Cybercriminals have exploited weaknesses in the Windows PowerShell scripting utility for decades. But cyber intelligence agencies in the US, UK and New Zealand say disabling it is not the solution.
Instead, they say in a recently published report, proper configuration and monitoring will reduce the likelihood of malicious actors using it undetected after gaining access to a victim’s network.
“Blocking PowerShell hampers the defensive capabilities that current versions of PowerShell can provide,” the advisory reads, “and prevents components of the Windows operating system from functioning properly. Recent versions of PowerShell with enhanced capabilities and options can help defenders counter PowerShell abuse.”
Windows administrators should install PowerShell 7.2 first if they haven’t already. On Windows 10 and later, with proper configuration, version 7.2 can fully integrate with and access all components created for version 5.1 (shipped in earlier versions of Windows 10 and 11), allowing continued use of existing scripts, modules and commands.
The report urges administrators to take advantage of these PowerShell features:
- If remote access is allowed, use Windows Remote Management (WinRM). It uses Kerberos or New Technology LAN Manager (NTLM) as default authentication protocols. These authentication protocols do not send actual credentials to remote hosts, thus avoiding direct credential exposure and the risk of theft through leaked credentials.
PowerShell 7 allows remote connections via Secure Shell (SSH) in addition to supporting WinRM connections. This enables public key authentication and makes remote management of machines via PowerShell convenient and secure, the report adds. The new SSH remote communication features in PowerShell can establish remote connections without requiring the use of Hypertext Transfer Protocol Secure (HTTPS) with Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.
Windows Firewall rules on endpoints must be configured appropriately to control which connections are allowed. Enabling PowerShell remoting on private networks introduces a Windows Firewall rule that accepts all connections. Authorization requirements and Windows Firewall rules can be customized to limit connections to trusted endpoints and networks only, reducing opportunities for lateral movement.
- Enable the Antimalware Scan Interface (AMSI), which allows in-memory and dynamic file contents to be scanned by an approved anti-virus product such as Windows Defender, McAfee (now Trellix), or Symantec.
- Configure AppLocker or Windows Defender Application Control (WDAC) to block actions on a Windows host. This causes PowerShell to operate in Constrained Language Mode (CLM), limiting PowerShell operations unless they are permitted by admin-defined policies.
The report also notes that PowerShell activity logging can record when cyber threats exploit PowerShell, and continuous monitoring of PowerShell logs can detect and alert to potential abuse. Unfortunately, the “Deep Script Block Logging”, “Module Logging” and “Over-the-Shoulder transcription” features are disabled by default. The report recommends enabling them when possible.
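As an added example (not code from the advisory or the article), the following PowerShell enables the three logging features named above through the policy registry values that the corresponding Group Policy settings write, reads the state back, and pulls recent script block events for monitoring. The transcript directory is a placeholder; run it in an elevated Windows PowerShell 5.1 session.

```powershell
# Added example: enable Deep Script Block Logging, Module Logging and
# Over-the-Shoulder transcription via the Windows PowerShell policy keys.
$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'   # placeholder: use a protected, append-only location

function Enable-PowerShellAuditLogging {
    # Deep Script Block Logging: de-obfuscated script content (event ID 4104)
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

    # Module Logging for all modules: pipeline execution details (event ID 4103)
    $mod = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $mod 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $mod -Name 'EnableModuleLogging' -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $mod 'ModuleNames') -Name '*' -Value '*' -Type String

    # Over-the-Shoulder transcription: full session text written to files
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name 'EnableTranscripting' -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name 'EnableInvocationHeader' -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name 'OutputDirectory' -Value $TranscriptDir -Type String
}

function Test-PowerShellAuditLogging {
    # Read the values back so the state can be checked on any host (missing key => $false)
    [pscustomobject]@{
        ScriptBlockLogging = (Get-ItemProperty "$PolicyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        ModuleLogging      = (Get-ItemProperty "$PolicyRoot\ModuleLogging"      -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1
        Transcription      = (Get-ItemProperty "$PolicyRoot\Transcription"      -ErrorAction SilentlyContinue).EnableTranscripting -eq 1
    }
}

Enable-PowerShellAuditLogging
Test-PowerShellAuditLogging

# Script block events (ID 4104) are the feed continuous monitoring should consume;
# Properties[2] holds the logged script text.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5 |
    Select-Object TimeCreated, @{ n = 'ScriptText'; e = { $_.Properties[2].Value } }
```

PowerShell 7 reads its own policy key (HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore) and must either be configured there as well or be set to use the Windows PowerShell policy values.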
There are many other sources of information on securing PowerShell, including advice from the Center for Internet Security and from Microsoft.
The original article is available at IT World Canada, a sister publication of Direction informatique.
French adaptation and translation by Renaud Larue-Langlois