Disclaimer: The enclosed PowerShell script and executable file will introduce vulnerabilities to a system upon execution for training purposes. Do not run this outside of a virtual environment.
Requirements:
This lab provides you with a program to run to make a virtual machine vulnerable. Do not run this outside of your virtual machine. This will make the VM susceptible to attack.
When working with the provided script, warnings can be expected from a host machine with anti-malware programs installed. These provided resources deal with the same remote access tools that are often leveraged by threat actors with malicious intent.
Before powering up the VM, take a snapshot of your virtual machine if possible. This will allow you to revert it to a clean slate after completing the lab, allowing you to reuse the same machine after this lab.
For this lab, the environment can be customized to present an alternate environment from the one pre-configured in system-hardening.ps1.
Set-LocalSecurityPolicy.psm1 has been provided to automate the process of making custom local security policy configurations for easy modification of the provided script. To use a custom local security policy, run the following PowerShell commands on a Virtual Machine from the directory where Set-LocalSecurityPolicy.psm1 has been downloaded:
Import-Module .\Set-LocalSecurityPolicy.psm1
Set-LocalSecurityPolicy
This will output the file base64-encoded-policy.txt to a specified location. Open this file and pull out the value of the variable $EncodedSecpol. This value can replace the default $secpolicy variable located in system-hardening.ps1 to configure custom security policies.
This lab requires a Windows 10 workstation virtual machine.
PowerShell Script Steps:
Extract the lab archive inside your Windows VM. This can either be done by downloading the file inside the Virtual Machine or using VMware tools or VirtualBox shared folders to move files between your host and virtual machine.
Open PowerShell as an administrator. This can be done by right-clicking on the Windows icon in the bottom left corner and clicking Windows PowerShell (Admin):
Disable Windows Defender and set the execution policy to allow the script to run:
Change directories to the folder containing the PowerShell script and associated resource scripts. This will vary depending on the location of the file and the username on the Virtual Machine. Run it with the dot-backslash command:
Note: This PowerShell script is not intended to be reverse engineered to find vulnerabilities on the system, but rather to emulate an authentic vulnerable environment that was caused by other means. This script can be removed from the virtual machine after running to completion.
For this lab, this workstation belongs to one user:
Username: zuko, Password: R0cks!
Username: katara, Password: W@ter
In this environment, Zuko is a local administrator. This lab will focus on auditing local security policies on the host to harden system security.
System hardening is one important step in keeping attackers out of a system and protecting data. On Microsoft Windows, hardening can be done with a few great Graphical User Interface (GUI) tools that can be extended to larger environments. Many settings and configurations that are discussed in this lab can be extended into a larger Active Directory environment and applied to many machines at the same time.
Using Zuko’s account listed above, log in to the VM and open up Local Security Policy Editor. A link to this program has been created on the desktop. This can also be found by searching by name within the Windows task bar.
Within the policy manager, settings are categorized into different types of settings. Various settings within these categories will be modified to improve the system’s overall security posture.
While administrators can check policies within the machine’s GUI using the Local Security Policy editor tool shown above, the command line can be used to identify basic settings even more quickly. This can be useful in Windows Server Core installations where no GUI is available, or on remote machines that are accessed over SSH or PowerShell Remoting. From an administrator PowerShell or Command Prompt session, run the net accounts command to view basic password policies on the local machine:
Within the Local Security Policy editor, underneath Security Settings, expand Account Policies and click on Password Policy:
This pane contains some basic password policies on the local system and mirrors a lot of the information observed in the net accounts output previously shown. For any of the policies displayed within rows in Local Security Policy, a more detailed description with additional context can be found by double-clicking on the item and going to the Explain tab:
The various settings here will likely need to be tailored to fit a specific organization’s policies. The following settings with accompanying rationales are explained below using the CIS (Center for Internet Security) benchmarks for Windows 10 version 1709. Updated guidelines can be found for various versions of Windows on the CIS website.
After modifying local password policies to meet CIS recommendations, the Local Security Policy editor should look like this:
Under the following tab, click on Account Lockout Policy. The following recommendations are again using CIS benchmarks:
After successfully applying these settings, this pane should look like the following:
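The same password and lockout values that the two panes above display can be checked from the command line. The following is an added example, not one of the lab's files: it exports the effective policy with secedit.exe, reads the [System Access] section, and tests each value against caller-supplied rules. The thresholds in the call at the bottom are constructed placeholders; take the real values from the CIS benchmark for your Windows build.

```powershell
# Added example, not part of the lab. Exports the effective local security policy
# and compares the [System Access] values (the ones shown in the Password Policy and
# Account Lockout Policy panes) against caller-supplied rules.
function Test-LocalAccountPolicy {
    param(
        # Setting name from [System Access] => scriptblock returning $true when the
        # current value ($_) is acceptable.
        [Parameter(Mandatory)] [hashtable]$Rules
    )
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    # /areas SECURITYPOLICY limits the export to account and local policies.
    # secedit.exe requires an elevated session.
    secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated PowerShell session.' }

    # Collect "Key = Value" pairs from the [System Access] section only.
    $current = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $current[$Matches[1]] = $Matches[2] }
    }
    Remove-Item $inf -Force

    foreach ($name in $Rules.Keys) {
        $actual = if ($current.ContainsKey($name)) { [int]$current[$name] } else { $null }
        [pscustomobject]@{
            Setting = $name
            Current = $actual
            # A missing key (e.g. LockoutDuration when no threshold is set) fails the check.
            Pass    = ($null -ne $actual) -and [bool]($actual | ForEach-Object $Rules[$name])
        }
    }
}

# Thresholds below are constructed for this example; replace them with the values
# from the CIS benchmark that applies to your version of Windows.
Test-LocalAccountPolicy -Rules @{
    MinimumPasswordLength = { $_ -ge 14 }
    PasswordHistorySize   = { $_ -ge 24 }
    PasswordComplexity    = { $_ -eq 1 }
    LockoutBadCount       = { $_ -ge 1 -and $_ -le 5 }   # lockout threshold
    LockoutDuration       = { $_ -ge 15 }                # minutes
    ResetLockoutCount     = { $_ -ge 15 }                # minutes
} | Format-Table -AutoSize
```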
Underneath Local Policies -> Audit Policy, security policies can be configured to audit certain events. In Windows, system audits often mean logging. While there are no recommendations made from CIS on these settings, enabling auditing on events can help provide context around potential security incidents. View the Explain tab on each setting to familiarize yourself with information that each setting can provide.
Check Success and Failure on each setting to provide the most context on events. Now, open a PowerShell window on the VM. Within the Windows Event Viewer, process creation events will now be shown in the Security log. Under the Task Category Process Creation, the Security log should show the created PowerShell process:
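Once process tracking is audited, each new process is recorded as Security event ID 4688 ("A new process has been created"). As an added example, not part of the lab, the following pulls recent PowerShell launches from that log and shows who started them and from which parent process; the one-hour window is an assumption.

```powershell
# Added example, not part of the lab: read Security event 4688 (process creation)
# and keep only PowerShell launches. Reading the Security log requires elevation.
function Get-RecentPowerShellLaunches {
    param([int]$Hours = 1)   # look-back window (assumed default)
    $filter = @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Convert the event to XML so the named EventData fields can be read directly.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Process = $data.NewProcessName
            Parent  = $data.ParentProcessName   # populated on Windows 10 and later
            # CommandLine is only filled in when "Include command line in process
            # creation events" is also enabled; otherwise this field is empty.
            CmdLine = $data.CommandLine
        }
    } | Where-Object { $_.Process -match 'powershell(_ise)?\.exe$|pwsh\.exe$' }
}

Get-RecentPowerShellLaunches | Format-Table -AutoSize
```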
This policy contains settings related to user rights. This can be useful in reducing the attack surface of a machine and preventing access to unneeded services.
Be cautious about modifying other settings in this pane, as some built-in operating system features may be interrupted by misconfigurations.
This policy contains a wide array of settings that can help increase security posture in various areas of the Operating System. Be cautious when reading each policy, as phrases often contain double negatives. The following settings can aid in further hardening Windows 10:
After successfully setting these policies, a login screen should require a CTRL+ALT+DELETE combination for logging in, and a custom message will be displayed:
When logging in, no other previous users will be visible and the user name will need to be specified before Zuko can log in. This makes an attacker’s life with physical access to a machine more difficult.
Windows Security is a suite of security tools included with Windows 10 that holds many settings that can assist with system hardening. These built-in features can help prevent malware from running, protect against ransomware, and more. Search for Windows Security in the Windows taskbar and go to Virus & threat protection:
In this menu, scans can be performed against the system. This will scan a number of directories against available virus signatures to try to detect malware on the system. Underneath Virus & threat protection settings, click Manage settings. This has additional configurations for Windows Defender.
In organizations handling sensitive data, the Automatic sample submission setting should be turned off. If Defender recognizes a file as malicious and uploads the file automatically to Microsoft, this could result in unauthorized data disclosure. In order to protect against this, turn this setting off:
The Submit a sample manually button can still be used to upload a suspect file.
Additionally, the Exclusions option can be configured to add any legitimate software that is detected by Defender:
This can be useful for a machine that is used by a penetration tester in an organization or someone handling potentially malicious software. This can also be abused by attackers, however, to add exclusions for malicious software. Click Add or remove exclusions:
Remove this exclusion and run another quick scan. A threat should be detected:
Click Remove and Start actions to remove the malware from the host. This should remove the malicious software from the VM.
Under Virus & threat protection, Microsoft Defender offers Ransomware protection. This is a feature currently only available for Windows 10 Pro:
Click on Controlled folder access, and turn the setting on. By default, this will stop file access in user directories from many applications in order to prevent ransomware. For example, PowerShell’s New-Item cmdlet won’t be able to write to Zuko’s Documents folder:
This action will be logged in ransomware protection history in Defender:
This can help prevent ransomware even if an unauthorized program is executed on the victim machine.
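The Defender settings changed through the Windows Security pages above (automatic sample submission, exclusions, and controlled folder access) can be audited with the Defender PowerShell module that ships with Windows 10. This is an added example, not part of the lab; the value meanings in the comments are those documented for Get-MpPreference.

```powershell
# Added example, not part of the lab: report the Defender settings discussed above
# and list controlled folder access blocks. Get-MpPreference works unelevated;
# the Set-/Remove-MpPreference remediation lines need an elevated session.
function Get-DefenderHardeningReport {
    $pref = Get-MpPreference
    # SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples automatically,
    # 2 = never send, 3 = send all samples automatically.
    $sampleSubmissionOff = $pref.SubmitSamplesConsent -eq 2
    # Every exclusion widens what Defender ignores; each one should be justified.
    $exclusions = @(@($pref.ExclusionPath) + @($pref.ExclusionExtension) + @($pref.ExclusionProcess) |
        Where-Object { $_ })
    # EnableControlledFolderAccess: 0 = off, 1 = on (block), 2 = audit mode.
    $cfaOn = $pref.EnableControlledFolderAccess -eq 1

    [pscustomobject]@{
        SampleSubmissionOff      = $sampleSubmissionOff
        ExclusionCount           = $exclusions.Count
        Exclusions               = $exclusions -join '; '
        ControlledFolderAccessOn = $cfaOn
        RealTimeProtectionOn     = -not $pref.DisableRealtimeMonitoring
    }
}

function Get-ControlledFolderAccessBlocks {
    # Event 1123 in the Defender operational log records each blocked write; these
    # are the entries shown under "Ransomware protection history".
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123 } `
        -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

# Remediation for the settings the lab changes (elevated session):
#   Set-MpPreference -SubmitSamplesConsent 2
#   Set-MpPreference -EnableControlledFolderAccess Enabled
#   Remove-MpPreference -ExclusionPath '<path of an exclusion that should not exist>'

Get-DefenderHardeningReport | Format-List
Get-ControlledFolderAccessBlocks | Format-Table -AutoSize
```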
In Windows Security, navigate to Device Security and then click on Core isolation. Memory integrity is one feature that can be turned on to prevent certain processes from tampering with each other:
Reputation-based protection is a feature built into Microsoft Edge that can prevent malicious sites from being accessed. Turn this feature on underneath App & browser control:
The Windows Defender Firewall is a built-in feature that restricts network connections inbound and outbound from a local machine. Default firewall rules often suffice for individual workstations. Underneath Firewall & network protection, ensure that all network profiles are enabled:
A link to Windows Defender Firewall with Advanced Security has been placed on the VM’s desktop. Open this to view all inbound and outbound network traffic rules on the host. Many of these default inbound rules, such as Skype, Xbox, and Cortana are for applications that are not used. Disabling inbound rules can reduce the device’s attack surface over a network. Similarly, outbound rules can also be disabled for any unused apps. Modify these rules to only allow communications for approved applications.
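The profile check and the inbound rule review above can be scripted with the NetSecurity module. As an added example, not part of the lab, the following warns if any profile is disabled and lists every enabled inbound allow rule with the program or Store package it is bound to, so rules for unused applications are easy to spot.

```powershell
# Added example, not part of the lab: confirm all firewall profiles are on and
# list enabled inbound allow rules with the program or package each one covers.
function Get-InboundAllowRules {
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
    $disabled = $profiles | Where-Object { -not $_.Enabled }
    if ($disabled) {
        Write-Warning ('Firewall disabled for profile(s): ' + ($disabled.Name -join ', '))
    }

    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            # The application filter tells us what the rule actually opens the port for.
            $app = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Group       = $_.DisplayGroup
                Profile     = $_.Profile
                Program     = $app.Program   # 'Any' when the rule is not bound to an executable
                Package     = $app.Package   # set for Store apps (e.g. Xbox, Cortana)
            }
        }
}

# Review the list, then disable the rules of a group that is not needed, e.g.:
#   Get-NetFirewallRule -DisplayGroup '<group name from the list>' | Disable-NetFirewallRule
Get-InboundAllowRules | Sort-Object Group, DisplayName | Format-Table -AutoSize
```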
User Account Control (UAC) is a feature in Windows that informs the user prior to administrator privileges being used. When UAC is turned on, opening a program as an administrator will be interrupted with a confirmation message. This step can help interrupt malware from successfully running on a system. To toggle this feature, search for user account control in the Windows taskbar:
There are various settings available to notify the user at different times on a workstation. For most users, the second option from the top should work:
After committing this change, try opening up an administrative PowerShell session. You should now be greeted by User Account Control prompting for confirmation before using administrator privileges:
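The slider writes its choice to the registry, so the level can be verified without opening the dialog. This is an added example, not part of the lab; the mapping of registry values to slider positions in the comments is the one Windows documents for these keys.

```powershell
# Added example, not part of the lab: read the UAC values the slider sets and
# report which notification level is in effect.
function Get-UacLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $key
    # EnableLUA 0 turns UAC off entirely. ConsentPromptBehaviorAdmin 2 = always
    # prompt, 5 = prompt only when apps make changes, 0 = elevate silently.
    # PromptOnSecureDesktop 1 dims the desktop while prompting.
    $level = if ($v.EnableLUA -ne 1) { 'UAC disabled' }
        elseif ($v.ConsentPromptBehaviorAdmin -eq 2 -and $v.PromptOnSecureDesktop -eq 1) { 'Always notify (top option)' }
        elseif ($v.ConsentPromptBehaviorAdmin -eq 5 -and $v.PromptOnSecureDesktop -eq 1) { 'Notify when apps make changes (second option, default)' }
        elseif ($v.ConsentPromptBehaviorAdmin -eq 5) { 'Notify without dimming the desktop (third option)' }
        elseif ($v.ConsentPromptBehaviorAdmin -eq 0) { 'Never notify (bottom option)' }
        else { 'Custom policy values' }
    [pscustomobject]@{
        EnableLUA                  = $v.EnableLUA
        ConsentPromptBehaviorAdmin = $v.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $v.PromptOnSecureDesktop
        Level                      = $level
    }
}

Get-UacLevel
```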