
I'm good to go. All right, all right. So I want to say thanks for showing up; this is about how many people I thought would be here this afternoon, I'm just saying. So I've got to clarify the title. This title has been a big topic in my household. So I call it JEA Power; you gotta, you know, raise your arm. My wife started asking me, well, what's JEA Power, what are you talking about? And I told her, well, it's PowerShell JEA. She goes, oh no, no, no, no, you've got to change the title. I said, too late, it's already in print. So I had this really great image for my icebreaker slide, right, because you've got to raise your arm and you've got the power, but a couple of guys in my office had a different image in mind. This is kind of what they thought of as soon as I said jiu-jitsu. All right, so I kind of went with that, but trust me, you'll see my other slide later.

So a little bit about me. I didn't do the little cool, you know, "whoami" or anything like that; a little old school. So I've been in the military for about 23 years; anything after 20 you just quit remembering it, with the last 19 years of it being in a Windows environment. I've gone from, you know, classroom support, help desk, to server admin and all that stuff. I've also recently started my track on becoming a SANS certified instructor. I am a community slash mentor for SEC504 and 505, the Windows and the incident handling. I'm self-taught in PowerShell, so everything I know I've read online, I've watched the videos and all that stuff, until I took the SEC505 class, but then there wasn't much in there I learned because of all the other self-teaching I've done. So if you want to follow me, I've got my Twitter and all that good stuff up there.

But I've got to mention my passion for PowerShell. I've got this passion, I don't know what it is; just as soon as I learned it I was like, this thing is awesome, and so I just started learning everything I could about it. So we're walking around the office and we're talking about different problems and how to solve things, and of course with my passion for PowerShell, every other word out of my mouth is, oh, we can script this, we can PowerShell that, and I just see this look in my co-workers' eyes, right? That's what it looks like: say it one more time, say it one more time. So the passion runs deeper than just at work. I've got a 16-year-old at home, right, and we were driving home one day and he decides he's going to tell me, oh, I don't use PowerShell, I use VBScript and batch scripting. He about made me wreck my truck, right? So I disowned him and all that stuff, but just so you guys know, last night he told me he started doing more stuff in PowerShell, so I said he'll be more than welcome to be back in the family.

All right, so what is this PowerShell JEA thing? Well, Microsoft says Just Enough Administration is a security technology that enables delegated administration for anything that can be managed with PowerShell. That's a whole lot. So what it boils down to is you can take a cmdlet and you can allow somebody to run that cmdlet, whether it's an admin cmdlet or just a user cmdlet, and it only takes a user to run it. So you can narrow down exactly what somebody can do with PowerShell. So if you guys know Jeffrey Snover, I kind of liked his analogy: he said it's like a key ring, right? So say you're going out of town for a while and you've got a neighbor who needs to check on the cats or dogs or something at your house. Instead of giving your neighbor the whole key ring with, you know, your office key on there, your house key and your truck key and all this stuff, you just give them your house key and say, hey, feed my animals while I'm gone, but you're not taking my truck key because you're not moving other people with my truck, right? And then you think, well, you need more than just my house key, you need to check my mail too, so here's my mailbox key, but you're not getting my office key or my safe key. So that's kind of like what PowerShell JEA is: instead of giving somebody a block of admin rights, you're just divvying out a little bit of rights here and there. What I say is it's a really cool way to empower your users to do your job for you, and I've got plenty of examples about that. Again, it's a way for your users to run administrative tasks without giving them power user rights or full admin rights on the machine. A big takeaway from this is, if you do enable this, this is not a project; this is not going to be set it and forget it. And a prime example is, if you give one user elevated permissions to do this one thing, guess what, his partner wants to be able to do that too, and next thing you know you're handing this thing out like candy.

So if you're going to run this, these are your requirements, and I would just like to point out the fact that there is no PowerShell Core on here, so therefore it will not run on Linux. That's pointed at somebody in this audience right here, just saying. So it does require PowerShell remoting. The big takeaway from this one is, on Windows servers it's enabled by default. If you're going to enable JEA on your workstations, you need to make sure you enable PowerShell remoting, because it is turned off by default.

So how does all this work? Well, the short answer is a user is going to use Enter-PSSession, right, but instead of just a normal Enter-PSSession, he's going to specify an endpoint to connect to. And when he does that, there's a file that's going to create this virtual admin account on the machine, and so basically he's going to be running these commands in a run-as type mode, and that virtual account, that virtual admin, is only there for that one session. As soon as the user logs out, the admin account is deleted. So this is great: if somebody is in your system and they're running Mimikatz and they happen to catch the credentials of that virtual admin account, it's only going to be good for that one session, 15, 20 minutes, however long that guy is on that one system, and it is a local admin account, so those credentials will not work on another machine in the environment. And there's a role capability file that will tell this virtual admin account, hey, the user that is running this, he's only allowed to see these particular commands, and you can narrow it down as tight as you want. All right, so yeah, the user is going to do what he needs to do and then he's going to exit out, and then, like I said, the virtual account is deleted.

So here's this role capability file. This is kind of like the heart; this is the hardest thing to configure, I would say, at least it was for me when building the demo. So this is the file that controls what the user is able to see. That virtual account will be able to see everything, so every one of the cmdlets that's available; however, the user on the other side of that virtual account is only going to see what is specified in this role's capabilities, whether it's the module, the external commands like whoami, sc, things like that, any special scripts that you've created, your .ps1 files. You'll have to specify them in here, otherwise the user will not be able to run them. So here's where I would like my laser pointer to work, because there's a lot going on here. This here, oh, you can't see it, so right there, if you can see where it says New-PSRoleCapabilityFile, that is the actual cmdlet that will create your role capability file. So once that role capability file is made, you can actually open it up with any text editor and then fill in the rest of what you see on the slide here. So your VisibleCmdlets, that's going to be what the user can see on the other end, and then you have your VisibleExternalCommands; those are those commands, as you can see in here it's using whoami, those are your other commands that are not PowerShell that, if you wanted that user to run, you're going to have to specify them there, along with all your .ps1 scripts that you create.

So how's all this tied together? So we've got the role capability file; now we have to associate it with that user or users or that group. This here is where the session config file comes in, and this is going to control who can log into that machine and who cannot, and then it'll also link that role capability file to that user as well. Again, it talks about the users. The key note here is I said it was a local admin account on the machine, except if you enable this on the domain controller; if you enable this on the domain controller, he is now a domain admin, but you still have the same restrictions. So you could use this for, like, your DNS admins or anything like that, your AD admins, so their virtual account will be in Domain Admins, but you only give them the cmdlets for DNS or Active Directory and that's all they'll be able to do. So I keep talking about this virtual account that gets built on the fly; you can specify your own accounts, or you can use group managed service accounts if you need network access. However, the downfall to that is it'll be harder to link who ran what command, or what commands were run and who ran them, because it's only going to be linked to that service account that everyone is using. So that first bullet is the cmdlet that you need to create the file. So once the file, again, is created, you can go into the file and then specify all the other things in here, like your transcript directory, where do you want your transcripts to go, so you can audit who's doing what on your machine, and then you have your role definitions. This is the part that is linking your groups, as you can see here the DNS admin group, to which role capability file it's going to use whenever they remote in, and we're going to take a look at these because in the demo I actually did it a little differently: instead of actually opening it back up, we did it all in one command line, so you'll see what that looks like as well.

So this is just kind of a review of how all this is going to work together. So you have your users, and then you've got your session file sitting on the machine. They're going to Enter-PSSession, and now, like I said, they're going to have to specify which endpoint they're going to connect to; that's what the last part is, you know, the endpoint, and then whatever session config they're going to connect to. Then that session config is going to build that virtual account; that virtual account is going to look at the role capability file and say, okay, what are you authorized to run, and then it's going to come back and say, okay, well, he's authorized to run these cmdlets or these commands or these scripts, and that's just what the user is going to see. So now we get to do the fun stuff.
All right, so I'm going to pull this down right quick. So as you can see, I've only got three virtual machines running. I've got a domain controller, because I need the Kerberos stuff; then I have my JEADemo server, that's the one we're going to enable JEA on and we're going to remote into; and then I've got my client server, which is where I'm going to do all my work. And there's many ways to tackle this, but the way I'm going to tackle this is I'm going to create all the files and everything I need locally on my client machine and then I'm just going to push it to my one server, and this is just to symbolize that you can create everything locally and, if you have a list of machines, you can just push it out to all the machines at once that you want to enable this on. All right, because otherwise I could just sit on the demo server and type all this stuff and it'll work, but I wanted to demo something that's more realistic.

So we're going to start off. I'm going to show you that I don't have a whole lot built here. I forgot this part takes a minute, but these are the users that we're going to be working with: I have my JEA contractor, I have my JEA developer, and then my JEA admin, who is a domain admin, and then my JEA user, who I'm logged in as. So just to show you who is in the Domain Admins group, you're going to see just the JEA admin, my built-in Administrator, and that's it. And then under my users, this is just to show that I'm not playing any tricks or anything like that, so everybody else is in the Users group: my dev, my admin, my user, all that good stuff.

So as an administrator, we're going to log in now. I just kind of want to show you, as you can see, now that we're in the demo server, you can tell we're in the PS session because of the name out next to it, but I wanted to show you what all commands are available if you log in and you have full rights to it. As you can see, this is everything that's available to me; this is pre-JEA. I'm going to stop that and I'm going to exit, and then I'm actually going to go back in as dev, and just to show you, I have access denied right now. I'm not authorized as the developer to log into this machine. Now I could show you that the contractor's not either, but they're in the same groups and we're just going to get the same results.

So now when we build this thing, we're actually building a module and a folder and everything that has to sit in the PowerShell Modules folder, and that's what this command line is doing here. It's just building my Modules folder locally on my client machine, and we're going to name the module BSidesJEA, and then in the next command I'll talk about that in a second. So as soon as that's done, we've created our folder, and here's our demo files; but nope, that's actually what I'm working out of. So here's my config files; these are what we're going to push to our demo server when we're done. So this RoleCapabilities folder, this is important: this is where all your role capability files are going to go, and your folder has to be called RoleCapabilities, otherwise JEA will not see it, it will not work. I've tried it; it gave me a headache trying to figure that out or remembering about that. So we're going to go ahead and create that. So that's done.

So here we go. So in the PowerPoint I showed you the cmdlet to create that role capability file, and this is it right here, and as you can see we're just going to put it in our Modules folder, in our RoleCapabilities folder, and we're going to create a role capability file called Developer. So this one here is going to be for our web developers. So we're going to create that, and then just to kind of show you what it looks like, we're going to open it up; we're not going to open it up; we'll open it up a different way. So yeah, I mean it's a little bit harder to read here, but essentially there's nothing configured in here. So let's see, this is one of the things I do have pre-cooked, kind of like HGTV, I'm pulling the turkey out of the oven. So that one did open. So this is essentially what it looks like when you fill it out, right: the company unknown and all this is actually put in here by default, the copyrights, all that stuff. The only thing I had to build was this right here, the VisibleCmdlets. So I'm going to give our developers Restart-Computer, and I'm also giving them Restart-Service, but I'm not just going to let them restart any service; I'm narrowing that down to the Spooler service and the BITS service. I was going to get all fancy and everything and create a whole website and, you know, give them the IIS service, but I just got lazy; this is much easier. So when we show this later, we're going to restart the Spooler and the BITS service and you're going to see that it's successful, but we're going to try and restart some other services and see that it fails. And I think, yep, so I gave the developers an external command of whoami as well, because I wanted to show you guys what the virtual account looks like.

So now we're also going to create a role capability file for our contractors, and that's done. Let's see if this one opens; yeah, that one opens. So this is actually what a blank one looks like; as you can see, there's no modules or anything specified in there, everything is commented out, so you'll have to go in there and fix it. Let's go ahead and I'll show you what the pre-cooked one I did was. So I'm only giving the contractors Restart-Computer. Now there's a reason I came up with these particular ones: I had a contractor at my last job, he worked off post and he was in control of this one app that we had, but I controlled the server. He'd get bored at work and decide that he was going to come in the office and have me reboot his computer, his server, and I had 15, 20 different things on my plate that had to get done that day, and I had to stop everything so I could reboot his server. So if I'd just given him this one cmdlet, he could have stayed at his own office and rebooted his own server. I'm not bitter or anything, I'm just saying.

So earlier I talked about creating that session file that links your role capabilities to your user groups, and I said, you know, there's the one small command that you can create and then just open up the file and modify it, and I said, but in our demo I'm just going to do it on one command line, and that's this one right here. So I'm going to put it in the same path, and this one is our session configuration because it ends with .pssc. I'm going to give it a SessionType of RestrictedRemoteServer, so as soon as I enable this, anybody who can remote PowerShell into this machine is not going to be able to unless they use the endpoint that we specify, that BSidesJEA that I showed you earlier. And we are going to run it as a virtual account; we're going to keep that as true; we're not going to create any virtual accounts. So here's my role definitions. This is the meat of it right here; this is what is gluing your user groups to those role capability files, and I've got groups of developers and contractors and I'm giving them the capabilities of the Developer and Contractor that we just created. So I'm going to highlight all that, and now that's done. Did I close it? I did close it.

I just kind of want to show you guys what we've built so far. So here's what's going to be the Modules folder; this is the module we're building; here's that restricted session file that we created; here's our role capability files that we've created, so if you had more, you'd have more capability files in here as well. So let's take a look and see what that looks like, and here we go. So here's our transcript directory, virtual account is true like we wanted, and here are the role definitions; this is again the glue of what's gluing all this together. Close that one out.

So here we go. So now that we've got everything created, uh oh, I've got to move everything over where it needs to be. So all I did here is I just copied everything from my demos folder, the one that I've had pre-cooked, and put them into the module that we just built; that's all I did there. So now I'm going to take this and I'm going to copy it all over to that JEADemo server. Let's just do it this way. Got my session. Now, when we're building this and moving it over, we will have to be an admin, and you can't really see it, but I am logging in as the JEA admin here. So there's that session. Before I do that, I want to jump over here, just to show you: so we're in the Modules folder, I'll hit refresh just so you can see we don't have our JEA module over there just yet. Now we're going to hit go, and it just all copied over; slide that back up, and yeah, BSidesJEA, and so now it's all there.

However, we're not done yet. We've created the files, we've got the files in place; now we just have to register the sessions, and I'm going to do that a little bit differently. So Get-Credential. So I'm going to see what PS session configurations are already on the machine first, so we're going to do that; of course you do have to be an admin to do this. Okay, so we're looking at these names and I see some Microsoft stuff and, yeah, some Microsoft stuff. So let's head back up here and let's go ahead and register that session, and what we're doing is I'm going to invoke the command, yeah, this bottom one here, the Register-PSSessionConfiguration; we're registering the BSidesDemo, and then I have to give it a file path of where the session config file is. So that's what this command here is doing, so run that. Now you guys see why I have all these commands pre-cooked. Okay, so we see a couple of things here. We see this warning that says, hey, your PS session configuration has been enabled or whatnot, you may need to restart the WinRM service, and then I see this. I've seen this more times than not, and I have yet to dig into why I'm getting that error; sometimes I'll get it, sometimes I won't. So what I end up doing here, and I've been pretty successful so far, is I will do what it tells me to and I will restart the WinRM service. Okay, let me just go back in and look at our sessions, make sure it's there. So now we see Microsoft stuff, Microsoft stuff, Microsoft, Microsoft, BSidesDemo. So it's there.

So now we're down here. So we're going to take this first command, this Enter-PSSession; we're going to test it with the JEA dev, the developer. So let's see what happens with him, and he failed, and I will tell you why he failed. Anybody remember, anybody know why he failed? Okay, so earlier in the PowerPoint I said, when you enable JEA you're going to have to Enter-PSSession and then you're going to have to specify which endpoint or session configuration he's going to be using. We did not do that here, and that is why he failed. So if I use this command, the Enter-PSSession, the demo server, and then, as you can see, I'm specifying the configuration of BSidesDemo, now he will be able to work, and he's in, and that's what it took.

So now that we're here, let's Get-Command, let's see what he's able to get. All right, so he has Restart-Computer, Select-Object; wait a minute, we didn't give him Select-Object, we gave him Restart-Computer. Well, in PowerShell JEA there is a small set of commands that they're going to get by default, you know, and that's here; everybody gets these regardless, and that's why they're here. So he does have Restart-Computer. Okay, well, let's see what else I have in here; oh yeah, he has Restart-Service as well, so let's try restarting BITS. Well, that seemed to work. So let's do a Restart-Service; ah, good teaching moment, because I keep forgetting: I'm in love with the Tab key, but inside PowerShell JEA you don't have tab completion. Ah yeah, so that stinks. So now I actually have to type this out. So -Name, we're going to try the DNS service; should fail; there you go. But here's a key: the argument DNS does not belong to the set of Spooler or BITS. Remember back in the config file, when we built that, we had a ValidateSet keyword in there, so that ValidateSet is telling the session config, or that's given in the role capability file, saying, hey, these are the only services that they can restart, so he cannot restart any other service. So I believe we gave him whoami as well, so let's look at that. So he is this virtual account, and as you can see by looking at how this virtual account is created and built, the virtual account ties it back to the JEA developer. So earlier, whenever I mentioned creating your own service accounts and managed service accounts and all that good stuff and it being harder to trace back, this is what I was talking about. All right, so let's exit out; he's done.

Let's see, who do we have next? We have our contractor; oh no, no, we have our user, that's right, I swapped it, there's a reason. So let's see what our user can do. He got access denied, because he is not in that session configuration file; he was not authorized to remote into that machine whatsoever. So now let's look at our contractor. Can our contractor remote in? And he is in. Well, let's see what commands he can do. All right, so he's got the Restart-Computer just like we told him he could have; looks like he's got all those same defaults; doesn't look like he's got anything else. So let's just go ahead and restart a service, let's just see; ah, the term Restart-Service is not recognized. So this virtual account can see that Restart-Service is there, but he's not going to allow that user to run it, period, whatsoever. All right, well, whoami; well, it worked for the other guy; ah, it's not recognized either; well, he's not allowed to run that command. Okay, so this is why I wanted to do user first. So our demo server is up; let's see, can he restart the computer? No, it failed to restart; oh, it failed. This is a typical failure, because you have to use -Force because somebody's already logged in. Okay, so if I remember correctly, yep, I ran into that problem once before, or pretty commonly. So now it looks like it's restarting; let's take a look, and it's stopping the services.

So that is pretty much JEA in a nutshell. There's a lot more to it as far as, you know, getting in and looking at those config files, and like constrained language mode; there's all kinds of other things you can do inside there. I just hit the very high points. So where do we go from here? Well, from here, just remember this is not a project; you're not going to set this and forget it. You're going to set this and it's going to be a routine thing that you're going to have to do any time your, let's say, developer says, oh, you let me restart the IIS service, well, I need to restart the WWW service as well. Well, now you have to go back in, you have to edit your config, you will have to unregister and re-register the JEA thing again as well. I really, really love this. I'm a big fan of empowering users to do minimal admin stuff that they do at home that they can't do at work. You know, so many times as an admin and help desk guy I was like, well, I do this at home, why can't I do it here? Well, now I can let them do it; they'll be happy, it'll be less for me to do, and I'm just a huge fan of things like that. So when you do empower your users, right, it gives them the power; it makes them feel like they have the power, right?

So here's all the references that I had gone through to build this thing. I did learn some of it from my SEC505 class. Again, I will post these slides and my code and everything out somewhere at some point. So if you want to follow me on Twitter; I also use Twitter and LinkedIn to post whenever I'm doing any of those SANS classes.
So when I tested this, when I went through this briefing the other day, I spent a whole 50 minutes with questions; for some reason I'm running a little fast, so at this point I'm hoping you guys have lots of questions to fill my time. If not, go ahead and clap, make me feel good. That's not happening. No, seriously, any... Yes. So the question is, can you make this work as a blacklist and not a whitelist? I don't know. Trying to think of how that might even work, because the way it's developed is to blacklist everything and only allow this or that. There may be something else inside Windows that you can restrict the use of certain cmdlets with; I just haven't gone down that road.

Sir. "Within your output I saw you were getting the things that your users were capable of doing, with that next to it, versus..." So the question is, or there was a point made, that some of my outputs said cmdlet next to it versus not showing, I'm assuming, like the whoami command. "Well, if you go back to your user VM and the output when you're trying to figure out what permissions they have, the permissions that you did have, or that command right next to it." Right, yeah. So whenever I run Get-Command after I've done the remote PowerShell, it only listed the cmdlets that were available. I'm going to assume that's just a Microsoft thing and it's not going to show you what actual commands... Well, you could almost look at it as, like, Get-Command: what does that normally give you outside of PowerShell JEA? Does it normally give you, like, oh, he can run sc, he can run whoami? I'd have to dig into that to be sure, but I'm going to assume that, because Get-Command is looking for what cmdlets you're going to run, like, you know, if you're looking for a certain command line. I think so, I think so.

Yes, sir. "In terms of being very restricted, you have to use JEA defaults in certain user categories; what was the extent...?" Yes, so I'm glad you brought that up. I've got time, let's test it, because I've read two different things: I've read that if you're in the local Admins group you're going to have access regardless; however, I read something somewhere else that said once you enable JEA nobody has it unless it's configured in the resource file. So let's do this, and I actually thought of this earlier today. So let's just go back to the top; here we go, so we still have JEA enabled, my server's back up, so we're going to do... I don't want that; there, happy. Okay, so here we go, JEADemo, JEA admin. So yeah, oh wait, he's still trying; yeah, so I guess I got in. Yep, yeah, so if you're an admin on that machine, you're still going to be able to get in whether JEA is enabled or not. So this is how you're going to restrict your developers. I'm going to throw that out there, because I chose developers because in my last unit we got tired of dealing with our developers so we just gave them admin rights on the machine. Does a developer really need full admin rights on a local web server? No. They do need access to some of those services that are on there, though, that they normally wouldn't have as a user. So that's why I kind of used them as the example as well. Any other questions? I can't tap dance for 20 minutes. So I guess that's it for us. I appreciate it.
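Editor's note: the following is an added worked example, not the speaker's demo code or slides. It puts the pieces the talk walks through (module folder, RoleCapabilities folder, the two .psrc files with the Restart-Service ValidateSet, the .pssc with RunAsVirtualAccount and RoleDefinitions, registration, and the endpoint-qualified Enter-PSSession) into one Windows PowerShell 5.1 script run as an administrator on the target server. The module, role and endpoint names follow the talk; the CONTOSO\JEA_* group names, the C:\Transcripts path and the CONTOSO\jea.dev user are assumptions for illustration. Two checks the talk did not show are included: Test-PSSessionConfigurationFile before registering, and Get-PSSessionCapability to see exactly what a given user will get without logging in as them.

```powershell
# Added example (not from the talk). Run elevated on the JEA target server.
# Assumptions: group names CONTOSO\JEA_Developers / JEA_Contractors, transcript
# path C:\Transcripts, and test user CONTOSO\jea.dev are placeholders.

$ModuleName = 'BSidesJEA'
# The all-users module path is on $env:PSModulePath by default in Windows PowerShell 5.1;
# JEA only finds role capability files inside a module on that path.
$ModulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RolePath   = Join-Path $ModulePath 'RoleCapabilities'   # folder name must be exactly this

New-Item -ItemType Directory -Path $RolePath -Force | Out-Null
# A module needs a manifest (or .psm1) named after its folder to be a valid module.
New-ModuleManifest -Path (Join-Path $ModulePath "$ModuleName.psd1")

# Developer role: reboot, restart only Spooler or BITS, and whoami.exe so the
# user can see the virtual account they are running as.
$RestartServiceLimited = @{
    Name       = 'Restart-Service'
    Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'BITS' }
}
$DeveloperRole = @{
    Path                    = Join-Path $RolePath 'Developer.psrc'
    VisibleCmdlets          = 'Restart-Computer', $RestartServiceLimited
    VisibleExternalCommands = "$env:SystemRoot\System32\whoami.exe"
}
New-PSRoleCapabilityFile @DeveloperRole

# Contractor role: reboot only (Restart-Service and whoami are not even visible).
New-PSRoleCapabilityFile -Path (Join-Path $RolePath 'Contractor.psrc') `
    -VisibleCmdlets 'Restart-Computer'

# Session configuration. RestrictedRemoteServer supplies only the handful of
# default cmdlets the demo noticed (Select-Object etc.); RunAsVirtualAccount is
# the per-session local Administrator (Domain Admin on a DC); RoleDefinitions
# is the glue from security group to role capability name.
$SessionFile = Join-Path $ModulePath 'BSidesDemo.pssc'
$SessionConfig = @{
    Path                = $SessionFile
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = 'C:\Transcripts'
    RoleDefinitions     = @{
        'CONTOSO\JEA_Developers'  = @{ RoleCapabilities = 'Developer' }
        'CONTOSO\JEA_Contractors' = @{ RoleCapabilities = 'Contractor' }
    }
}
New-PSSessionConfigurationFile @SessionConfig

# Validate the .pssc before touching WinRM; a malformed file is one reason a
# registration can misbehave and need a WinRM restart.
if (-not (Test-PSSessionConfigurationFile -Path $SessionFile)) {
    throw "Session configuration file failed validation: $SessionFile"
}

# Register the endpoint. This restarts the WinRM service; -Force suppresses the
# prompts and overwrites an existing registration, so re-run it after changes.
Register-PSSessionConfiguration -Name 'BSidesDemo' -Path $SessionFile -Force | Out-Null

# Confirm the endpoint exists alongside the Microsoft.* defaults.
Get-PSSessionConfiguration | Select-Object Name, RunAsVirtualAccount

# See what a specific user would be able to run, without connecting as them.
Get-PSSessionCapability -ConfigurationName 'BSidesDemo' -Username 'CONTOSO\jea.dev' |
    Select-Object Name, CommandType

# From the client: the endpoint name is mandatory. Without -ConfigurationName the
# connection lands on the default endpoint and is denied, exactly as in the demo.
# Enter-PSSession -ComputerName JEADemo -ConfigurationName BSidesDemo -Credential (Get-Credential)
```

Inside the session, `Restart-Service -Name DNS` fails with the ValidateSet error shown in the demo, while `Restart-Service -Name BITS` succeeds; `whoami` returns the `WinRM Virtual Users\WinRM VA_<n>_<domain>_<user>` name that ties the virtual account back to the connecting user, which is the audit property the speaker contrasts with a shared service account.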