At the DEFCON security conference last year, we presented the session: “Get $pwnd: Attacking Battle Hardened Windows Server“.
In this talk, we went through some of the incredibly powerful ways that administrators can secure their high-value systems (for example, Just Enough Administration) and also dove into some of the mistakes that administrators sometimes make when exposing their PowerShell code to an attacker. The most common form of mistake is script injection, where a script author takes a parameter value (supplied by an attacker) and runs it in a trusted context (such as a function exposed in a Just Enough Administration endpoint). Here’s an example:
There are many coding patterns that can introduce security flaws like this, all of which have secure alternatives. The presentation goes into these in great detail, and what we also promised to release is a tool to help you detect them as you are writing the scripts. We’ve now released this tool, and you can download it from the PowerShell Gallery:
Using it this way from the command line is an excellent way to automate security analysis during builds, continuous integration processes, deployments, and more.
Wouldn’t it be REALLY cool if you could detect these dangers while writing your scripts? I’m glad you asked!
PowerShell’s Visual Studio Code plugin already does live script analysis to help you discover issues like unassigned variables, and we can customize that rule set to include InjectionHunter capabilities. Here’s what Visual Studio Code looks like with this running:
Here’s how to get this on your system:
First, find out the location of the InjectionHunter module. You can do this by typing:
Get-Module InjectionHunter -List | Foreach-Object Path
On my system, this returns:
D:\Lee\WindowsPowerShell\Modules\InjectionHunter\1.0.0\InjectionHunter.psd1
Next, create a file – ‘PSScriptAnalyzerSettings.psd1’ in a location of your choice. Use the following for the content – replacing the path to InjectionHunter with the one on your system.
@{ IncludeDefaultRules = $true CustomRulePath = "D:\Lee\WindowsPowerShell\Modules\InjectionHunter\1.0.0\InjectionHunter.psd1" }
"powershell.scriptAnalysis.settingsPath": "c:/users/lee/PSScriptAnalyzerSettings.psd1"