Mosh
Professor
5 years ago

Prevent credentials from being exposed

At the moment, when a collector executes a PowerShell script, the command line of the PowerShell process will expose credentials (the <removed> parts in the example below).

The better way to do this would be to save the strings to temporary files (this would be done by the collector agent), and the PowerShell scripts should read the content from the files and pass them as arguments to the script cmdlet. The problem with passing them in the command line is they are exposed in memory and malware could steal the credentials.

PowerShell.exe -NoLogo -NonInteractive -InputFormat text -OutputFormat text -Command "& {$Password = ConvertTo-SecureString '<removed>' -AsPlainText -Force;$Credential = New-Object System.Management.Automation.PsCredential '<removed>', $Password;Get-WmiObject -NameSpace "ROOT\CIMV2" -Class Win32_PerfRawData_PerfOS_Processor -ComputerName "10.61.2.142" -Credential $Credential -Filter name='''_Total''' | Format-List }"
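The mitigation proposed in this post, as an added example written for this thread and not code from the original post or from the collector product: the collector-side function writes the secret to a file whose ACL is cut down to the collector's own account, and the script-side function receives only the file path, reads the secret, deletes the file and builds the same PSCredential for the same Get-WmiObject query. The function names, the service account and the secret value are placeholders; the host address and the WMI query are the ones from the command line above. Written for Windows PowerShell 5.x.

```powershell
# Added example: keep the password off the PowerShell command line by handing the
# script a path to a tightly ACL'd one-shot file instead of the secret itself.
# Placeholders: New-ProtectedSecretFile, Get-TotalProcessorCounters, the account
# name and the secret value below. Host and query are from the thread.

function New-ProtectedSecretFile {
    # Collector-side step: create the temp file, restrict it to the current
    # account, and only then write the secret, so the content never sits under
    # the folder's inherited (looser) ACL.
    param([Parameter(Mandatory)] [string] $Secret)

    $path = Join-Path $env:TEMP ("collector-" + [guid]::NewGuid().ToString("N") + ".secret")
    $null = New-Item -Path $path -ItemType File -Force

    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)    # stop inheriting, drop inherited ACEs
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
    Set-Acl -Path $path -AclObject $acl

    # UTF-8 without BOM so the script gets the secret back byte-for-byte.
    [System.IO.File]::WriteAllText($path, $Secret, (New-Object System.Text.UTF8Encoding $false))
    return $path
}

function Get-TotalProcessorCounters {
    # Script-side step: this is what the collector would launch with
    #   powershell.exe -NoLogo -NonInteractive -File <script> -UserName ... -SecretFile <path> -ComputerName ...
    # so the child process's command line carries a path, not a password.
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $SecretFile,
        [Parameter(Mandatory)] [string] $ComputerName
    )

    try {
        $plain = [System.IO.File]::ReadAllText($SecretFile)
    } finally {
        # One-shot file: remove it as soon as it has been read, even if reading failed.
        Remove-Item -LiteralPath $SecretFile -Force -ErrorAction SilentlyContinue
    }

    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $plain  = $null    # drop our plain-text copy; only the SecureString goes on

    $cred = New-Object System.Management.Automation.PSCredential($UserName, $secure)
    Get-WmiObject -Namespace 'ROOT\CIMV2' -Class Win32_PerfRawData_PerfOS_Processor `
        -ComputerName $ComputerName -Credential $cred -Filter "name='_Total'"
}

# Usage, in-process for illustration (placeholder account and secret):
$secretFromVault = 'PLACEHOLDER-SECRET'      # in practice obtained from the collector's credential store
$file = New-ProtectedSecretFile -Secret $secretFromVault
Get-TotalProcessorCounters -UserName 'PLACEHOLDER\svc-collector' -SecretFile $file -ComputerName '10.61.2.142' |
    Format-List
```

The file is readable only by the account that created it and is deleted on first read, which narrows the window the reply below raises (secrets resting on disk). Reading the secret from the child's standard input instead of a file avoids the disk entirely and is the variant to prefer where the collector can pipe into the process it spawns.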

  • Do you have SPSE enabled? If that is enabled, the collector will stream powershell scripts directly to 3 or so always running powershell instances, at least in my testing. That would cause it to not show creds in commandline. It does cause it to write the script as-is to a ps1 file in the agent tmp folder (always does). It also might cause a problem with these long running powershell instances using up ram though. Something we have run into.

    P.S. I personally don't like how the collector writes scripts to files/logs already (with creds/properties baked in). I think it's much easier to get creds from files directly without much effort, less than digging into ram (which already requires process and/or admin-level permissions in windows). Then again I'm more sensitive about this since as an MSP, I don't have full control over the collector systems themselves. I try to use groovy because of this :)
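An audit check for both exposure paths discussed in this thread (credentials on a PowerShell command line, and credentials baked into .ps1 files left in a tmp folder), as an added example that is not code from either post or from the collector product. The function name and the default folder are placeholders; the pattern is the `ConvertTo-SecureString '...' -AsPlainText` shape seen in the command line at the top of the thread. It reports where a match was found without echoing the matched secret.

```powershell
# Added example: find plaintext secrets handed to ConvertTo-SecureString, in
# running PowerShell command lines and in script files on disk.
# Placeholders: Find-ExposedScriptSecrets and the default $ScriptFolder.

function Find-ExposedScriptSecrets {
    param([string] $ScriptFolder = (Join-Path $env:TEMP 'collector-agent'))   # placeholder path

    # Literal quoted string followed by -AsPlainText, as in the thread's command line.
    $pattern = 'ConvertTo-SecureString\s+(-String\s+)?[''"][^''"]+[''"]\s+-AsPlainText'
    $hits = New-Object System.Collections.Generic.List[object]

    # 1. Running processes: Win32_Process exposes the full command line to any
    #    account allowed to query it, which is the concern raised in the thread.
    Get-CimInstance -ClassName Win32_Process -Filter "Name LIKE 'powershell%' OR Name LIKE 'pwsh%'" |
        ForEach-Object {
            if ($_.CommandLine -and $_.CommandLine -match $pattern) {
                $hits.Add([pscustomobject]@{
                    Source   = 'process'
                    Location = "PID $($_.ProcessId) ($($_.Name))"
                    Finding  = 'plaintext secret in ConvertTo-SecureString call on command line'
                })
            }
        }

    # 2. Scripts written to disk with the credential included.
    if (Test-Path -LiteralPath $ScriptFolder) {
        Get-ChildItem -LiteralPath $ScriptFolder -Filter *.ps1 -Recurse -File |
            Select-String -Pattern $pattern |
            ForEach-Object {
                $hits.Add([pscustomobject]@{
                    Source   = 'file'
                    Location = "$($_.Path):$($_.LineNumber)"
                    Finding  = 'plaintext secret in ConvertTo-SecureString call in script file'
                })
            }
    }

    return $hits
}

Find-ExposedScriptSecrets | Format-Table -AutoSize
```

Run it under the collector's service account on the collector host; an empty result after switching to file- or stdin-based secret passing confirms the command lines no longer carry credentials, while file hits show the on-disk copies the reply above is concerned about.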