I have been extremely lucky to present to a wide range of audiences on the security challenges that PowerShell brings to our organisations, from security groups to architecture to infrastructure and now development-focused groups.
As promised, here is the content, code and links to more information.
If you want to take a look at the "malware" script that I created, you can find it up on GitHub here. The repository includes two files: an example of the Excel spreadsheet, which contains a macro that would infect a system, and SystemInformation.ps1, which is the actual "malware" that is the basis for all of my demonstrations.
I mentioned Matt Graeber's write-up on PowerWorm, which can be found at his site, www.exploit-monday.com. Matt has rewritten the code to be safer and has also provided some tools to detect and remove PowerWorm infections; these can be found on his GitHub.
Another important set of resources is the five-part series from Microsoft's Hey, Scripting Guy! blog:
- Use PowerShell for Network Host and Port Discovery Sweeps
- Use PowerShell to Security Test SQL Server and SharePoint
- Use PowerShell to Discover Network Information from Shares
- Use PowerShell to Duplicate Process Tokens via P/Invoke
- Use PowerShell to Decrypt LSA Secrets from the Registry
I recommend reading the final two parts in particular; I have made use of the code from these within SystemInformation.ps1.