Mosh

Prevent credentials from being exposed


At the moment, when a collector executes a PowerShell script, the command line of the PowerShell process will expose credentials (the <removed> parts in the example below).

The better way to do this would be to save the strings to temporary files (this would be done by the collector agent), and the PowerShell scripts should read the content from the files and pass them as arguments to the script cmdlet. The problem with passing them in the command line is they are exposed in memory and malware could steal the credentials.

PowerShell.exe -NoLogo -NonInteractive -InputFormat text -OutputFormat text -Command "& {$Password = ConvertTo-SecureString '<removed>' -AsPlainText -Force;$Credential = New-Object System.Management.Automation.PsCredential '<removed>', $Password;Get-WmiObject -NameSpace "ROOT\CIMV2" -Class Win32_PerfRawData_PerfOS_Processor -ComputerName "10.61.2.142" -Credential $Credential -Filter name='''_Total''' | Format-List }"
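As an added example (not code from the original post or from the collector product), here is the file-based variant the post proposes, written as a stand-alone script. The script name, the parameter names, the secret file path and the user name are placeholders chosen for illustration; the target address and the WMI query are the ones in the post. The only thing that then appears on the process command line is the path to the file, not the secret itself.

```powershell
# Added example (not from the original post). Invoked by the agent as, for instance:
#   PowerShell.exe -NoLogo -NonInteractive -File .\Get-ProcessorPerf.ps1 `
#       -UserName '<user>' -PasswordFile 'C:\PLACEHOLDER\agent\tmp\secret.tmp' -ComputerName 10.61.2.142
param(
    [Parameter(Mandatory)] [string] $UserName,
    [Parameter(Mandatory)] [string] $PasswordFile,   # assumption: the agent wrote the secret here
    [Parameter(Mandatory)] [string] $ComputerName
)

# Lock the temp file down to the account running the script before reading it,
# so other local users cannot read it while it exists (assumes the agent has
# not already set a restrictive ACL).
$acl = Get-Acl -Path $PasswordFile
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting folder permissions
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $me, 'FullControl', 'Allow'
$acl.SetAccessRule($rule)
Set-Acl -Path $PasswordFile -AclObject $acl

try {
    # Read the secret and convert it in memory. It is never part of the
    # command line, so Win32_Process.CommandLine only shows the file path.
    $plain  = (Get-Content -Path $PasswordFile -Raw).TrimEnd("`r", "`n")
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $secure

    # Same query as in the post, now with the credential built from the file.
    Get-WmiObject -Namespace 'ROOT\CIMV2' -Class Win32_PerfRawData_PerfOS_Processor `
        -ComputerName $ComputerName -Credential $cred -Filter "name='_Total'" |
        Format-List
}
finally {
    # Delete the temp file as soon as it has been consumed and drop the
    # plaintext copy; the SecureString is disposed when the process exits.
    Remove-Item -Path $PasswordFile -Force -ErrorAction SilentlyContinue
    $plain = $null
}
```

To confirm the change took effect, an administrator can list the running PowerShell processes with `Get-CimInstance Win32_Process -Filter "Name='powershell.exe'" | Select-Object ProcessId, CommandLine` and verify that only `-PasswordFile <path>` appears, not the secret. Note that the file still exists for the lifetime of the script, which is why the ACL and the `finally` cleanup matter: this pattern narrows the window and removes the secret from process listings, it does not make the secret unreadable to an attacker who already has the script's own privileges.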


Do you have SPSE enabled? If that is enabled the collector will stream PowerShell scripts directly to 3 or so always-running PowerShell instances, at least in my testing. That would cause it to not show creds in the command line. It does cause it to write the script as-is to a ps1 file in the agent tmp folder (always does). It also might cause a problem with these long-running PowerShell instances using up RAM though. Something we have run into.

P.S. I personally don't like how the collector writes scripts to files/logs already (with creds/properties baked in). I think it's much easier to get creds from files directly without much effort, less than digging into RAM (which already requires process and/or admin-level permissions in Windows). Then again I'm more sensitive about this since as an MSP, I don't have full control over the collector systems themselves. I try to use Groovy because of this :)

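The reply above points out that the scripts are also persisted to a ps1 file (and to logs) with the credentials baked in. As an added example, not code from either poster or from the collector, here is an audit script a defender can run against that folder to find files that embed a plaintext password in the same `ConvertTo-SecureString '...' -AsPlainText` form shown in the first post. The folder path is a placeholder (the real agent tmp/log location is not given in the thread), and the output reports where a secret was found and how long it is, never the secret itself.

```powershell
# Added example (not from the original thread). Usage:
#   .\Find-EmbeddedSecrets.ps1 -Path 'C:\PLACEHOLDER\agent\tmp'
param(
    [string] $Path = 'C:\PLACEHOLDER\agent\tmp'   # assumption: agent tmp/log folder
)

# Matches a single-quoted literal handed to ConvertTo-SecureString -AsPlainText,
# with or without the explicit -String parameter name. The literal itself is
# captured only so its length can be reported.
$pattern = "ConvertTo-SecureString\s+(?:-String\s+)?'([^']*)'\s+-AsPlainText"

Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.log, *.txt -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        Select-String -Path $file.FullName -Pattern $pattern -AllMatches |
            ForEach-Object {
                $hit = $_
                foreach ($m in $hit.Matches) {
                    [pscustomobject]@{
                        File         = $file.FullName
                        Line         = $hit.LineNumber
                        LastWrite    = $file.LastWriteTime
                        # Redacted on purpose: length is enough to triage a finding.
                        SecretLength = $m.Groups[1].Value.Length
                    }
                }
            }
    } |
    Sort-Object LastWrite -Descending |
    Format-Table -AutoSize
```

Run it on a schedule (or from the monitoring platform itself) and alert on any non-empty result; a finding means a credential is sitting on disk readable to whoever can read that folder, which is the point the reply makes about file access being an easier path than memory inspection. Because the pattern only covers the literal form shown in this thread, extend it if your scripts build credentials differently.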
