CHAPS is a PowerShell script for checking system security settings where additional software and assessment tools, such as Microsoft Policy Analyzer, cannot be installed.
The purpose of this script is to run it on a server or workstation to collect configuration information about that system. The information collected can then be used to provide recommendations (and references) to improve the security of the individual system and systemic issues within the organization’s Windows environment.
Examples of environments where this script is useful include Industrial Control System (ICS) environments where systems cannot be modified. These systems include Engineer / Operator workstations, Human Machine Interface (HMI) systems, and management servers that are deployed in production environments.
This script is NOT intended to be a replacement for Microsoft’s Policy Analyzer. The best way to audit a system’s configuration is to use the Microsoft Security Compliance Toolkit and Policy Analyzer with a Windows Workstation Security Baseline GPO.
The Policy Analyzer’s output can be exported an MS Excel file, but it requires the Microsoft Excel is installed on the system. Cut and pasting this information does work, but might not be an option on a physical system. Also, using the Policy Analyzer requires installation of the Windows software, which may not be permitted.
This script runs in PowerShell and should be PowerShell-version independent. Some checks may fail depending on the Windows version, system configurations, and whether or not it is run with Administrator privileges. Instances where commands did not run successfully are noted and should be manually investigated where possible.
This script was developed using information from several sources (noted in Useful Resources section) to identify recommended security configurations to reduce the likelihood of a compromised system and to log user events conducted on the system. It pulls heavily from the Securing Windows Workstations baseline outlined by Sean Metcalf.
Also Read – Stowaway : Multi-hop Proxy Tool For Pentesters
How To Use?
The best way to run this script within an ICS environment is to not write any programs or scripts to the system being reviewed. Do this by serving these scripts from a webserver running on another system on the network.
Download CHAPS and PowerSploit into the same directory and open a terminal and change into that directory. Using Python3 run the command ‘python3 -m http.server 8181’. This will start a webserver listening on all of the systems IP addresses.
On the target system open a CMD.exe window, preferably as an Administrator. Run the command powershell.exe -exec bypass
to being a PowerShell prompt. From this prompt, run the following command to execute the chaps.ps1
script.
IEX (New-Object Net.WebClient).DownloadString(‘http://:8181/chaps/chaps.ps1′)
To run the chaps-powershell.ps1
script be sure to turn off the system’s Anti-virus to include real-time protection. Running the following commands will import the appropriate PowerSploit scripts and then run them.
IEX (New-Object Net.WebClient).DownloadString(‘http://:8181/PowerSploit/Recon/PowerView.ps1′)
IEX (New-Object Net.WebClient).DownloadString(‘http://:8181/PowerSploit/Exfiltration/Get-GPPPassword.ps1′)
(New-Object Net.WebClient).DownloadString(‘http://:8181/PowerSploit/Exfiltration/Get-GPPAutologon.ps1′)
IEX (New-Object Net.WebClient).DownloadString(‘http://:8181/PowerSploit/Exfiltration/Get-VaultCredential.ps1′)
IEX (New-Object Net.WebClient).DownloadString(‘http://:8181/PowerSploit/Privesc/PowerUp.ps1′)
IEX (New-Object Net.WebClient).DownloadString(‘http://:8181/chaps/chaps-powersploit.ps1′)
Each script’s outputs will be written to the user’s Temp directory as defined by the $env:temp variable. Copy these files off of the system being reviewed, delete them, and, if necessary, restart the system’s anti-virus.
System Configuration Checks
System Info Command
System Information
PowerSploit Security Checks
The PowerSploit project (dev branch) can be used to gather additional information about the system. The chaps-powersploit.ps1
script has been developed to gather this information. Of course, most
anti-malware programs will prevent, protect, and alert on the use of
PowerSploit. Therefore, the anti-malware should be disabled or the
chaps-powersploit.ps1 script should not be used, NOTE: anti-malware programs should be re-enabled immediately upon verification that the script ran correctly.
chaps-powersploit.ps1 TODO:
Here are a list of things that aren’t working, need to be addressed, or are possible function requests.
Find-InterestingFiles
with a list of specific files related to ICS project files.Secure Baseline Checks – Securing Windows Workstations
TODO?
Here are a list of things that aren’t working, need to be addressed, or are possible function requests.
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…