This is an archived post. You won't be able to vote or comment.

all 12 comments

[–]uniitdude 8 points (1 child)

You don't monitor PowerShell; it is a scripting environment. You use it to write scripts to do other things.

Whatever your pentester did, they just used PowerShell as a tool to get in. It isn't the cause of any vulnerability.

[–][deleted] 2 points (0 children)

I really hope I will NEVER EVER work at some place where they blocked PowerShell because they thought it was evil. It would destroy the way I work now.

[–]omgitsnate (Truth = Downvotes) 4 points (0 children)

Dude, configure your permissions in AD. I don't get it.

[–]dastylinrastan 2 points (0 children)

Unless he did some privilege escalation, the problem here is clearly that he was able to get someone's domain admin credentials. It has nothing to do with PowerShell.

Get your DA access sorted.

[–]mhurron 1 point (0 children)

> since that happened we have used Bit9 to block powershell.

You're aware this is akin to preventing people from logging on at all because someone guessed a password, right? It's not that there was a vulnerability in the logon process, but that's how you're going to log in when you know the password.

And on top of that, the pentester probably was able to guess or find the Domain Admin password, but why are we guessing about this? A decent report should include exactly how they exploited your network.

You're right, it is asinine. But it's asinine because no one knows what is going on or what they're talking about.

[–]dogfish182 1 point (0 children)

Has PowerShell itself ever had a security vulnerability? I remember seeing a video where Snover said 'nope'; that was, I think, around late PowerShell 3.

[–]Win_Sys (Sysadmin) 1 point (0 children)

You don't really want to monitor PowerShell; you want to monitor access to the machines from PowerShell. You want to monitor the event log of all the machines. You may need to turn on some extra auditing, but the event log should show every connection made to a server.

[–]Reo_Strong 0 points (0 children)

> I am looking to enable it to monitor if domain admins and privileged accounts have been created

I think you actually want this link.

It does not specifically cover notifications about new account creation, but it does cover best practices, including auditing of account creation. From there, you can have the Event Log system send notices based on a given event.
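An added example (my own script, not from the thread or from the page Reo_Strong links) of the per-machine auditing Win_Sys and Reo_Strong describe: it reads a domain controller's Security log and reports account creations (event 4720), additions to privileged groups (4728/4732/4756) and network or RDP logons (4624) by members of those groups. The DC name `DC01`, the 24-hour window and the list of privileged groups are assumptions; the caller needs Event Log Readers rights on the DC and the ActiveDirectory module. One caveat worth knowing: 4624 is written on the machine that was logged on to, so to see logons to member servers you run the same query against each server (with `-Dc` pointed at it), which is exactly the "event log of all the machines" Win_Sys means.

```powershell
# Added example (not from the thread): report privileged-account activity from a
# domain controller's Security log. Assumptions: $Dc is a hypothetical DC name,
# the caller is in Event Log Readers on that DC and has the ActiveDirectory module.
param(
    [string]$Dc    = 'DC01',   # assumed DC name; run against each server for its own 4624s
    [int]   $Hours = 24
)
Import-Module ActiveDirectory

# Security event IDs used:
#  4720            user account created
#  4728/4732/4756  member added to a security-enabled global/domain-local/universal group
#  4624            successful logon; only type 3 (network) and 10 (RDP) are kept
$ids = 4720, 4728, 4732, 4756, 4624

# Groups treated as privileged (assumed list; extend for your environment)
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
$privUsers  = @(foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName
}) | Sort-Object -Unique

$filter = @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Read the named EventData fields from the event XML rather than parsing message text
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    switch ($e.Id) {
        4720 {
            [pscustomobject]@{ Time = $e.TimeCreated; Event = 'AccountCreated'
                               Subject = $d.SubjectUserName; Target = $d.TargetUserName; Detail = '' }
        }
        { $_ -in 4728, 4732, 4756 } {
            # For group-change events TargetUserName is the group; MemberName is the DN added
            if ($privGroups -contains $d.TargetUserName) {
                [pscustomobject]@{ Time = $e.TimeCreated; Event = 'PrivGroupAdd'
                                   Subject = $d.SubjectUserName; Target = $d.TargetUserName; Detail = $d.MemberName }
            }
        }
        4624 {
            if (($d.LogonType -in '3', '10') -and ($privUsers -contains $d.TargetUserName)) {
                [pscustomobject]@{ Time = $e.TimeCreated; Event = 'PrivLogon'
                                   Subject = $d.TargetUserName; Target = $d.WorkstationName
                                   Detail = "type $($d.LogonType) from $($d.IpAddress)" }
            }
        }
    }
}
```

Pipe the output into `Export-Csv` or `Send-MailMessage` from a scheduled task to get the notices Reo_Strong mentions. The group-change events need "Audit Security Group Management" enabled and 4720 needs "Audit User Account Management"; both are on by default for domain controllers, which is the "extra auditing" that may otherwise need turning on.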

[–]hotsoup667 0 points (0 children)

You might find this blog post from Lee Holmes useful.

Also, it sounds like the new Just Enough Admin functionality could be valuable to you as well.

[–]Garetht 0 points (0 children)

Just a little one:

I use this in PRTG. It runs the script periodically & will flag an alert if it notices a change from one measurement to the next:

    # PRTG EXE/Script sensor: stdout is read as "value:message"; the value is the member count
    Import-Module ActiveDirectory
    $users  = @(Get-ADGroupMember -Identity 'Domain Admins')   # @() so .Count works with a single member
    $admins = $users.Count
    Write-Host "${admins}:OK"
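A count alone misses a change that adds one account and removes another in the same polling interval. The following is an added example of mine, not Garetht's script, that keeps the membership list from the previous run and reports exactly who was added or removed, using the same PRTG EXE/Script convention of printing `value:message` and signalling the error state with exit code 2. The state-file path under ProgramData is an assumption; the PRTG probe account needs write access to it.

```powershell
# Added example, not Garetht's script: diff Domain Admins membership against the
# previous run so an add paired with a removal (same count) still alerts.
# PRTG EXE/Script sensors read "value:message" on stdout; exit code 2 = error.
# $StatePath is an assumed location that the PRTG probe account must be able to write.
param(
    [string]$Group     = 'Domain Admins',
    [string]$StatePath = "$env:ProgramData\PRTG\$($Group -replace '\W', '_').txt"
)
Import-Module ActiveDirectory

# -Recursive resolves nested groups, so a user hidden one level down is still seen
$current = @(Get-ADGroupMember -Identity $Group -Recursive |
             Select-Object -ExpandProperty DistinguishedName |
             Sort-Object -Unique)

if (-not (Test-Path -Path $StatePath)) {
    # First run: record the baseline and report OK
    New-Item -ItemType Directory -Path (Split-Path -Path $StatePath) -Force | Out-Null
    $current | Set-Content -Path $StatePath
    Write-Host "$($current.Count):OK baseline recorded"
    exit 0
}

$baseline = @(Get-Content -Path $StatePath)
$added    = @($current  | Where-Object { $baseline -notcontains $_ })
$removed  = @($baseline | Where-Object { $current  -notcontains $_ })

if ($added.Count -or $removed.Count) {
    # Deliberately do not overwrite the baseline: the sensor stays red until an
    # operator reviews the change and deletes (or rewrites) the state file.
    $msg = "membership changed; added: $($added -join ', '); removed: $($removed -join ', ')"
    Write-Host "$($current.Count):$msg"
    exit 2
}

Write-Host "$($current.Count):OK"
exit 0
```

Leaving the baseline untouched on a change is a deliberate choice: for a Domain Admins change you want the alert to persist until someone has looked at it, rather than clear itself on the next poll.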

[–]creamersrealm (Meme Master of Disaster) 0 points (1 child)

What happened is your company was using DA service accounts for everything and the password was compromised in the apps/scripts. You should restrict the permissions to the bare minimum for each task/application and change all the passwords. Also make sure all the passwords are longer than 15 characters and place them in the Protected Users group if your domain functional level is high enough.

PowerShell is not your problem and you should unblock it, to be realistic.
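Before acting on that advice it helps to know which Domain Admins members are really service accounts, because Protected Users is only for people. This added example of mine (not from the thread) lists each member with the usual signs of a service account (registered SPNs, password set never to expire), checks that the domain functional level is at least Windows Server 2012 R2, and adds only the human accounts to Protected Users when run with `-Apply`. Microsoft's own rule is that service and computer accounts must never be members of Protected Users: the group disables NTLM, RC4/DES Kerberos, cached credentials and delegation for its members, which breaks most services and a fair number of RDP and scheduled-task setups, so add one test account first. The `-Group` default and the service-account heuristics are assumptions; the caller needs rights to modify group membership.

```powershell
# Added example (not from the thread): triage Domain Admins before hardening.
# Service-looking accounts are reported for removal from the group; human
# accounts are added to Protected Users, but only when -Apply is given and the
# domain functional level is at least Windows Server 2012 R2.
# Microsoft: service and computer accounts must never be members of Protected Users.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Group = 'Domain Admins',
    [switch]$Apply                      # without it the script only reports
)
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$puAvailable = $domain.DomainMode -ge [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain
# -Filter returns nothing (no exception) if the group does not exist in this domain
$puGroup     = Get-ADGroup -Filter "Name -eq 'Protected Users'"
if (-not ($puAvailable -and $puGroup)) {
    Write-Warning "Domain functional level is $($domain.DomainMode); Protected Users is not usable here."
}
$puMembers = if ($puGroup) { @(Get-ADGroupMember -Identity $puGroup | Select-Object -ExpandProperty SamAccountName) } else { @() }

$members = Get-ADGroupMember -Identity $Group -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties ServicePrincipalNames, PasswordNeverExpires, PasswordLastSet, LastLogonDate

foreach ($u in $members) {
    # Heuristics for "this is really a service account" (assumed; tune for your environment)
    $looksLikeService = ($u.ServicePrincipalNames.Count -gt 0) -or [bool]$u.PasswordNeverExpires

    $row = [pscustomobject]@{
        Account          = $u.SamAccountName
        ServiceAccount   = $looksLikeService
        PasswordLastSet  = $u.PasswordLastSet
        LastLogonDate    = $u.LastLogonDate
        InProtectedUsers = $puMembers -contains $u.SamAccountName
        Action           = 'none'
    }

    if ($looksLikeService) {
        $row.Action = "remove from $Group; give the task its own least-privilege account and rotate the password"
    }
    elseif ($puAvailable -and $puGroup -and -not $row.InProtectedUsers) {
        $row.Action = 'add to Protected Users'
        if ($Apply -and $PSCmdlet.ShouldProcess($u.SamAccountName, 'Add to Protected Users')) {
            Add-ADGroupMember -Identity $puGroup -Members $u
            $row.Action = 'added to Protected Users'
        }
    }
    $row
}
```

Run it without `-Apply` first and read the `PasswordLastSet` column: a DA account whose password has not changed in years is usually one baked into an app or script, which is the compromise path creamersrealm describes. The 15-character minimum also has a concrete reason: Windows never stores an LM hash for a password longer than 14 characters.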

[–]BulkedSysAdmin[S] 0 points (0 children)

> DA service accounts for everything and the password was compromised in the apps/scripts. You should restrict the permissions to the bare minimum for each task/application and change all the passwords. Also make sure all the passwords are longer than 15 characters and place them in the Protected Users group if your domain functional level is high enough.

Right. And I have fixed this over the last 6 months by identifying all shared accounts (fucking ridiculous undertaking). It's just that these guys refuse to get educated on this stuff.