Monday, June 27, 2022

Securing Windows devices feat. PowerShell by NSA!



The National Security Agency (NSA) and partner cybersecurity agencies issued an advisory recommending that system administrators use PowerShell to prevent and detect malicious activity on Windows machines, rather than disabling it.


PowerShell is frequently used in cyberattacks, mostly in the post-exploitation stage, but the security capabilities built into Microsoft's automation and configuration tool can also help defenders with forensics, improve incident response, and automate repetitive tasks.


The NSA and the cybersecurity centers of the U.S. (CISA), New Zealand (NZ NCSC), and the U.K. (NCSC-UK) have published a set of recommendations for using PowerShell to mitigate cyber threats instead of removing or disabling it, which would lower defensive capabilities.




"Blocking PowerShell hinders defensive capabilities that current versions of PowerShell can provide, and prevents components of the Windows operating system from running properly. Recent versions of PowerShell with improved capabilities and options can assist defenders in countering abuse of PowerShell."



LOWER RISK FOR ABUSE:

Reducing the risk of threat actors abusing PowerShell means using the framework's own capabilities, such as PowerShell remoting, which does not expose plain-text credentials when executing commands remotely on Windows hosts.

Administrators should be aware that enabling remoting automatically adds a Windows Firewall rule that, on private networks, permits inbound WinRM connections from any address.

Customizing Windows Firewall to allow those connections only from trusted endpoints and networks reduces an attacker's chance of successful lateral movement.
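As an added example (not code from the advisory), the snippet below enables remoting, shows the permissive rule that Enable-PSRemoting creates, and then scopes that rule to a short list of management hosts. It assumes an elevated session, that the inbound rule carries the built-in display name "Windows Remote Management (HTTP-In)", and that the two addresses are placeholders for your own jump hosts.

```powershell
# Added example, not part of the NSA advisory.
# Assumptions: run elevated; the addresses below are placeholder jump hosts;
# the rule display name is the one Enable-PSRemoting creates on stock Windows.

$TrustedAdminHosts = @('10.10.20.5', '10.10.20.6')   # placeholder management hosts

Enable-PSRemoting -Force

# Show what Enable-PSRemoting opened: a RemoteAddress of "Any" means every source.
Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# Scope every matching inbound rule (all profiles) to the management hosts only.
Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Set-NetFirewallRule -RemoteAddress $TrustedAdminHosts

# Verify: warn if any WinRM rule still accepts connections from anywhere.
Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' |
    Get-NetFirewallAddressFilter |
    ForEach-Object {
        if ($_.RemoteAddress -contains 'Any') {
            Write-Warning 'A WinRM inbound rule still allows any remote address'
        }
    }
```

Push the same change with Group Policy or a configuration-management tool rather than by hand on each host, and repeat the verification step after every policy refresh, since a later Enable-PSRemoting run can recreate the open rule.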


For remote connections, the agencies advise using the Secure Shell protocol (SSH), supported in PowerShell 7, which adds the convenience and security of public-key authentication:

  • remote connections don't need HTTPS with TLS/SSL certificates
  • no need for Trusted Hosts, as required when remoting over WinRM outside a domain
  • secure remote management over SSH without a password for all commands and connections
  • PowerShell remoting between Windows and Linux hosts
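The following is an added example (not from the advisory) of setting up PowerShell 7 remoting over SSH. It assumes OpenSSH Server is already installed on the Windows target, PowerShell 7 lives at its default install path, and the host name, user name and key path are placeholders.

```powershell
# Added example, not part of the NSA advisory.
# Assumptions: OpenSSH Server installed on the target; PowerShell 7 at the
# default path; host/user/key names are placeholders.

# --- On the target (run once, elevated): register pwsh as an SSH subsystem ---
# Microsoft's docs use the 8.3 short path because sshd_config does not
# accept spaces in the subsystem command.
$sshdConfig = "$env:ProgramData\ssh\sshd_config"
$subsystem  = 'Subsystem powershell c:/progra~1/powershell/7/pwsh.exe -sshs -nologo'
if (-not (Select-String -Path $sshdConfig -Pattern '^Subsystem\s+powershell' -Quiet)) {
    Add-Content -Path $sshdConfig -Value $subsystem
}
# Prefer key authentication: turn password logins off.
(Get-Content $sshdConfig) -replace '^#?PasswordAuthentication.*', 'PasswordAuthentication no' |
    Set-Content $sshdConfig
Restart-Service sshd

# --- On the admin workstation: connect with a key; no WinRM, no TrustedHosts ---
$session = New-PSSession -HostName 'winsrv01.corp.example' -UserName 'adminuser' `
                         -KeyFilePath "$HOME\.ssh\id_ed25519"
Invoke-Command -Session $session -ScriptBlock {
    # Confirms which host and PowerShell edition answered on the far side.
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Edition = $PSVersionTable.PSEdition }
}
Remove-PSSession $session
```

Because the transport is SSH, the same New-PSSession call reaches a Linux host running pwsh with the equivalent `Subsystem powershell /usr/bin/pwsh -sshs -nologo` line in its sshd_config.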


Another recommendation is to restrict PowerShell with AppLocker or Windows Defender Application Control (WDAC), which places the tool in Constrained Language Mode (CLM) and thus denies operations outside the policies defined by the administrator.
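As an added example (not from the advisory), the function below reports the language mode a session is running in and probes two primitives that post-exploitation tooling relies on and that CLM denies: instantiating arbitrary .NET types and compiling code with Add-Type. It assumes no WDAC or AppLocker policy is present, so it drops the session into CLM by assignment for demonstration; that assignment is one-way and is not a substitute for an enforced policy.

```powershell
# Added example, not part of the NSA advisory.
# Assumption: no WDAC/AppLocker policy on this host, so CLM is entered
# in-session for demonstration (one-way; cannot be raised back to FullLanguage).

function Test-PowerShellLockdown {
    $mode = $ExecutionContext.SessionState.LanguageMode

    # Typical offensive primitive: arbitrary .NET type instantiation.
    try {
        $null = New-Object System.Net.WebClient
        $newObjectAllowed = $true
    } catch {
        $newObjectAllowed = $false   # CLM: "Only core types are supported in this language mode"
    }

    # In-memory compilation via Add-Type is disabled under CLM.
    try {
        Add-Type -TypeDefinition 'public class Probe { public static int One() { return 1; } }'
        $addTypeAllowed = $true
    } catch {
        $addTypeAllowed = $false
    }

    [pscustomobject]@{
        LanguageMode     = $mode
        NewObjectAllowed = $newObjectAllowed
        AddTypeAllowed   = $addTypeAllowed
    }
}

Test-PowerShellLockdown          # FullLanguage on an unmanaged host: both $true

# Drop this session to CLM and re-run: both probes now fail.
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
Test-PowerShellLockdown
```

On a host where WDAC or AppLocker enforces the lockdown, the first call already reports ConstrainedLanguage, and the in-session assignment is unnecessary.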

“Proper configuration of WDAC or AppLocker on Windows 10+ helps to prevent a malicious actor from gaining full control over a PowerShell session and the host”


DETECTING MALICIOUS POWERSHELL USE:

Recording PowerShell activity and monitoring the logs are two recommendations that help administrators find signs of abuse.

The NSA and its partners propose turning on Deep Script Block Logging (DSBL), Module Logging, and Over-the-Shoulder transcription (OTS).

The first two build a comprehensive record of PowerShell activity that can be searched for suspicious or malicious behavior, including de-obfuscated script blocks and the commands and scripts used in the process.

With OTS, administrators get a transcript of every PowerShell input and output, which can help determine an attacker's intentions in the environment.
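The block below is an added example (not from the advisory) that enables the three features through the registry values the corresponding Group Policy settings write, then sweeps the resulting script block events for common abuse indicators. It assumes an elevated session; the transcript share path and the indicator list are choices made here, not recommendations from the document.

```powershell
# Added example, not part of the NSA advisory.
# Assumptions: run elevated; transcript path and indicator list are local choices.

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Deep Script Block Logging: de-obfuscated code as it executes (event ID 4104).
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1

# Module Logging: pipeline execution details for every module (event ID 4103).
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Value 1
Set-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# Over-the-Shoulder transcription: full input/output of each session, written
# to a share the interactive user cannot read back or delete from.
New-Item -Path "$psPolicy\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\Transcription" -Name EnableTranscripting -Value 1
Set-ItemProperty -Path "$psPolicy\Transcription" -Name EnableInvocationHeader -Value 1
Set-ItemProperty -Path "$psPolicy\Transcription" -Name OutputDirectory -Value '\\logsrv\pstranscripts$'  # placeholder

# Detection sweep: script block events from the last 24 hours that contain
# common download-and-execute or obfuscation indicators (a starting point only).
$indicators = @(
    '-EncodedCommand', '-enc ', 'FromBase64String', 'DownloadString', 'DownloadFile',
    'Invoke-Expression', 'IEX', 'Net.WebClient', 'Invoke-Mimikatz', 'ExecutionPolicy Bypass'
)
$pattern = ($indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'

Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $code = [string]$_.Properties[2].Value        # ScriptBlockText for 4104
        if ($code -match $pattern) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $_.UserId
                Matched = ([regex]::Matches($code, $pattern) | Select-Object -ExpandProperty Value -Unique) -join ', '
                Snippet = $code.Substring(0, [Math]::Min(120, $code.Length))
            }
        }
    } | Format-Table -AutoSize
```

Forward the Microsoft-Windows-PowerShell/Operational channel to a central collector before relying on this sweep; an attacker with local admin can clear the local log, but not a copy already shipped off the host.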


Administrators can use the table below to check the features that various PowerShell versions provide to help enable better defenses on their environment:

Security features present in PowerShell versions



The document the NSA released today states that "PowerShell is essential to secure the Windows operating system," particularly the newer versions that did away with previous limitations.

When properly configured and managed, PowerShell can be a reliable tool for system maintenance, forensics, automation, and security.

The full document, “Keeping PowerShell: Security Measures to Use and Embrace” is available here [PDF].


Some Additional Resources:

Intel Insights: How to Secure PowerShell 

SANS course on securing PowerShell and Windows


Saturday, June 04, 2022

Cybersecurity Learning Resources!

A large, continuously vetted list of learning resources for cybersecurity that will help you grow in your cyber journey. I will keep adding to it as I find more.

 

CISCO NETWORKING ACADEMY


Introduction to Cybersecurity | Duration: 6 hours 
Explore the exciting field of cybersecurity and why cybersecurity is a future-proof career 
English | Spanish | French | Portuguese 

Sunday, February 07, 2016

Monday, February 01, 2016

Have You Been Hacked ?

Use this service from Roboform to check whether you have been hacked; it covers many leaks and breached databases. I hope you use different passwords for different sites.

Saturday, December 26, 2015

Panopticlick !

When you visit a website, online trackers and the site itself may be able to identify you – even if you’ve installed software to protect yourself. It’s possible to configure your browser to thwart tracking, but many people don’t know how.
Panopticlick will analyze how well your browser and add-ons protect you against online tracking techniques. We’ll also see if your system is uniquely configured—and thus identifiable—even if you are using privacy-protective software.


Panopticlick is a research project of the Electronic Frontier Foundation.

Monday, December 14, 2015

Security Features Check !!!

The Anti-Malware Testing Standards Organization (AMTSO™) was founded in May 2008 as an international non-profit association that focuses on addressing the global need for improvement in the objectivity, quality and relevance of anti-malware testing methodologies.

The website hosts a number of easy-to-use tools to check that endpoint security products are configured to protect you from viruses, drive-by downloads, potentially unwanted applications (PUA), archived malware, phishing and cloud-based attacks across the major desktop and mobile operating systems.

Feature Settings Check for your favorite Anti-Malware Desktop solution. With the different checks you can verify if the corresponding feature is configured properly within your Anti-Malware solution.


Feature Settings Check for your favorite Android based Anti-Malware Solution. With the different checks you can verify if the corresponding feature is configured properly within your Anti-Malware solution.



NOTE: None of the files downloaded nor pages visited are malicious in any way. These harmless files are detected only by industry agreement, solely so that users can verify that their Android-based anti-malware solution is configured correctly and reacting as expected.


Source: AMTSO

Friday, January 23, 2015

Google reveals 3 Apple OS X Zero-day Vulnerabilities

Project Zero has yet again revealed three more zero-day vulnerabilities this time on OS X. The team has published three zero-day exploits for Apple’s OS X, with sufficient information for an experienced hacker to exploit the bugs in an attack. The details about the zero-days were released after alerting Apple to them. All three require physical access and cannot be exploited remotely.


Google's Project Zero is an initiative that identifies security holes in software and calls on vendors to patch them within 90 days of being notified, after which the details are disclosed publicly. The tight 90-day disclosure policy encourages software vendors to patch their products before the bugs can be exploited.