PowerShell automation and scripting for cybersecurity hacking and defense for red and blue teamers
Explore PowerShell's offensive and defensive capabilities to strengthen your organization's security. Purchase of the print or Kindle book includes a free PDF eBook. Key Features: Master PowerShell for security by configuring, auditing, monitoring, exploiting, and bypassing defenses; Research...
| Other authors: | , |
|---|---|
| Format: | E-book |
| Language: | English |
| Published: | Birmingham, England : Packt Publishing [2023] |
| Edition: | 1st ed |
| Subjects: | |
| View in Biblioteca Universitat Ramon Llull: | https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009759339806719 |

Table of Contents:
- Cover
- Title Page
- Copyright and Credits
- Foreword
- Contributors
- Table of Contents
- Preface
- Part 1: PowerShell Fundamentals
- Chapter 1: Getting Started with PowerShell
- Technical requirements
- What is PowerShell?
- The history of PowerShell
- Why is PowerShell useful for cybersecurity?
- Getting started with PowerShell
- Windows PowerShell
- PowerShell Core
- Execution Policy
- Help system
- PowerShell versions
- PowerShell editors
- Summary
- Further reading
- Chapter 2: PowerShell Scripting Fundamentals
- Technical requirements
- Variables
- Data types
- Automatic variables
- Environment variables
- Reserved words and language keywords
- Variable scope
- Operators
- Comparison operators
- Assignment operators
- Logical operators
- Control structures
- Conditions
- Loops and iterations
- Naming conventions
- PowerShell profiles
- Understanding PSDrives in PowerShell
- Making your code reusable
- Cmdlets
- Functions
- The difference between cmdlets and script cmdlets (advanced functions)
- Aliases
- Modules
- Summary
- Further reading
- Chapter 3: Exploring PowerShell Remote Management Technologies and PowerShell Remoting
- Technical requirements
- Working remotely with PowerShell
- PowerShell remoting using WinRM
- Windows Management Instrumentation (WMI) and Common Information Model (CIM)
- Open Management Infrastructure (OMI)
- PowerShell remoting using SSH
- Enabling PowerShell remoting
- Enabling PowerShell remoting manually
- Configuring PowerShell Remoting via Group Policy
- PowerShell endpoints (session configurations)
- Connecting to a specified endpoint
- Creating a custom endpoint - a peek into JEA
- PowerShell remoting authentication and security considerations
- Authentication
- Authentication protocols
- Basic authentication security considerations
- PowerShell remoting and credential theft
- Executing commands using PowerShell remoting
- Executing single commands and script blocks
- Working with PowerShell sessions
- Best practices
- Summary
- Further reading
- Chapter 4: Detection - Auditing and Monitoring
- Technical requirements
- Configuring PowerShell Event Logging
- PowerShell Module Logging
- PowerShell Script Block Logging
- Protected Event Logging
- PowerShell transcripts
- Analyzing event logs
- Finding out which logs exist on a system
- Querying events in general
- Which code was run on a system?
- Downgrade attack
- EventList
- Getting started with logging
- An overview of important PowerShell-related log files
- Increasing log size
- Summary
- Further reading
- Part 2: Digging Deeper - Identities, System Access, and Day-to-Day Security Tasks
- Chapter 5: PowerShell Is Powerful - System and API Access
- Technical requirements
- Getting familiar with the Windows Registry
- Working with the registry
- Security use cases
- User rights
- Configuring access user rights
- Mitigating risks through backup and restore privileges
- Delegation and impersonation
- Preventing event log tampering
- Preventing Mimikatz and credential theft
- System and domain access
- Time tampering
- Examining and configuring user rights
- Basics of the Windows API
- Exploring .NET Framework
- .NET Framework versus .NET Core
- Compile C# code using .NET Framework
- Using Add-Type to interact with .NET directly
- Loading a custom DLL from PowerShell
- Calling the Windows API using P/Invoke
- Understanding the Component Object Model (COM) and COM hijacking
- COM hijacking
- Common Information Model (CIM)/WMI
- Namespaces
- Providers
- Events subscriptions
- Monitor WMI/CIM event subscriptions
- Manipulating CIM instances
- Enumeration
- Where is the WMI/CIM database located?
- Running PowerShell without powershell.exe
- Using "living off the land" binaries to call assembly functions
- Binary executables
- Executing PowerShell from .NET Framework using C#
- Summary
- Further reading
- Chapter 6: Active Directory - Attacks and Mitigation
- Technical requirements
- Introduction to Active Directory from a security point of view
- How attacks work in a corporate environment
- ADSI, ADSI accelerators, LDAP, and the System.DirectoryServices namespace
- Enumeration
- Enumerating user accounts
- Enumerating GPOs
- Enumerating groups
- Privileged accounts and groups
- Built-in privileged groups in AD
- Password spraying
- Mitigation
- Access rights
- What is a SID?
- Access control lists
- OU ACLs
- GPO ACLs
- Domain ACLs
- Domain trusts
- Credential theft
- Authentication protocols
- Attacking AD authentication - credential theft and lateral movement
- Mitigation
- Microsoft baselines and the security compliance toolkit
- Summary
- Further reading
- Chapter 7: Hacking the Cloud - Exploiting Azure Active Directory/Entra ID
- Technical requirements
- Differentiating between AD and AAD
- Authentication in AAD
- Device identity - connecting devices to AAD
- Hybrid identity
- Protocols and concepts
- Privileged accounts and roles
- Accessing AAD using PowerShell
- The Azure CLI
- Azure PowerShell
- Attacking AAD
- Anonymous enumeration
- Password spraying
- Authenticated enumeration
- Credential theft
- Token theft
- Consent grant attack - persistence through app permissions
- Abusing AAD SSO
- Exploiting Pass-through Authentication (PTA)
- Mitigations
- Summary
- Further reading
- Chapter 8: Red Team Tasks and Cookbook
- Technical requirements
- Phases of an attack
- Common PowerShell red team tools
- PowerSploit
- Invoke-Mimikatz
- Empire
- Inveigh
- PowerUpSQL
- AADInternals
- Red team cookbook
- Reconnaissance
- Execution
- Persistence
- Defense evasion
- Credential access
- Discovery
- Lateral movement
- Command and Control (C2)
- Exfiltration
- Impact
- Summary
- Further reading
- Chapter 9: Blue Team Tasks and Cookbook
- Technical requirements
- Protect, detect, and respond
- Protection
- Detection
- Response
- Common PowerShell blue team tools
- PSGumshoe
- PowerShellArsenal
- AtomicTestHarnesses
- PowerForensics
- NtObjectManager
- DSInternals
- PSScriptAnalyzer and InjectionHunter
- Revoke-Obfuscation
- Posh-VirusTotal
- EventList
- JEAnalyzer
- Blue team cookbook
- Checking for installed updates
- Checking for missing updates
- Reviewing the PowerShell history of all users
- Inspecting the event log of a remote host
- Monitoring to bypass powershell.exe
- Getting specific firewall rules
- Allowing PowerShell communication only for private IP address ranges
- Isolating a compromised system
- Checking out installed software remotely
- Starting a transcript
- Checking for expired certificates
- Checking the digital signature of a file or a script
- Checking file permissions of files and folders
- Displaying all running services
- Stopping a service
- Displaying all processes
- Stopping a process
- Disabling a local account
- Enabling a local account
- Disabling a domain account
- Enabling a domain account
- Retrieving all recently created domain users
- Checking whether a specific port is open
- Showing TCP connections and their initiating processes
- Showing UDP connections and their initiating processes
- Searching for downgrade attacks using the Windows event log
- Preventing downgrade attacks
- Summary
- Further reading
- Part 3: Securing PowerShell - Effective Mitigations In Detail
- Chapter 10: Language Modes and Just Enough Administration (JEA)
- Technical requirements
- What are language modes within PowerShell?
- Full Language (FullLanguage)
- Restricted Language (RestrictedLanguage)
- No Language (NoLanguage)
- Constrained Language (ConstrainedLanguage)
- Understanding JEA
- An overview of JEA
- Planning for JEA
- Role capability file
- Session configuration file
- Deploying JEA
- Connecting to the session
- Simplifying your deployment using JEAnalyzer
- Converting script files to a JEA configuration
- Using auditing to create your initial JEA configuration
- Logging within JEA sessions
- Over-the-shoulder transcription
- PowerShell event logs
- Other event logs
- Best practices - avoiding risks and possible bypasses
- Summary
- Further reading
- Chapter 11: AppLocker, Application Control, and Code Signing
- Technical requirements
- Preventing unauthorized script execution with code signing
- Controlling applications and scripts
- Planning for application control
- Built-in application control solutions
- Getting familiar with Microsoft AppLocker
- Deploying AppLocker
- Audit AppLocker events
- Exploring Windows Defender Application Control
- Creating code integrity policies
- Virtualization-based security (VBS)
- Deploying WDAC
- How does PowerShell change when application control is enforced?
- Further reading
- Chapter 12: Exploring the Antimalware Scan Interface (AMSI)
- Technical requirements
- What is AMSI and how does it work?
- Why AMSI? A practical example
- Example 1
- Example 2
- Example 3
- Example 4
- Example 5
- Example 6
- Bypassing AMSI
- Preventing files from being detected or disabling AMSI temporarily
- Obfuscation
- Base64 encoding
- Summary
- Further reading
- Chapter 13: What Else? - Further Mitigations and Resources
- Technical requirements
- Secure scripting