The Dark Side of Powershell

As everything in life there is a good and evil, Yin and Yang, light  and darkness,etc. PowerShell is great tool but it can be also used to do harm in the organizations and it is also very powerful.

Have you heard about Mimikatz ? Well if you have not let me tell you what it does in a few words, this program inject itself into memory and can steal all the domain and non domain passwords that are stored into memory. Most of the passwords will be hashed but does mean they can not use that token in another computer, I will write in another post about a hacking called Pass-The-Hash attack that will explain how they can use that token in different computers.

Now, not all passwords are encrypted and if your company have an old or maybe newer application that use Wdigest as its authentication method you are in big trouble. Wdigest uses clear text password and stores it in memory. So if a malicious code was executed in a computer in your enterprise potentially they can get a hold of text clear password.

I know what you asking how do I prevent this ? First of all you have to shutdown that app. Second tell the developer to  change the authentication method to Kerberos or something more secure. How would you find what application is using Wdigest ?

  1. On all you domain controllers enable Account logon for success and failures
  2. Make sure you are collecting those logs  using Splunk, SCOM, etc
  3. Look for event ID 680 or 4624 logon Attempt by Wdigest in the security log and trace what workstation is using wdigest

Here is a good TechNet article that explains Wdigest in depth

The goal of this article is not for you to stop using PowerShell but to make you aware of the potential risk and take the preventive measure to make your enterprise more secure.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s