Cybersecurity Talk with Jeffrey Hicks: Is PowerShell a good hacking tool?

Jeff and Paula shared the stage at the latest NIC conference in Oslo — this is where this interview was shot. They were talking PowerShell Security — one of Jeff’s favorite subjects (to the point where he sometimes dreams in PowerShell, as he admitted…).

In this episode of Cybersecurity Talk, I’ve got Jeffrey Hicks. He’s an absolute professional in PowerShell, with over 25 years of experience working in the infrastructure field, and a Microsoft MVP in the PowerShell specialization. You can find him on Twitter @JeffHicks and on his blog: jdhitsolutions.com

PowerShell – good hacking tool?

Paula:

I’m a penetration tester myself, and I’ve noticed that PowerShell has become a popular tool for everybody, like administrators and also some other people from other specializations. I’m using PowerShell for hacking. But, do you think that PowerShell could be a good hacking tool? What’s your feeling about that?

Jeffrey:

You know, this comes up all the time. It came up when PowerShell first came out because we had just come from the days of VBScript, and Melissa, ILOVEYOU and all those ugly things, and everyone said, “Oh no, Microsoft’s going to do it to us again.” Well, yes and no. PowerShell is a terrific management tool. It’s for IT pros. They can get an enormous amount of work done with very little work.

Naturally, if you are a hacker or a bad actor, and you want to get a lot of bad things done really quickly, sure, PowerShell is a great tool to use, primarily because not only do you have all the built-in cmdlets, but you have direct access to the .NET Framework. If you have a developer background, there’s an enormous amount of things you can do, provided you first get access.

Once you have access, if you already own the box, the fact that you’re using PowerShell is really irrelevant; you’re already in bad doo-doo. But, sure, if I’m a bad guy, and I want to get a lot done quickly, including cleaning up my tracks, PowerShell is a perfect tool for that.

Paula:

Especially since we’ve got so many different additional modules that are free to download and that could help you out with more hacking activities.

Jeffrey:

Sure.

Paula:

There is also Mimikatz written in PowerShell. You are able to steal credentials just by using PowerShell. What I personally think is cool, in the hacking case, is that PowerShell is not something that’s recognized by anti-virus, right?

Jeffrey:

Right, because it’s a management engine; PowerShell itself has to be hosted in an application. You can spin up a PowerShell engine just from a cmd prompt, or even, I think, in memory, so anti-virus stuff can’t necessarily detect that. It’s not like people are going to be running scripts, because that is something that maybe anti-virus could detect. But, no, the anti-virus can’t do that.

We do have new things in PowerShell version 5.1, where Microsoft has really ratcheted up the logging, so you may not necessarily be able to know immediately, “Oops, I’ve been compromised,” but you’ll be able to go back after the fact and dig through all the logs and identify: what did they do, who did it, what machines did they access, how did they get in? At least from a forensic, recovery point of view, you’ve got much more information now than we ever did in the previous versions of PowerShell.

Paula:

And, it’s so accessible, right?

Jeffrey:

It’s very accessible.

Do we need to be afraid of PowerShell?

Paula:

Yeah, I’m wondering because in general from the PowerShell perspective, that could be also the tool that people are afraid of. Administrators are afraid that PowerShell could be used in the enterprise to prevent from hacking since they will never see that.

Do you have any advice for such people?

Jeffrey:

You know, PowerShell by default has built-in safety guards. They’re not access security boundaries. They’re like the lid on the nuclear launch button. You’ve got to lift up the lid, but you first have to have access to reach the lid to lift it up. There are things like script execution. By default, you cannot run a PowerShell script. Also, if someone were to get a malicious script in email and double-click it, we’re not going to have a PowerShell script run.

You can certainly change that as an admin. If you don’t know what you’re doing and are totally incompetent and you should be fired, and have something bad run, or if someone copies the contents of that script, opens the PowerShell prompt, pastes it in, and they have the permissions and the necessary tools, PowerShell will happily do that. That’s an easy fix. You don’t give your users, including admins, elevated credentials to run with. So, their PowerShell sessions pretty much always open as lower admin. Even if somehow unintended code was executed, they don’t have the necessary permissions to do that. That’s a great way to limit it. Just use common sense.

Let’s have a look at Just Enough Administration

Paula:

Sounds good. There also is Just Enough Administration. What do you think about that one?

Jeffrey:

Just Enough Administration is a remoting tool — tool set actually — that is designed for admins to provide a more secure remoting environment. I mean, PowerShell, the way that it really shines in the enterprise is I can manage 1,000 servers all at once. I want to query event logs; I need to check the system event log, searching for, say, when the server restarted, or some other indication that I’ve been compromised. PowerShell remoting makes it really easy.

However, by default, you have to be an admin, and you get access to everything. But, with JEA, you can create what’s called a constrained or delegated endpoint. I can still connect to a server, but then I can say, “Only these people can connect to that endpoint, and when they connect, they can only run these commands.”

Paula:

Which is pretty cool.

Jeffrey:

Even further, I can say, “You know what? They can run these commands, but they can only use these parameters, and for these parameters, they can only use this set of values.” You can really restrict what they can do. We can take this even further by tying it in with the Just Enough Administration toolkit. There are two JEA tools I always get confused between, where you can, in essence, push out an endpoint and say to someone: “You have a half hour to go do your thing, then that endpoint is gone, and you no longer have access.”

PowerShell and remoting

Jeffrey:

Microsoft recognizes that there are certainly a lot of vulnerabilities. People can certainly take advantage of PowerShell and remoting, and we’re doing things to make that harder. Education is a big part of it. Another thing with remoting, since we mentioned it, is a lot of IT pros think that once they turn on PowerShell remoting, they’re done.

But it’s not. PowerShell remoting: turning that on, which you have to have on now because there’s no way you can manage things in Windows otherwise, is really only the first step. People forget, “Oh, well, I could configure firewall rules, or use IPsec.” There are all sorts of networking tools that we have. They totally forget. “Oh, it’s PowerShell, I’m done.” No. That’s really just the first step.

You don’t have to have all your servers accessible from every IP address in your environment. Right?

Paula:

That’s a good point.

Jeffrey:

I just want my domain admins. I know what their desktops are. Only they have access, so I can do things networking-wise.

Paula:

You can trim that.

Jeffrey:

I can’t trim that, so that’s something that I think a lot of IT pros forget. They just see PowerShell. They get excited. They go: “Oh, remoting is turned on, I can access all these boxes, I’m good to go.” If you really want to be secure, you have more work that you want to do.

How could PowerShell improve the infrastructure security?

Paula:

Yep, yeah, absolutely. What we also see from our side is that, for example, there are companies that want to implement code execution prevention solutions, and by default, even in Outlook or in Windows, you’ve got the possibility to turn on the default rules, as they call them. The default rules allow running everything that is in the Windows folder and everything that is in the Program Files folder.

They forget that it could also be a dangerous tool if it’s in the user’s hands, and the user doesn’t know what to do. It’s still a user, but we can also, for example, encrypt the data with PowerShell and ask for a ransom. Just an idea we were also thinking about.

Okay, so what do you think: how could PowerShell improve infrastructure security, and how can we make it a good tool for securing our servers, in order to win the battle against hackers?

Jeffrey:

All right, so a couple of things come to my mind. First, PowerShell version 5.1 is now available, including down-level, down to 2008 R2, which hopefully is the minimum level that people are running on their servers. That is something that I would encourage people to deploy.

Check the README so you’re not running it on a server that may have some special limitations, but that caveat aside, with 5.1 you will get all the latest security features, like the logging and all of that. So, first thing, make sure you’re running the most current version of PowerShell. Another feature that I think could really fall into the security category is DSC: Desired State Configuration.

Paula:

It’s a great feature.

Jeffrey:

Because with DSC, I can create a configuration to say, “I want this server to look like this.” I want to have these servers, these registry keys, these features, whatever. I can either configure the server to pull it from a central server or push it to it. But, what’s key here is that I can configure that server and say, “Hey, check every 15 minutes, and if something is out of compliance, out of the configuration, reset it.”

Paula:

That’s great.

Jeffrey:

DSC is really a framework. I have been told that there’s some part of the Department of Defense in the US that uses DSC. They’ve built some of their own tools, and they have a mechanism, because they want to check faster than every 15 minutes, that if they detect that the server is out of compliance, they assume it’s been breached, and they kill it.

They have automated procedures to bring up a new server because they already know what it’s supposed to look like. It’s all automated, it’s like that. They may kill the server or take it offline, so they can analyze it later and say, “Okay, what happened? Was this a real problem, or did some intern do something they weren’t supposed to do?” But, using DSC would be a great way to make sure that the server is always configured the way I want it to be.

Paula:

Which actually brings me to an interesting conclusion: that DSC, for example, could be a part of the Incident Response Plan. For example, when we’ve got a problem, we are getting hacked, like you said, one of the servers is affected. We just wipe it. We have the full comfort of knowing that we’ve got a solution that works pretty well to bring things back up again, and we are back in operation.

Jeffrey:

The whole point that you will hear from Microsoft, and this is from Jeffrey Snover, is that IT pros need to start treating their servers like cattle, not like pets.

Paula:

Oh, that’s a good comparison.

The times when we were building the servers from scratch…

Jeffrey:

For the longest time, and I’ve been in IT for over 25 years, we would build a server. It would take you a week to build a server. You had to order hardware, you had to put everything in, manually load the floppy disks to get everything. It would take a long time. You’d lovingly hand-craft that server. If something went wrong, “Oh, I’ll fix you, baby. You’ll be fine.”

We can’t do that anymore. Now, for one thing, servers are up in the cloud. They’re not down the hallway and all of that. Now we just decide, and we don’t give it fancy, beautiful names. It’s just a number. If the server is compromised or fails in some way, I don’t take the time to try to fix it. I just make hamburger and fire up a new machine and send the configuration, and I know that I’m good to go. Absolutely.

One piece of advice from Jeffrey Hicks for those who want to become IT pros

Paula:

That’s very cool. Here comes the challenging question. The question is: if we’ve got someone that is at the very beginning of their career, and they look at you and they’re like, “Oh, I want to be like him, I want to know all the PowerShell stuff and be a true geek,” what would you advise such a person?

Jeffrey:

Certainly, there are lots of books and stuff. I actually have a page on my blog for Essential PowerShell Resources because I get asked that all the time. “What books am I supposed to look at? What videos?” and all that. Obviously, I’ve written and created a lot of that. The big thing about learning PowerShell is that it’s a language. It’s like if I were to try to learn Polish, I would need to use it every day in order to become fluent in it.

PowerShell is the same way. You have to find ways to use it every day. That’s the number one takeaway there.

Paula:

So, someone should just spend their time and be there every day: study, learn, read the books, et cetera?

Jeffrey:

Even if you do nothing more than read the help topics on some command once a day.

Paula:

Okay. That could do. Yeah, like learning one word in a foreign language.

Jeffrey:

Exactly. Learning something new. But you have to use it.

The advice for the more advanced ones…

Paula:

Sure, and what about the advanced guys? You’ve got an administrator in the infrastructure, and he or she knows, of course, all the stuff that they manage, and basically this person wants to know more PowerShell, be better, be fluent. What kind of advice would you give to such a person?

Jeffrey:

I’m going to give them actually two little pieces of advice. One is, turn around and share your knowledge with the younger person, not only because that’s the right thing to do, but also because, in trying to formulate your thoughts, “Okay, how am I going to communicate or share what I know?” you may realize, “Oh, maybe I don’t know that as well as I should. I need to go back and brush up.” You learn a bit more in trying to teach someone; you have no choice but to really learn it yourself.

That would be number one. The second is you just have to take this idea of using it every day to the next level. You need to be the person who is creating the DSC configurations, and the PowerShell tools that you’re using to monitor servers to provide the forensic analysis if you’ve been compromised.

You’ll need to learn new things like the .NET Framework. You’ll need to learn some of the advanced topics. You need to start thinking. Go to some of the secret hacker conferences and learn the bad ways, and find ways: “Okay, how can I do that in PowerShell?” Try to be more proactive.

Paula:

There’s a little saying that if you feel like you know something, you can test it perfectly by explaining it to your grandfather. With the newest technologies, my grandfather is going to be like, “What are you talking about?” But maybe it’s the same with PowerShell? You have to be able to explain it to the younger ones.

Jeffrey:

Right, if you cannot explain it to someone or teach someone, then you don’t know it well enough.

Paula:

Exactly, exactly.

When you dream in PowerShell…

Jeffrey:

I’ve been using PowerShell since it was in beta. I co-wrote one of the first books. I go to bed, and I dream, “What can I do in PowerShell?”

Paula:

Do you dream in PowerShell?

Jeffrey:

I do actually dream in PowerShell.

Paula:

Seriously? This is so funny. Can I ask you, what is it like?

Jeffrey:

I will dream about something, some script that I’m working on, or some project I want to work on the next day. I’m like, “Oh, oh, that’s how I’m going to get around that problem.” Yes, so, yes I do. When you are learning a foreign language, if you start dreaming in that language, then you have learned it.

Paula:

Well, I dream in English, for example, because I work in English all the time. When I go to bed, I think, “Okay,” I’m starting in English, then I realize, “Well, hey, wait, I’m Polish, so maybe I should think in my native language.” But, it doesn’t work like that, yeah?

Jeffrey:

That’s an indication that you have really.

Paula:

You are deep inside that.

Jeffrey:

You have absorbed it and you know what it is. Yes, I’m confessing to everyone that I dream in PowerShell.

Learn PowerShell in a month of lunches

Paula:

That’s good. Okay, so thanks, Jeff, for the nice insights. I think we can summarize our interview a little bit. We were saying that:

  • PowerShell could be a hacking tool, but it’s more for admins.
  • It could also be used by the bad guys if they’ve got the possibility to use it at a certain hacking stage.
  • Just Enough Administration is also a very nice solution to limit the functionality of PowerShell in someone’s hands.
  • It’s a bit of a challenge to configure Desired State Configuration, because there are so many different moving parts, and it is just a framework.

Jeffrey:

It’s not just turnkey: I do a configuration, I’m done. There are lots of moving pieces, and you have to decide how it’s going to fit into your environment. Yeah, DSC is a key part here.

Paula:

It’s a key part, and in order to be able to be fluent in PowerShell, you have to spend at least an hour per day, maybe, if we could summarize it this way, focused on the different kinds of PowerShell functions and so on, or at least get to know one cmdlet per day.

Jeffrey:

One of the most popular books on PowerShell is one I co-wrote with Don Jones: “Learn Windows PowerShell in a Month of Lunches”.

The promise is that you read a chapter over your lunch break, because they’re short enough. You read a chapter, do an exercise, and over the course of a month, you should then know enough PowerShell to at least be proficient. You won’t know it 100%, but you will know enough to get started.

Paula:

Thank you so much. Hopefully you guys liked it, and if you have some questions for Jeff, about this interview, or for myself, make sure you post them in the comments section below.