Book Image

PowerShell Automation and Scripting for Cybersecurity

By : Miriam C. Wiesner
5 (2)
Book Image

PowerShell Automation and Scripting for Cybersecurity

5 (2)
By: Miriam C. Wiesner

Overview of this book

Take your cybersecurity skills to the next level with this comprehensive guide to PowerShell security! Whether you’re a red or blue teamer, you’ll gain a deep understanding of PowerShell’s security capabilities and how to use them. After revisiting PowerShell basics and scripting fundamentals, you’ll dive into PowerShell Remoting and remote management technologies. You’ll learn how to configure and analyze Windows event logs and understand the most important event logs and IDs to monitor your environment. You’ll dig deeper into PowerShell’s capabilities to interact with the underlying system, Active Directory and Azure AD. Additionally, you’ll explore Windows internals including APIs and WMI, and how to run PowerShell without powershell.exe. You’ll uncover authentication protocols, enumeration, credential theft, and exploitation, to help mitigate risks in your environment, along with a red and blue team cookbook for day-to-day security tasks. Finally, you’ll delve into mitigations, including Just Enough Administration, AMSI, application control, and code signing, with a focus on configuration, risks, exploitation, bypasses, and best practices. By the end of this book, you’ll have a deep understanding of how to employ PowerShell from both a red and blue team perspective.
Table of Contents (19 chapters)
1
Part 1: PowerShell Fundamentals
6
Part 2: Digging Deeper – Identities, System Access, and Day-to-Day Security Tasks
12
Part 3: Securing PowerShell – Effective Mitigations In Detail

Hacking the Cloud – Exploiting Azure Active Directory/Entra ID

In the last chapter, we looked at Active Directory (AD) and on-premises authentication. In this chapter, we are looking at its successor and cloud identity provider (IdP): Azure Active Directory (AAD/Azure AD).

As of July 11, 2023, Microsoft renamed Azure AD to Entra ID. As this was just shortly announced before this book was released, we will refer to Entra ID just as Azure Active Directory, Azure AD or AAD in this chapter.

AAD is Microsoft’s cloud-based enterprise identity service. It provides single sign-on (SSO), Conditional Access, and multi-factor authentication (MFA) to protect users against various attack vectors, no matter whether they were initiated on-premises or using cloud-based techniques.

AAD is a multi-tenant cloud directory and authentication service. Other services, such as Office 365 or even Azure, rely on this service for authentication and authorization, by leveraging the accounts...