10 essential PowerShell security scripts for Windows administrators

In the 12 years since Microsoft released PowerShell, it has become the de facto tool for dependably administering servers. In August 2016, it was made open source and cross-platform with the introduction of PowerShell Core. Microsoft also purchased GitHub in June 2018, making it the home of a growing catalog of PowerShell scripts.

CSO has identified ten of those scripts that should be part of your security team’s toolbox. You can use some of the scripts below to add security. Some let you review the security status of a network. Others allow you to see what an attacker would do to a system. All show that PowerShell is now a key part of a Windows administrator’s toolkit.

These 10 PowerShell scripts should not be considered standalone, but as part of a much larger collection of tools needed to manage workstations and servers. Even attackers acknowledge that PowerShell is key to controlling workstations, which makes it a common way for attackers to pivot and move laterally across a network once they gain access.

As always, remember that if you have not run PowerShell scripts on a system before, you will have to adjust its settings to allow them to run. If the execution policy is not already set to allow scripts, set it manually with Set-ExecutionPolicy Unrestricted, run the readiness script, and then adjust the execution policy back to the setting your firm requires.

1. POSH-Sysmon: Configuring Sysmon

Microsoft’s Sysmon is a tool that monitors a system, logs granular events to the Windows event log, and stays resident across reboots. For any edge-based system or public-facing web server, I strongly recommend installing and configuring Sysmon to better track future attacks. You should anticipate that you will be attacked and plan accordingly.

However, configuring each system independently can be a hassle. The PowerShell script POSH-Sysmon requires PowerShell 3.0 or above and lets you use PowerShell to easily create and manage Sysinternals Sysmon v2.0 config files. The events Sysmon generates can be collected with Windows Event Collection or SIEM agents; you can then analyze them to identify malicious or anomalous activity and understand how intruders and malware operate on the network. As noted in the project’s blog, one example is using the ProcessAccess filter on the Local Security Authority Subsystem Service (LSASS) process to detect a malicious process trying to extract credentials from memory.
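To make the LSASS ProcessAccess rule concrete, the following is an added example written for this page (not CSO’s or the POSH-Sysmon project’s code; POSH-Sysmon’s cmdlets produce equivalent XML): it writes a minimal Sysmon config, installs it, and summarizes the resulting Event ID 10 records by source process and access mask. The Sysmon64.exe location, the config path and schemaversion 4.22 are assumptions you should adjust to your installed Sysmon version.

```powershell
# Added example, not code from the article or from POSH-Sysmon.
# Assumptions: Sysmon64.exe is in C:\Tools, schemaversion 4.22 matches the installed
# Sysmon (run "Sysmon64.exe -? config" to check), and this runs in an elevated shell.
$SysmonExe  = 'C:\Tools\Sysmon64.exe'
$ConfigPath = 'C:\Tools\sysmon-lsass.xml'

# Event ID 10 (ProcessAccess) is noisy, so only log opens of lsass.exe and exclude the
# 0x1000 mask (PROCESS_QUERY_LIMITED_INFORMATION) that ordinary tooling requests.
# In Sysmon, exclude rules take precedence over include rules for the same event type.
$Config = @"
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="LSASS access" groupRelation="or">
      <ProcessAccess onmatch="include">
        <TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
      </ProcessAccess>
    </RuleGroup>
    <RuleGroup name="LSASS access exclusions" groupRelation="or">
      <ProcessAccess onmatch="exclude">
        <GrantedAccess condition="is">0x1000</GrantedAccess>
      </ProcessAccess>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"@

Set-Content -Path $ConfigPath -Value $Config -Encoding UTF8
# First-time install; on a host already running Sysmon use "-c $ConfigPath" instead.
& $SysmonExe -accepteula -i $ConfigPath

# Pull the Event ID 10 records produced by the rule and summarize who opened LSASS
# with which access mask. Unexpected SourceImage values are what to investigate.
$Filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 }
Get-WinEvent -FilterHashtable $Filter -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time          = $_.TimeCreated
            SourceImage   = ($data | Where-Object Name -eq 'SourceImage').'#text'
            GrantedAccess = ($data | Where-Object Name -eq 'GrantedAccess').'#text'
        }
    } |
    Group-Object SourceImage, GrantedAccess |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Forwarding the Microsoft-Windows-Sysmon/Operational channel to your collector, as the article suggests, lets the same grouping be run fleet-wide rather than host by host.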