CHAPS is a PowerShell script for checking system security settings where additional software and assessment tools, such as Microsoft Policy Analyzer, cannot be installed.
The purpose of this script is to run it on a server or workstation to collect configuration information about that system. The information collected can then be used to provide recommendations (and references) to improve the security of the individual system and systemic issues within the organization’s Windows environment.
Examples of environments where this script is useful include Industrial Control System (ICS) environments where systems cannot be modified. These systems include Engineer / Operator workstations, Human Machine Interface (HMI) systems, and management servers that are deployed in production environments.
The Policy Analyzer’s output can be exported to an MS Excel file, but this requires that Microsoft Excel is installed on the system. Cutting and pasting this information does work, but might not be an option on a physical system. Also, using the Policy Analyzer requires installation of the Windows software, which may not be permitted.
This script runs in PowerShell and should be PowerShell-version independent. Some checks may fail depending on the Windows version, system configurations, and whether or not it is run with Administrator privileges. Instances where commands did not run successfully are noted and should be manually investigated where possible.
This script was developed using information from several sources (noted in Useful Resources section) to identify recommended security configurations to reduce the likelihood of a compromised system and to log user events conducted on the system. It pulls heavily from the Securing Windows Workstations baseline outlined by Sean Metcalf.
The best way to run this script within an ICS environment is to not write any programs or scripts to the system being reviewed. Do this by serving these scripts from a webserver running on another system on the network.
Download CHAPS and PowerSploit into the same directory, open a terminal, and change into that directory. Using Python 3, run the command ‘python3 -m http.server 8181’. This will start a webserver listening on all of the system’s IP addresses.
On the target system open a CMD.exe window, preferably as an Administrator. Run the command powershell.exe -exec bypass to begin a PowerShell prompt. From this prompt, run the following command to execute the chaps.ps1 script.
To run the chaps-powersploit.ps1 script, be sure to turn off the system’s anti-virus, including real-time protection. Running the following commands will import the appropriate PowerSploit scripts and then run them.
Each script’s outputs will be written to the user’s Temp directory as defined by the $env:temp variable. Copy these files off of the system being reviewed, delete them, and, if necessary, restart the system’s anti-virus.
This check determines if the user running the script has administrator rights. Some checks may not work without admin rights. Most of the checks will work, unless some security controls or configurations prevent it.
The script contains an error suppression line that is commented out; uncomment it to suppress all errors. “-ErrorAction SilentlyContinue” has also been used on some of the commands within the script so that a single failing check does not stop the run.
System information
System Version
User and Path Information
System IPv4 addresses.
System IPv6 addresses.
Windows AutoUpdate configuration.
Check for missing Critical and Important Updates
Check for BitLocker Disk Encryption
Check AlwaysInstallElevated Registry Keys
PowerShell Event Log Settings
Determine if PowerShell Commandline Auditing is Enabled.
Determine if PowerShell Module Logging is Enabled.
Determine if PowerShell Script Block and Invocation Logging is Enabled.
Determine if PowerShell Invocation Header Logging is Enabled.
Determine if PowerShell Protected Event Logging is Enabled.
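As an added example (not CHAPS’s own code), the PowerShell logging checks above can be driven from a table of Group Policy registry values; the paths and value names are the standard policy locations for these settings, and a value that cannot be read is reported for manual follow-up rather than treated as enabled.

```powershell
# Added example, not part of chaps.ps1: table-driven PowerShell logging checks.
# Each entry names the policy registry value and the setting that means "enabled".
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$LoggingChecks = @(
    @{ Name = 'Process creation command-line auditing'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       ValueName = 'ProcessCreationIncludeCmdLine_Enabled'; Expected = 1 },
    @{ Name = 'PowerShell Module Logging'
       Path = "$PolicyRoot\PowerShell\ModuleLogging"
       ValueName = 'EnableModuleLogging'; Expected = 1 },
    @{ Name = 'PowerShell Script Block Logging'
       Path = "$PolicyRoot\PowerShell\ScriptBlockLogging"
       ValueName = 'EnableScriptBlockLogging'; Expected = 1 },
    @{ Name = 'PowerShell Script Block Invocation Logging'
       Path = "$PolicyRoot\PowerShell\ScriptBlockLogging"
       ValueName = 'EnableScriptBlockInvocationLogging'; Expected = 1 },
    @{ Name = 'PowerShell Transcription'
       Path = "$PolicyRoot\PowerShell\Transcription"
       ValueName = 'EnableTranscripting'; Expected = 1 },
    @{ Name = 'PowerShell Invocation Header Logging'
       Path = "$PolicyRoot\PowerShell\Transcription"
       ValueName = 'EnableInvocationHeader'; Expected = 1 },
    @{ Name = 'Protected Event Logging'
       Path = "$PolicyRoot\EventLog\ProtectedEventLogging"
       ValueName = 'EnableProtectedEventLogging'; Expected = 1 }
)

function Test-LoggingPolicy {
    param([hashtable]$Check)
    try {
        # -ErrorAction Stop turns a missing key or value into a catchable error
        $item  = Get-ItemProperty -Path $Check.Path -Name $Check.ValueName -ErrorAction Stop
        $value = $item.($Check.ValueName)
        $status = if ($value -eq $Check.Expected) { 'Enabled' } else { 'Disabled' }
    } catch {
        $value  = $null
        $status = 'Not Set / Error'   # policy never applied or not readable: investigate manually
    }
    [pscustomobject]@{ Check = $Check.Name; Value = $value; Status = $status }
}

$LoggingChecks | ForEach-Object { Test-LoggingPolicy -Check $_ } | Format-Table -AutoSize
```

Run it from an elevated prompt where possible; the HKLM policy keys are readable by standard users on most builds, but the "Not Set / Error" rows are the ones to confirm by hand.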
Windows Event Log Configurations
Check the maximum log file settings for critical logs:
Determine the installed versions of .NET to see whether they support PowerShell version 2.
Determine if PowerShell Language Mode is “ConstrainedLanguage”.
Cached Credentials
Check how many Cached Credentials the system is configured to maintain.
Remote Access Configurations
Determine if RDP is configured to permit remote connections.
Check the setting of AllowRemoteRPC.
Check the setting of fDenyTSConnections.
Understand WinRM configuration.
Test if the WinRM Service is running using two different methods.
Check the Windows Firewall configuration to see if the rules to permit WinRM are enabled.
Local Administrator Accounts
Determine if more than one user is a member of the Local Administrator group.
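An added example, not part of the CHAPS script, that implements the remote access and local administrator checks above in one pass. It assumes Get-NetFirewallRule and Get-LocalGroupMember are available (Windows 8 / 2012 and PowerShell 5.1 or later) and falls back to net.exe for group membership on older hosts.

```powershell
# Added example, not CHAPS's own code: RDP, WinRM and Local Administrators checks.
# Registry reads use -ErrorAction SilentlyContinue so an unreadable value shows
# as "not set" instead of aborting the run.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue

# fDenyTSConnections = 1 means incoming RDP connections are refused
$rdpStatus = if ($ts.fDenyTSConnections -eq 1) { 'RDP disabled' }
             elseif ($ts.fDenyTSConnections -eq 0) { 'RDP enabled: verify NLA and firewall scope' }
             else { 'fDenyTSConnections not set or unreadable' }

# AllowRemoteRPC = 1 lets remote hosts query and control Terminal Server sessions over RPC
$rpcStatus = if ($ts.AllowRemoteRPC -eq 1) { 'AllowRemoteRPC enabled' } else { 'AllowRemoteRPC disabled or not set' }

# WinRM: service state plus a listener test (Test-WSMan errors when no listener answers)
$winrmService  = (Get-Service -Name WinRM -ErrorAction SilentlyContinue).Status
$winrmListener = if (Test-WSMan -ErrorAction SilentlyContinue) { 'Responding' } else { 'Not responding' }

# Enabled inbound firewall rules in the built-in WinRM rule group
$winrmRules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object -ExpandProperty DisplayName

# Local Administrators (well-known SID S-1-5-32-544 avoids localized group names);
# fall back to parsing net.exe output where Get-LocalGroupMember does not exist.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name
if (-not $admins) {
    $admins = (net localgroup Administrators) |
        Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' }
}

[pscustomobject]@{
    RDP               = $rdpStatus
    AllowRemoteRPC    = $rpcStatus
    WinRMService      = $winrmService
    WinRMListener     = $winrmListener
    WinRMInboundRules = ($winrmRules -join ', ')
    LocalAdmins       = ($admins -join ', ')
    MultipleAdmins    = (@($admins).Count -gt 1)
} | Format-List
```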
PowerSploit Security Checks
The PowerSploit project (dev branch) can be used to gather additional information about the system. The chaps-powersploit.ps1 script has been developed to gather this information. Of course, most anti-malware programs will prevent, protect, and alert on the use of PowerSploit. Therefore, either the anti-malware should be disabled or the chaps-powersploit.ps1 script should not be used. NOTE: anti-malware programs should be re-enabled immediately upon verification that the script ran correctly.
chaps-powersploit.ps1 TODO:
Here is a list of things that aren’t working, need to be addressed, or are possible feature requests.
Needs to be tested in a Domain environment.
Handle errors gracefully.
Identify new cmdlets to run, such as Find-InterestingFiles with a list of specific files related to ICS project files.
Secure Baseline Checks – Securing Windows Workstations
Check AppLocker
Determine if AppLocker is configured to monitor scripts, at a minimum.
Check EMET
If the Windows version is older than Windows 10, check that the EMET service is running.
Deploy LAPS
Determine if LAPS is installed. NOTE: not checking if it is configured or used.
Force Group Policy to reapply settings during “refresh”
Determine how NoGPOListChanges is configured to see if GPOs are applied every time they are checked.