The Christmas break is coming for most of us, let's take some time to share some tips to better protect our computers. The Microsoft Windows OS has plenty of tools that, when properly used, can reduce risks to be infected by a malware. As best practices, we must have antivirus enabled, we can deploy AppLocker to allow only authorized applications to be launched, we can restrict applications to be executed from locations like %APPDATA% or %TEMP% but they are tools that are much more difficult to restrict on a regular host like... Powershell! If you uninstall Powershell from a modern Windows version, you’ll simply miss nice features. That's why, in many cases, a simple uninstall is not possible. That’s also the reason why Powershell remains a nice first stage infection method:
Windows has a built-in firewall that provides interesting features. You can not only restrict traffic based at layer 3: from <ip>:<port> to <ip>:<port> but you can also restrict traffic based on application. Microsoft recommands to enable this firewall (and you receive continuous notifications when it's not). Let’s create two rules. The first one allow Powershell to access our local subnet and the second one drops any traffic C:\> netsh advfirewall firewall add rule name=“PS-Allow-LAN" dir=out \ remoteip=localsubnet action=allow program="c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe" \ enable=yes C:\> netsh advfirewall firewall add rule name=“PS-Deny-All" dir=out \ action=block program="c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe" \ enable=yes Of course, we can have multiple Powershell binaries spread across the file system. Let’s add the above rules for all of them: C:\> for /R %f in (powershell*.exe) do ( netsh advfirewall firewall add rule name=“PS-Allow-LAN (%f)" dir=out remoteip=localsubnet action=allow program=“%f" enable=yes netsh advfirewall firewall add rule name=“PS-Deny-All (%f)" dir=out action=block program=“%f" enable=yes ) Note that this technique does not block nasty malware like the one which was reported by Didier in a recent diary[1]. In this case, a copy of Powershell was used with a random name. If you use a proxy to access Internet resources, it could also be a good idea to restrict access to its IP address. Finally, Powershell (if run with enough privileges) can disable the local firewall: Set-NetFirewallProfile -Profiel Domain,Public,Private -Enabled False You can apply the same kind of control to other tools that should not access Internet resources. [1] https://isc.sans.edu/forums/diary/Maldoc+Duplicating+PowerShell+Prior+to+Use/24254 Xavier Mertens (@xme) |
Xme 492 Posts ISC Handler |
Subscribe |
Dec 19th 2018 11 months ago |
Your second example "PS-Deny-All" actually allows everything. "action=allow" instead of blocking "action=block"..
|
Paul 13 Posts |
Quote |
Dec 19th 2018 11 months ago |
You're right. Bad copy/paste from my script... Tx for the notification!
|
Xme 492 Posts ISC Handler |
Quote |
Dec 19th 2018 11 months ago |
Sign Up for Free or Log In to start participating in the conversation!