Configuration Hardening Assessment PowerShell Script (CHAPS)

CHAPS is a PowerShell script for checking system security settings where additional software and assessment tools, such as Microsoft Policy Analyzer, cannot be installed. The purpose of this script is to run it on a server or workstation to collect configuration information about that system. The information collected can then be used to provide recommendations (and references) to improve the security of the individual system and systemic issues within the organization's Windows environment. Examples of environments where this script is useful include Industrial Control System (ICS) environments where systems cannot be modified. These systems include Engineer / Operator workstations, Human Machine Interface (HMI) systems, and management servers that are deployed in production environments.

This script is NOT intended to be a replacement for Microsoft's Policy Analyzer. The best way to audit a system's configuration is to use the Microsoft Security Compliance Toolkit and Policy Analyzer with a Windows Workstation Security Baseline GPO. The Policy Analyzer's output can be exported to an MS Excel file, but that requires Microsoft Excel to be installed on the system. Copying and pasting the information does work, but might not be an option on a physical system. Also, using the Policy Analyzer requires installing software on the system, which may not be permitted.

This script runs in PowerShell and should be PowerShell-version independent. Some checks may fail depending on the Windows version, system configurations, and whether or not it is run with Administrator privileges. Instances where commands did not run successfully are noted and should be manually investigated where possible.

This script was developed using information from several sources (noted in Useful Resources section) to identify recommended security configurations to reduce the likelihood of a compromised system and to log user events conducted on the system. It pulls heavily from the Securing Windows Workstations baseline outlined by Sean Metcalf.

How To Use

The best way to run this script within an ICS environment is to not write any programs or scripts to the system being reviewed. Do this by serving the scripts from a webserver running on another system on the network. Download CHAPS and PowerSploit into the same directory, open a terminal, and change into that directory. Using Python 3, run the command python3 -m http.server 8181. This starts a webserver listening on all of the system's IP addresses and serves every file under that directory to anyone who can reach it, so keep only the assessment scripts there, add --bind <your-ip> to restrict it to the interface facing the target, and stop it as soon as the scripts have been fetched.

On the target system open a CMD.exe window, preferably as an Administrator. Run the command powershell.exe -exec bypass to start a PowerShell prompt with the execution policy bypassed for that process only. If you started a PowerShell terminal as administrator instead, run Set-ExecutionPolicy Bypass -Scope Process to allow scripts to execute in that session. From this prompt, run the following command to execute the chaps.ps1 script.

IEX (New-Object Net.WebClient).DownloadString('http://<webserver>:8181/chaps/chaps.ps1')

To run the chaps-powersploit.ps1 script, be sure to disable the system's anti-virus, including real-time protection, since the PowerSploit modules it depends on are detected and blocked by most anti-malware products. Running the following commands will import the appropriate PowerSploit scripts and then run the CHAPS wrapper.

IEX (New-Object Net.WebClient).DownloadString('http://<webserver>:8181/PowerSploit/Recon/PowerView.ps1')
IEX (New-Object Net.WebClient).DownloadString('http://<webserver>:8181/PowerSploit/Exfiltration/Get-GPPPassword.ps1')
IEX (New-Object Net.WebClient).DownloadString('http://<webserver>:8181/PowerSploit/Exfiltration/Get-GPPAutologon.ps1')
IEX (New-Object Net.WebClient).DownloadString('http://<webserver>:8181/PowerSploit/Exfiltration/Get-VaultCredential.ps1')
IEX (New-Object Net.WebClient).DownloadString('http://<webserver>:8181/PowerSploit/Privesc/PowerUp.ps1')
IEX (New-Object Net.WebClient).DownloadString('http://<webserver>:8181/chaps/chaps-powersploit.ps1')

Each script's output is written to the user's Temp directory as defined by the $env:temp variable. Copy these files off of the system being reviewed, delete them, and, if it was disabled, re-enable the system's anti-virus. Treat the copied files as sensitive: the chaps-powersploit.ps1 output can include credential material recovered by Get-GPPPassword, Get-GPPAutologon, and Get-VaultCredential.
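The IEX one-liners above execute whatever the webserver returns, over plain HTTP, with no check that it is the file you put there. The following is an added example (not part of CHAPS or PowerSploit) of a small wrapper that fetches a script from the assessor's webserver, verifies its SHA-256 against a hash computed beforehand on the serving machine, and only then hands it back as a script block to be dot-sourced. The function name Get-VerifiedRemoteScript, the address 192.0.2.10, and the placeholder hashes are all assumptions; the real hashes come from Get-FileHash (or sha256sum) on the files in the served directory.

```powershell
# Added example, not part of CHAPS: fetch a script over HTTP, check its SHA-256
# against a hash computed offline, and return it as a script block. Dot-source
# the result so any functions the script defines (e.g. PowerView's) land in the
# caller's scope, exactly as the raw IEX download did.
function Get-VerifiedRemoteScript {
    param(
        [Parameter(Mandatory = $true)][string]$WebServer,      # assumed: IP of the assessor's laptop
        [int]$Port = 8181,                                      # port used by python3 -m http.server
        [Parameter(Mandatory = $true)][string]$ScriptPath,     # e.g. chaps/chaps.ps1
        [Parameter(Mandatory = $true)][string]$ExpectedSha256  # hex digest computed on the serving side
    )
    $url = 'http://{0}:{1}/{2}' -f $WebServer, $Port, $ScriptPath

    # DownloadData returns the raw bytes, so the digest matches Get-FileHash on
    # the serving machine byte for byte (DownloadString would decode text first).
    $bytes = (New-Object Net.WebClient).DownloadData($url)

    $sha256 = [Security.Cryptography.SHA256]::Create()
    try {
        $actual = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $sha256.Dispose()
    }

    # Refuse to run anything whose digest differs from what was recorded beforehand.
    if ($actual -ne $ExpectedSha256.Trim().ToLower()) {
        throw ('Hash mismatch for {0}: expected {1}, got {2}. Not executing.' -f $url, $ExpectedSha256, $actual)
    }

    # StreamReader with BOM detection decodes the bytes and drops a UTF-8 BOM,
    # so it does not survive as a stray character at the start of the script.
    $stream = New-Object IO.MemoryStream -ArgumentList (,$bytes)
    $reader = New-Object IO.StreamReader -ArgumentList $stream, $true
    try {
        $text = $reader.ReadToEnd()
    } finally {
        $reader.Dispose()
    }

    Write-Verbose ('Verified {0} ({1} bytes, sha256 {2})' -f $url, $bytes.Length, $actual)
    return [ScriptBlock]::Create($text)
}

# Usage. Run from the powershell.exe -exec bypass prompt described above.
# The hash values are placeholders: on the serving machine run
#   Get-FileHash .\chaps\chaps.ps1 -Algorithm SHA256
# for each file before the engagement and carry the digests with the
# assessment guide. An edited or substituted file fails the check and is not run.
$srv = '192.0.2.10'   # assumed address of the laptop running python3 -m http.server 8181

. (Get-VerifiedRemoteScript -WebServer $srv -ScriptPath 'PowerSploit/Recon/PowerView.ps1' `
       -ExpectedSha256 '<sha256 of PowerView.ps1>')
. (Get-VerifiedRemoteScript -WebServer $srv -ScriptPath 'chaps/chaps.ps1' `
       -ExpectedSha256 '<sha256 of chaps.ps1>')
```

The function returns a script block rather than calling Invoke-Expression itself because Invoke-Expression inside a function defines things in the function's scope, which is discarded on return; dot-sourcing the returned block at the prompt keeps functions such as those from PowerView available for chaps-powersploit.ps1. The hash check only catches tampering or a wrong file; it does not make the PowerSploit modules any less likely to be flagged by anti-virus, so the note about disabling and re-enabling it still applies.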

Print out and use the CHAPS Assessment Guide to walk through this process with the system administrators or guide your team.

System Configuration Checks

System Info Command

System Information

CHAPS PowerSploit Security Checks

The PowerSploit project (dev branch) can be used to gather additional information about the system, and the chaps-powersploit.ps1 script has been developed to gather this information. Most anti-malware programs will prevent, block, and alert on the use of PowerSploit. Therefore, either the anti-malware must be disabled or the chaps-powersploit.ps1 script should not be used. NOTE: anti-malware programs should be re-enabled immediately upon verification that the script ran correctly.

chaps-powersploit.ps1 TODO:

Here is a list of things that aren't working, need to be addressed, or are possible feature requests.

Secure Baseline Checks - Securing Windows Workstations

CHAPS TODO:

Here is a list of things that aren't working, need to be addressed, or are possible feature requests.

Useful Resources:

Collaborators

I would like to thank those individuals who have helped troubleshoot and add features to this project.