HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

Against script injections in PowerShell #59

Closed keneos-dev closed 1 year ago

keneos-dev commented 1 year ago

Script injections capable of bypassing Windows Defender with all the security and cloud options enabled are easy to find. Among its recommendations on the subject, Microsoft recommends installing and configuring InjectionHunter. Constrained language mode is also mentioned.

HotCakeX commented 1 year ago

Hi, there is no problem or concern about it. Let me explain in detail.

In the Medium post he says "On Windows 10 victim, I have all the security options enabled, and it’s fully updated and patched."

But all he shows is this screenshot:

[screenshot]

But that's not even half of all the security options available on Windows 10.

All of those shown in the screenshot, and a lot more, are already enabled by default on the latest Windows 11 update.

He again incorrectly mentions the same thing further down in his post "All the security options are enabled while we still have the shell running on our victim machine, thus indicating that the payload is undetected."


Another problem with that post: AmsiTrigger_x64.exe is required to exist on the victim's computer. That's not going to happen with this Windows hardening script and all the features it turns on.

This is the SmartScreen message for people trying to download it:

[screenshot]

Users must intentionally download that tool, and go out of their way to force Edge to download it, which means they do want to be compromised at this point.

[screenshot]

Also that tool is unsigned, that's another red flag.


The web page you linked to is correct about PowerShell constrained language mode: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/

But as it mentions, it should be used with WDAC to be effective, and my repository has a lot of content about it, especially the WDACConfig module.

Neither the module nor the script uses any unsafe methods as far as I know. The only time Invoke-Expression is used is on the GitHub Readme page itself for easier/quicker consumption, but there is also the option to use the PowerShell Gallery, so it can be completely avoided.

This page is good too, explaining how not to use unsafe stuff. I'll try the Injection Hunter module, thanks! https://learn.microsoft.com/en-us/powershell/scripting/dev-cross-plat/security/preventing-script-injection?view=powershell-7.3


For a good penetration test, I've written the steps that need to be taken. Pen testers and red teamers can use them for a realistic scenario:

https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md#-for-penetration-testing-and-benchmarking
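The script-injection pattern the linked Microsoft page warns about, next to the parameter-binding alternatives, as an added PowerShell example that is not part of this thread or of the Harden-Windows-Security project. The function names and the attacker string are constructed for illustration; `EscapeSingleQuotedStringContent` and `$ExecutionContext.SessionState.LanguageMode` are real PowerShell APIs.

```powershell
# Added example, not code from the issue thread or the project. Function names and the
# attacker input are hypothetical/constructed.

# --- Vulnerable: untrusted input is spliced into a string that is then evaluated ---
function Get-ServiceStatusUnsafe {
    param([string]$ServiceName)
    # Whatever the caller puts in $ServiceName becomes PowerShell syntax.
    Invoke-Expression "Get-Service -Name '$ServiceName' | Select-Object Status"
}

# Constructed attacker input: closes the single quote, ends the statement, runs its own command.
$malicious = "Spooler'; Write-Warning 'INJECTED: arbitrary code ran here'; '"

Get-ServiceStatusUnsafe -ServiceName $malicious
# The Write-Warning fires, because the string was parsed as three separate statements.

# --- Safe 1: bind the value as a parameter; no string is ever parsed as code ---
function Get-ServiceStatusSafe {
    param([string]$ServiceName)
    # $ServiceName is data here. Quotes and semicolons carry no meaning.
    Get-Service -Name $ServiceName -ErrorAction SilentlyContinue | Select-Object Status
}

Get-ServiceStatusSafe -ServiceName $malicious
# Get-Service simply finds no service with that odd name; nothing is executed.

# --- Safe 2: when a script block must be run dynamically, pass the input as an argument ---
function Invoke-WithArgument {
    param([string]$ServiceName)
    $sb = { param($Name) Get-Service -Name $Name -ErrorAction SilentlyContinue | Select-Object Status }
    # Invoke-Command binds $ServiceName to $Name; it is never interpreted as script text.
    Invoke-Command -ScriptBlock $sb -ArgumentList $ServiceName
}

Invoke-WithArgument -ServiceName $malicious

# --- If a literal really must be embedded in generated code, escape it for that quoting context ---
# CodeGeneration::EscapeSingleQuotedStringContent doubles embedded single quotes so the
# value cannot break out of a '...' literal.
$escaped = [System.Management.Automation.Language.CodeGeneration]::EscapeSingleQuotedStringContent($malicious)
Invoke-Expression "Write-Output 'Looked up: $escaped'"
# Prints the attacker string verbatim as text; the Write-Warning does not run.

# --- Which language mode is this session in? ---
# ConstrainedLanguage only has teeth when a WDAC (or AppLocker) policy enforces it;
# otherwise the user just starts a new FullLanguage session.
$ExecutionContext.SessionState.LanguageMode
```

Run it in a FullLanguage session to see the first call emit the injected warning and the other three not. The InjectionHunter module mentioned above is meant to catch the first pattern statically: its rules are loaded into PSScriptAnalyzer as custom rules (`Invoke-ScriptAnalyzer -CustomRulePath`), so the `Invoke-Expression` with an interpolated variable in `Get-ServiceStatusUnsafe` is exactly what it flags.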

keneos-dev commented 1 year ago

Alright, thank you for this detailed answer! 🙏