从传递参数的外部程序调用 Powershell 脚本

Question

I have an external program which calls a powershell script with a random secret identifier as a single argument. The powershell script needs to return the same random secret id when it calls the REST client on the external program.

Even though the powershell scripts are in secured location on the server, can anyone open the powershell and debug to get $args[0] value. The powershell script cannot run on its own as it needs get a secret id from external program.

I tried on as script as below

$gg = [Security.Principal.WindowsIdentity]::GetCurrent().Name 

$args[0]
$gg

The external program was calls the powershell script every 2 seconds and passed the secret identifier. During debugging - I could not value $args[0] .

Any feedback. Am I correct that no one can debug and get the value of the argument even in the de-bug?

Answer 1

As with security, it really depends on who you do trust, what kind of attacks you are preparing against and who is attacking you. Consider asking people at Security.SE for more details, but here are my two cents. The following list is by no means complete.

If the attacker has permissions to edit the script, it is trivial to add statements logging the secret key. If script editing is not possible, editing all users' profile $PSHOME\Microsoft.PowerShell_profile.ps1 could be leveraged to add snooping.

Even if the attacker doesn't have read or write permissions to the script location, they might have permissions to get process listing. Tools such as Sysinterals' Process Explorer can display each process' startup command - including any command line arguments.

Is the REST endpoint secured with HTTPS? If not, a network sniffer can pick up the secret key. Can the attacker inject a trusted certificate into the client? That's a fast way to MITM attacks, and key can be picked up via eavesdropping.