to find out what is happening on your system. Furthermore, we went into ransomware: what it is, how it operates and what we can do about it.

My slides and code are, as always, available on my GitHub account:

GitHub – Jaap Brasser – Events – MS Fest Praha

To give you an impression of the event I have included some photos taken during MS Fest:


Quickly and securely storing your credentials – PowerShell

During the last PowerShell event I quickly demoed the Export-CliXml functionality to quickly, easily, and most importantly, securely store credentials in a file. In this article I will describe the following three steps:

  • Store credentials in a variable
  • Export the variable to a file
  • Import the credential object from the file into a variable

To get a credential object we can either manually create one or use the Get-Credential cmdlet to prompt for the account details:

```powershell
# Prompt for a username and password; the password is held as a SecureString
$Credential = Get-Credential
```

To store the credentials into a .cred file:

```powershell
# Serialize the PSCredential object to a .cred file in the user profile
$Credential | Export-CliXml -Path "${env:\userprofile}\Jaap.Cred"
```

And to load the credentials from the file and back into a variable:

```powershell
# Deserialize the credential and use it for a remote command
$Credential = Import-CliXml -Path "${env:\userprofile}\Jaap.Cred"
Invoke-Command -ComputerName 'Server01' -Credential $Credential -ScriptBlock {whoami}
```


The advantage of this approach is that you can leverage the versatility of PowerShell to ensure that the data is not only exported, but also stored securely, because the password is serialized as a secure string. Note that a credential file created this way can only be opened by the same user on the same system. Any type of credential can be stored like this; both local accounts and domain accounts can be saved in this manner.

Note that you are not limited to storing a single set of credentials in this manner; you can store any number of accounts. For example, the following prompts for three different sets of credentials and stores them in a hash table, which can then be exported and imported in the same way:

```powershell
# Collect several credentials into one hash table, keyed by role
$Hash = @{
    'Admin'      = Get-Credential -Message 'Please enter administrative credentials'
    'RemoteUser' = Get-Credential -Message 'Please enter remote user credentials'
    'User'       = Get-Credential -Message 'Please enter user credentials'
}
# The whole hash table is serialized; each password stays a SecureString
$Hash | Export-Clixml -Path "${env:\userprofile}\Hash.Cred"
$Hash = Import-CliXml -Path "${env:\userprofile}\Hash.Cred"
Invoke-Command -ComputerName Server01 -Credential $Hash.Admin -ScriptBlock {whoami}
Invoke-Command -ComputerName Server01 -Credential $Hash.RemoteUser -ScriptBlock {whoami}
Invoke-Command -ComputerName Server01 -Credential $Hash.User -ScriptBlock {whoami}
```
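The post states that the exported file can only be opened by the same user on the same system; that property comes from the SecureString being protected with the Windows Data Protection API (DPAPI) when it is serialized. The following is an added example, not code from the original post, that makes this checkable: it stores a constructed sample credential, verifies that the file holds a DPAPI blob rather than the password, and round-trips it. The file path, account name and password are placeholders, and the DPAPI check is a deliberate guard for the case where the file was produced by PowerShell on a non-Windows host, where the serialized SecureString is not bound to the user and machine.

```powershell
# Added example (not from the original post): store a credential with Export-CliXml,
# then verify the file holds a DPAPI-protected blob rather than the password itself.
# Path, account name and password are placeholders for illustration.
$CredPath = Join-Path -Path $env:USERPROFILE -ChildPath 'Example.cred'

function Test-ProtectedCredentialFile {
    param([Parameter(Mandatory)][string]$Path)
    # Every SecureString (<SS>) node must be a DPAPI blob. DPAPI blobs start with
    # version 1 followed by the provider GUID d08c9ddf-0115-d111-8c7a-00c04fc297eb.
    $DpapiHeader = '01000000d08c9ddf0115d1118c7a00c04fc297eb'
    [xml]$Doc = Get-Content -Path $Path -Raw
    $Nodes = $Doc.SelectNodes('//*[local-name()="SS"]')
    if ($Nodes.Count -eq 0) { return $false }   # password stored as plain <S>, or missing
    foreach ($Node in $Nodes) {
        if (-not $Node.InnerText.StartsWith($DpapiHeader, [StringComparison]::OrdinalIgnoreCase)) {
            return $false
        }
    }
    return $true
}

# Constructed sample credential so the example runs without an interactive prompt
$PlainPassword  = 'Example-Only-P@ss'
$SecurePassword = ConvertTo-SecureString -String $PlainPassword -AsPlainText -Force
$Credential     = [pscredential]::new('CONTOSO\svc-example', $SecurePassword)

$Credential | Export-CliXml -Path $CredPath

# 1. The plaintext password must never appear in the file
if ((Get-Content -Path $CredPath -Raw) -match [regex]::Escape($PlainPassword)) {
    throw "Plaintext password found in $CredPath"
}

# 2. The blob must actually be DPAPI-protected; this fails for a file written by
#    PowerShell on a non-Windows host, where no DPAPI protection is applied
if (-not (Test-ProtectedCredentialFile -Path $CredPath)) {
    throw "$CredPath is not DPAPI-protected; do not rely on it for secrets"
}

# 3. Round-trip: the same user on the same machine gets the original credential back
$Imported = Import-CliXml -Path $CredPath
if ($Imported.UserName -ne $Credential.UserName -or
    $Imported.GetNetworkCredential().Password -ne $PlainPassword) {
    throw 'Round-trip mismatch'
}
Write-Host "Credential for $($Imported.UserName) stored and verified at $CredPath"

Remove-Item -Path $CredPath   # clean up the example file
```

Run it as the account that will later import the file; the same three checks apply unchanged to the hash-table variant above, since Export-Clixml serializes each nested password as its own SS node. If the import step is attempted under another user account or on another machine, Import-CliXml cannot decrypt the SecureString, which is exactly the behaviour the post relies on.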

MSFest Prague 2015 – Slides and Code


At the end of November I had the pleasure of attending and speaking at MSFest in Prague. This event, aimed at the Czech IT Professional and Developer community, covered a wide variety of topics, and I was asked to do two sessions on PowerShell. I presented the following two sessions:

  • PowerShell Security features and threat management
  • PowerShell Advanced Toolmaking

I have put the presentation and the code online in my Events GitHub repository.

All links in this article are available here:

Links in this Article
MS Fest Praha
Jaap Brasser – GitHub
MSFest Prague 2015 – Code and Slides

Experts Live event in the Netherlands

Today Experts Live is kicking off in one hour; this is the biggest community-driven event for IT Professionals in the Netherlands. There are more than 40 technical sessions presented by community and technical leaders, and I am proud to be presenting here on PowerShell today.

If you are unable to join the event today, I will share the materials I presented over the next couple of weeks. For more information about this event, please have a look at the site here:
www.expertslive.nl

My day at TechEd Pre-conference

Yesterday I attended the TechEd Europe 2013 Pre-conference. I had signed up for the ‘Lessons from the Field: Useful Hacker Techniques for Administrators’ session by Hasain Alshakarti, Paula Januszkiewicz and Marcus Murray. They were very knowledgeable on the subject matter and presented their information in an interesting way.

To give a short overview of the topics that were covered:

  • Using a vulnerable .aspx page on an IIS server in combination with several privilege escalation methods to compromise an Active Directory domain
  • Managed Service Accounts as a method to harden application servers
  • Abusing the Direct Memory Access used by FireWire/Thunderbolt to compromise a fully patched Windows 8 machine using the Inception tool
  • Using the offline registry to compromise a machine
  • Using airodump-ng to sniff and attack wireless networks
  • www.cloudcracker.com, a website that cracks WPA2 passwords in twenty minutes
  • Using mimikatz to grab usernames and passwords from memory
  • Using findstr.exe to grab plaintext passwords / password hashes from virtual machine memory snapshots
  • Core Impact Professional, a hacking / administrative tool that can be useful in both scenarios: either as an emergency response tool or as a malicious tool to take control of computers
  • Rubber Ducky: a USB key that acts as a keyboard, which can be used to bypass UAC and other security features to quickly install malware on a system
  • Volatility, a memory analysis tool which can be used to gather a variety of information from a dump file, including passwords and credential hashes

Downloads for this session are available at:

http://sdrv.ms/11ka1Ju
http://cqure.pl
http://truesec.com