book

PowerShell Automation and Scripting for Cybersecurity

Name: PowerShell Automation and Scripting for Cybersecurity
Author: Miriam C. Wiesner
ISBN: 9781800566378

by Miriam C. Wiesner

August 2023

Intermediate to advanced

572 pages

14h 11m

English

Packt Publishing

Read now

Unlock full access

PowerShell Automation and Scripting for Cybersecurity
ForewordPraise for PowerShell Automation and Scripting for CybersecurityContributorsAbout the authorAbout the reviewers
Preface
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesConventions usedGet in touchShare Your ThoughtsDownload a free PDF copy of this book
Part 1: PowerShell Fundamentals
Chapter 1: Getting Started with PowerShell
Technical requirementsWhat is PowerShell?The history of PowerShellWhy is PowerShell useful for cybersecurity?Getting started with PowerShellWindows PowerShellPowerShell CoreExecution PolicyHelp systemPowerShell versionsPowerShell editorsSummaryFurther reading
Chapter 2: PowerShell Scripting Fundamentals
Technical requirementsVariablesData typesAutomatic variablesEnvironment variablesReserved words and language keywordsVariable scopeOperatorsComparison operatorsAssignment operatorsLogical operatorsControl structuresConditionsLoops and iterationsNaming conventionsPowerShell profilesUnderstanding PSDrives in PowerShellMaking your code reusableCmdletsFunctionsThe difference between cmdlets and script cmdlets (advanced functions)AliasesModulesSummaryFurther reading
Chapter 3: Exploring PowerShell Remote Management Technologies and PowerShell Remoting
Technical requirementsWorking remotely with PowerShellPowerShell remoting using WinRMWindows Management Instrumentation (WMI) and Common Information Model (CIM)Open Management Infrastructure (OMI)PowerShell remoting using SSHEnabling PowerShell remotingEnabling PowerShell remoting manuallyConfiguring PowerShell Remoting via Group PolicyPowerShell endpoints (session configurations)Connecting to a specified endpointCreating a custom endpoint – a peek into JEAPowerShell remoting authentication and security considerationsAuthenticationAuthentication protocolsBasic authentication security considerationsPowerShell remoting and credential theftExecuting commands using PowerShell remotingExecuting single commands and script blocksWorking with PowerShell sessionsBest practicesSummaryFurther reading
Chapter 4: Detection – Auditing and Monitoring
Technical requirementsConfiguring PowerShell Event LoggingPowerShell Module LoggingPowerShell Script Block LoggingProtected Event LoggingPowerShell transcriptsAnalyzing event logsFinding out which logs exist on a systemQuerying events in generalWhich code was run on a system?Downgrade attackEventListGetting started with loggingAn overview of important PowerShell-related log filesIncreasing log sizeSummaryFurther reading
Part 2: Digging Deeper – Identities, System Access, and Day-to-Day Security Tasks
Chapter 5: PowerShell Is Powerful – System and API Access
Technical requirementsGetting familiar with the Windows RegistryWorking with the registrySecurity use casesUser rightsConfiguring access user rightsMitigating risks through backup and restore privilegesDelegation and impersonationPreventing event log tamperingPreventing Mimikatz and credential theftSystem and domain accessTime tamperingExamining and configuring user rightsBasics of the Windows APIExploring .NET Framework.NET Framework versus .NET CoreCompile C# code using .NET FrameworkUsing Add-Type to interact with .NET directlyLoading a custom DLL from PowerShellCalling the Windows API using P/InvokeUnderstanding the Component Object Model (COM) and COM hijackingCOM hijackingCommon Information Model (CIM)/WMINamespacesProvidersEvents subscriptionsMonitor WMI/CIM event subscriptionsManipulating CIM instancesEnumerationWhere is the WMI/CIM database located?Running PowerShell without powershell.exeUsing “living off the land” binaries to call assembly functionsBinary executablesExecuting PowerShell from .NET Framework using C#SummaryFurther reading
Chapter 6: Active Directory – Attacks and Mitigation
Technical requirementsIntroduction to Active Directory from a security point of viewHow attacks work in a corporate environmentADSI, ADSI accelerators, LDAP, and the System.DirectoryServices namespaceEnumerationEnumerating user accountsEnumerating GPOsEnumerating groupsPrivileged accounts and groupsBuilt-in privileged groups in ADPassword sprayingMitigationAccess rightsWhat is a SID?Access control listsOU ACLsGPO ACLsDomain ACLsDomain trustsCredential theftAuthentication protocolsAttacking AD authentication – credential theft and lateral movementMitigationMicrosoft baselines and the security compliance toolkitSummaryFurther reading

Chapter 7: Hacking the Cloud – Exploiting Azure Active Directory/Entra ID
Technical requirementsDifferentiating between AD and AADAuthentication in AADDevice identity – connecting devices to AADHybrid identityProtocols and conceptsPrivileged accounts and rolesAccessing AAD using PowerShellThe Azure CLIAzure PowerShellAttacking AADAnonymous enumerationPassword sprayingAuthenticated enumerationCredential theftToken theftConsent grant attack – persistence through app permissionsAbusing AAD SSOExploiting Pass-through Authentication (PTA)MitigationsSummaryFurther reading
Chapter 8: Red Team Tasks and Cookbook
Technical requirementsPhases of an attackCommon PowerShell red team toolsPowerSploitInvoke-MimikatzEmpireInveighPowerUpSQLAADInternalsRed team cookbookReconnaissanceExecutionPersistenceDefense evasionCredential accessDiscoveryLateral movementCommand and Control (C2)ExfiltrationImpactSummaryFurther reading
Chapter 9: Blue Team Tasks and Cookbook
Technical requirementsProtect, detect, and respondProtectionDetectionResponseCommon PowerShell blue team toolsPSGumshoePowerShellArsenalAtomicTestHarnessesPowerForensicsNtObjectManagerDSInternalsPSScriptAnalyzer and InjectionHunterRevoke-ObfuscationPosh-VirusTotalEventListJEAnalyzerBlue team cookbookChecking for installed updatesChecking for missing updatesReviewing the PowerShell history of all usersInspecting the event log of a remote hostMonitoring to bypass powershell.exeGetting specific firewall rulesAllowing PowerShell communication only for private IP address rangesIsolating a compromised systemChecking out installed software remotelyStarting a transcriptChecking for expired certificatesChecking the digital signature of a file or a scriptChecking file permissions of files and foldersDisplaying all running servicesStopping a serviceDisplaying all processesStopping a processDisabling a local accountEnabling a local accountDisabling a domain accountEnabling a domain accountRetrieving all recently created domain usersChecking whether a specific port is openShowing TCP connections and their initiating processesShowing UDP connections and their initiating processesSearching for downgrade attacks using the Windows event logPreventing downgrade attacksSummaryFurther reading
Part 3: Securing PowerShell – Effective Mitigations In Detail
Chapter 10: Language Modes and Just Enough Administration (JEA)
Technical requirementsWhat are language modes within PowerShell?Full Language (FullLanguage)Restricted Language (RestrictedLanguage)No Language (NoLanguage)Constrained Language (ConstrainedLanguage)Understanding JEAAn overview of JEAPlanning for JEARole capability fileSession configuration fileDeploying JEAConnecting to the sessionSimplifying your deployment using JEAnalyzerConverting script files to a JEA configurationUsing auditing to create your initial JEA configurationLogging within JEA sessionsOver-the-shoulder transcriptionPowerShell event logsOther event logsBest practices – avoiding risks and possible bypassesSummaryFurther reading
Chapter 11: AppLocker, Application Control, and Code Signing
Technical requirementsPreventing unauthorized script execution with code signingControlling applications and scriptsPlanning for application controlBuilt-in application control solutionsGetting familiar with Microsoft AppLockerDeploying AppLockerAudit AppLocker eventsExploring Windows Defender Application ControlCreating code integrity policiesVirtualization-based security (VBS)Deploying WDACHow does PowerShell change when application control is enforced?Further reading
Chapter 12: Exploring the Antimalware Scan Interface (AMSI)
Technical requirementsWhat is AMSI and how does it work?Why AMSI? A practical exampleExample 1Example 2Example 3Example 4Example 5Example 6Bypassing AMSIPreventing files from being detected or disabling AMSI temporarilyObfuscationBase64 encodingSummaryFurther reading
Chapter 13: What Else? – Further Mitigations and Resources
Technical requirementsSecure scriptingPSScriptAnalyzerInjectionHunterExploring Desired State ConfigurationDSC 1.1DSC 2.0DSC 3.0ConfigurationHardening systems and environmentsSecurity baselinesApplying security updates and patch compliance monitoringAvoiding lateral movementMulti-factor authentication for elevationTime-bound privileges (Just-in-Time administration)Attack detection – Endpoint Detection and ResponseEnabling free features from Microsoft Defender for EndpointSummaryFurther reading
Index
Why subscribe?
Other Books You May EnjoyPackt is searching for authors like youShare Your ThoughtsDownload a free PDF copy of this book

Content preview from PowerShell Automation and Scripting for Cybersecurity

Preface

PowerShell is everywhere – it is preinstalled on every modern Windows operating system. On the one hand, this is great for administrators, as this enables them to manage their systems out of the box, but on the other hand, adversaries can leverage PowerShell to execute their malicious payloads.

PowerShell itself provides a variety of features that can not only help you to improve the security of your environment but also help you with your next red team engagement. In this book, we will look at PowerShell for cybersecurity from both sides of the coin – attacker and defender, red and blue team. By reading this book, you’ll gain a deep understanding of PowerShell’s security capabilities and how to use them.

You will learn that PowerShell ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781800566378

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

PowerShell Automation and Scripting for Cybersecurity

by Miriam C. Wiesner

Preface

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.