New Poshsec Functions!

Well, it’s been almost a month since the PoshSec Framework was announced, and I’ve been working on integrating some ideas into it.  I’ve finally got something up which I’m pretty happy with.

It’s an IIS log monitor in PowerShell.

The monitor function itself runs within the PoshSec Framework, leveraging the built-in alerts.  When you execute Start-SecIISMonitor you can specify an IP address and a filter to isolate which HTTP events you want alerts on.  Here’s a simple example where I am isolating a hit on any .PNG files (I’d do something more interesting if my test IIS server had anything beyond the Microsoft default page on it).


The tab at the bottom showing “Active Scripts(1)” shows that the monitor is still running.  It has a configurable polling frequency so that it periodically checks the latest records of the log file for anything new that matches the given parameters.

At this point it just generates alerts, but future iterations on this can add functions that automatically adjust firewall settings due to certain traffic patterns.  For example, one idea I had was to create a fake page, like a honeypot.  The IIS monitor function can detect any hits to that page, then blacklist the visiting IP address.

Behind the monitoring function, there is another function which can also be utilized in new ways.  The Get-SecIISLog function parses an IIS log file and outputs objects whose properties are the fields of each HTTP record.  Each piece of the record is separately addressable in PowerShell, so a forensic investigation could isolate particular IP addresses, URLs, user agent strings, or any combination of attributes.  And since it outputs to the pipeline, those investigations can have the output formatted and sorted for a final report.
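To make the parsing and polling concrete, here is an added example of the same idea. It is not PoshSec’s own Get-SecIISLog or Start-SecIISMonitor code; the function names, the constructed sample log, and the temporary file path are all mine. It reads W3C extended format (the default IIS log format), names the properties from the log’s own #Fields: directive, returns only records added since the previous poll, and applies the two filters discussed in this post: hits on .png files, and hits on a honeypot page whose visitors are blacklist candidates.

```powershell
# Added example, not PoshSec's own Get-SecIISLog / Start-SecIISMonitor code.
# Parses IIS W3C extended log lines into objects, polls a file for new records,
# and applies the kind of filters the post describes.

function ConvertFrom-IISW3CLog {
    # One PSCustomObject per request; property names come from the '#Fields:'
    # directive that IIS writes at the top of each log file.
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin { $fields = $null }
    process {
        if ($Line -match '^#Fields:\s*(.+)$') {
            # cs(User-Agent) is an awkward property name; turn it into cs-User-Agent
            $fields = ($Matches[1].Trim() -split '\s+') | ForEach-Object { $_ -replace '\((.+)\)', '-$1' }
            return
        }
        if ($Line -like '#*' -or [string]::IsNullOrWhiteSpace($Line)) { return }   # other directives, blanks
        if (-not $fields) { Write-Warning "Record seen before any #Fields directive, skipped: $Line"; return }
        $values = $Line -split ' '   # IIS encodes spaces inside a field as '+', so a plain split is safe
        if ($values.Count -ne $fields.Count) { Write-Warning "Malformed record skipped: $Line"; return }
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        [pscustomobject]$record
    }
}

function Get-NewIISRecords {
    # Poll a log file and return only the records added since the previous call.
    # $State is a hashtable the caller keeps between polls (path -> line count already seen).
    param([string]$Path, [hashtable]$State)
    $lines = @(Get-Content -Path $Path)
    $seen  = if ($State.ContainsKey($Path)) { $State[$Path] } else { 0 }
    if ($lines.Count -lt $seen) { $seen = 0 }   # file was rolled over or truncated; start again
    $header = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -Last 1
    $State[$Path] = $lines.Count
    (@($header) + @($lines | Select-Object -Skip $seen)) | ConvertFrom-IISW3CLog
}

# Constructed sample log (a typical IIS field selection; the requests are made up).
$sampleLog = @'
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2013-11-05 14:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-11-05 14:02:11 10.0.0.5 GET /iisstart.htm - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15
2013-11-05 14:02:12 10.0.0.5 GET /iis-85.png - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 3
2013-11-05 14:02:40 10.0.0.5 GET /admin/secret-login.html - 80 - 198.51.100.7 curl/7.30.0 404 0 2 1
'@

$logPath = Join-Path ([IO.Path]::GetTempPath()) 'u_ex131105.log'   # hypothetical path for the demo
Set-Content -Path $logPath -Value $sampleLog
$state = @{}

# First poll sees everything; the ".png hit" filter from the post matches one record.
$records = Get-NewIISRecords -Path $logPath -State $state
$records | Where-Object { $_.'cs-uri-stem' -like '*.png' } |
    Format-Table date, time, 'c-ip', 'cs-uri-stem', 'sc-status' -AutoSize

# Honeypot idea: a page nothing links to, so any hit is an alert and the
# client IP is a blacklist candidate.
$honeypot = '/admin/secret-login.html'
$records | Where-Object { $_.'cs-uri-stem' -eq $honeypot } | ForEach-Object {
    Write-Warning ("Honeypot hit from {0} ({1}), status {2}" -f $_.'c-ip', $_.'cs-User-Agent', $_.'sc-status')
}

# Simulate the next polling interval: one request is appended, and only it comes back.
Add-Content -Path $logPath -Value '2013-11-05 14:05:02 10.0.0.5 GET /admin/secret-login.html - 80 - 203.0.113.9 python-requests/2.0 404 0 2 1'
$new = Get-NewIISRecords -Path $logPath -State $state
"$($new.Count) new record(s); client IP(s): $($new.'c-ip' -join ', ')"
Remove-Item $logPath
```

Two things worth keeping in mind before wiring the honeypot output straight into a firewall blacklist: c-ip is often a NAT gateway or proxy shared by many users, and anyone can make a third party’s browser request the honeypot URL (an image tag on another site is enough), so an automatic block should be time-limited, skip your own address ranges, and be reviewed rather than permanent.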

I’m glad to be a part of this project, and look forward to what we can achieve with it.


Major Poshsec update.

I haven’t had the time to post for quite a while now (just moved into a new house), but I’ve finally got both the time and a fantastic reason to post.

The Poshsec project that I have mentioned before just got a major facelift thanks to Ben0xA. By integrating some ideas he was working on with the goals of Poshsec, we now have the Poshsec Framework.

The Poshsec Framework is a customizable GUI tool which can be equipped with any desired PowerShell scripts or modules. This extensibility makes it a very powerful tool, and though it’s designed as a defensive monitoring platform, it can easily be adapted into a pen-testing platform or administration center.

I’m excited by the endless possibilities afforded by this structure. I’ll be contributing to it as much as possible, and I’ve already got a few ideas to work on implementing.

The first M – Monitoring

Last post I introduced the three M’s of defense.

I’m going to admit up front that the first one, monitoring, isn’t the most fun, but it is vital.

There is an endless stream of data that flows in and out of every system, and the majority of that information is meaningless to anyone but the computer itself.  Trying to sift the relevant data out of the various system and application log files is like trying to find the proverbial needle in a haystack.

So you’ve got to automate across multiple layers.

The first layer to monitor is the firewall. Here we can set up scripts to detect port scanning attempts, block IP addresses that shouldn’t be accessing your network, and monitor outgoing data for unusual behavior.  A well-configured firewall will protect you from a lot of random attacks, but it can help you even more if it is sending out alerts when something is amiss.

Past the firewall is the IDS or IPS (Intrusion Detection/Prevention System).  These can be hardware appliances or implemented in software (but in too many environments they are not present at all).  The IDS/IPS continuously inspects network traffic for anything out of the ordinary.  There are different types: anomaly-based systems flag behavior that deviates from a baseline, while signature-based systems compare network packets against a database of known-bad patterns.

Then we get down to the systems themselves.  The operating system logs, web server logs, and others should all be automatically checked and send out alerts to administrators when something looks wrong.

This all takes a lot of up front work, but the rewards are great.

There are off the shelf products that can be purchased to do all of this, or you can customize your own solution.

I hope to add some of this functionality to the Poshsec project down the line.

Back to blogging

Well, it’s been a while since I’ve had a chance to post anything, so I’m going to kick start myself, and try to do the whole “post once a day in November” thing. (I’m not going to use a ridiculous acronym that sounds vaguely like a Brooklyn neighborhood)

For this post, I’ve got a few things to mention.

Firstly, if anyone reading this is interested in learning/trying some basic web security and penetration testing, there is a new site up at overthewire.org. I’ve taken a quick look at it, and the first few levels are simple enough for anybody to get started. I try to write for the layperson, emphasizing why information security matters to everybody and making it accessible. The Natas game is well suited for that same audience.

The second note is that I’ve teamed up with a pair of other security-minded individuals (@mjwcomputing and @pen_test) to contribute to their Poshsec project. The aim is to develop a suite of PowerShell modules that can facilitate securing, testing, and forensics in a Windows environment. I am excited to use this opportunity to advance my knowledge of PowerShell and improve my security experience. I’ll be posting updates on the project here as we move forward.