堆栈内存溢出
  简体   繁体   English

防止绕过PowerShell执行策略

[英]Prevent bypassing PowerShell execution policy

 原文  2017-03-13 07:32:22       powershell/ malware/ executionpolicy

问题描述

We have PowerShell installed on our RDS environment. 我们在RDS环境中安装了PowerShell。 It's currently being used for tasks like remote management and App-V virtual application publishing. 它目前用于远程管理和App-V虚拟应用程序发布等任务。 To my understanding, it's fairly easy to bypass a restricted execution policy. 据我了解,绕过受限执行政策相当容易。

I can't however find any useful information on preventing bypassing the execution policy (or making it a lot harder). 但是,我无法找到有关防止绕过执行策略的任何有用信息(或使其变得更加困难)。 I was thinking about using file screening (AppLocker) for blocking PowerShell files, but I guess then attackers could just use a VBA script attached to an Microsoft Office file to execute a PowerShell script. 我正在考虑使用文件筛选(AppLocker)来阻止PowerShell文件,但我想攻击者可以使用附加到Microsoft Office文件的VBA脚本来执行PowerShell脚本。

For now we focus on monitoring, but I would like more attention on preventing. 目前我们专注于监控,但我希望更多关注预防。

2 个解决方案

解决方案1
 2  2017-03-13 07:41:33

What you are trying to achieve is pointless. 你想要实现的目标是毫无意义的。 There are dozens of ways to bypass execution policy. 有许多方法可以绕过执行策略。 In fact, it is not designed for security reasons. 实际上,它不是出于安全原因设计的。

  1. Install PS 5+ everywhere and implement script block logging. 在任何地方安装PS 5+并实现脚本块日志记录。 You can place all logs in a shared directory somewhere to analyze\\ingest them. 您可以将所有日志放在某个共享目录中以分析\\摄取它们。
  2. Remove PS2 everywhere 随处删除PS2
  3. Block macros from files from the web 阻止来自Web的文件中的宏
  4. Use application whitelisting 使用应用程序白名单

This should be a good place to start. 这应该是一个很好的起点。

PS: You can also monitor event 400, to detect bypasses to PS2 (which is something you don't want to be on your users' machines) when something reinstalls PS2 back. PS:您还可以监视事件400,以便在重新安装PS2时检测绕过PS2(这是您不希望在用户的计算机上进行的操作)。

解决方案2
 1 已采纳  2017-03-13 08:33:27

Actually, there are ways to prevent misuse of PowerShell (and making bypassing the execution policy quite useless): 实际上,有一些方法可以防止滥用PowerShell(并绕过执行策略毫无用处):

  1. Configure AppLocker: also lockdown scripts 配置AppLocker:也是锁定脚本
  2. Configure PowerShell to use Constrained Mode so .NET code can't be executed 将PowerShell配置为使用约束模式,以便无法执行.NET代码
  3. For your own scripts that should support .NET code you can sign the scripts with a code signers certificate (these will be allowed to run with constrained mode + AppLocker) 对于应该支持.NET代码的脚本,您可以使用代码签名者证书对脚本进行签名(允许这些脚本使用约束模式+ AppLocker运行)

Besides that, configuring logging of all PowerShell commands and sending them through a central location (so an IDS can monitor this) is also a good practice. 除此之外,配置所有PowerShell命令的日志记录并通过中心位置发送它们(因此IDS可以监控它)也是一种很好的做法。

See Detecting Offensive PowerShell Attack Tools for more detailed information about how to achieve this. 有关如何实现此目的的更多详细信息,请参阅检测攻击性PowerShell攻击工具

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 绕过 PowerShell 中的执行策略时是否存在任何安全风险? - is there any Security risks when bypassing the Execution Policy in PowerShell? Powershell:执行政策 - Powershell : Execution Policy Windows Powershell 策略执行绕过 - Windows Powershell policy execution bypass Powershell执行策略remotesigned矛盾? - Powershell execution policy remotesigned contradiction? powershell 执行策略不受限制不接受 - powershell execution policy unrestriction is not accepitng PowerShell-不受限制的执行策略问题 - PowerShell - Unrestricted execution policy Issue PowerShell:执行策略的变通办法以运行脚本 - PowerShell: Execution policy workarounds to run a script Powershell甚至无法执行设置执行策略 - Powershell cannot execute even set the execution policy 从 C# 启用 PowerShell 的执行策略 - Enabling execution policy for PowerShell from C# 如何从外部获取Powershell执行策略 - How to get Powershell execution policy externally
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM