Cybercriminals have been exploiting the weaknesses of the Windows PowerShell scripting utility for decades. But cyber intelligence agencies in the US, UK and New Zealand say disabling it isn’t the solution.
Instead, they say in a recently released report, proper setup and monitoring will reduce the likelihood of malicious actors using it undetected after gaining access to a victim’s network.
“Blocking PowerShell hampers the defensive capabilities that current versions of PowerShell can provide,” the warning reads, “and prevents Windows operating system components from functioning properly. Recent versions of PowerShell with improved features and options can help defenders to counter PowerShell abuses.”
Windows administrators need to install PowerShell 7.2 first, if they haven’t already. On Windows 10 and later, with proper configuration, version 7.2 can fully integrate with and access all components built for version 5.1 (shipped with previous versions of Windows 10 and 11), allowing continued use of existing scripts, modules and commands.
The report urges administrators to take advantage of these PowerShell features:
- If remote access is allowed, use Windows Remote Management (WinRM). It uses Kerberos or New Technology LAN Manager (NTLM) as its default authentication protocols. These protocols do not send the actual credentials to remote hosts, thus avoiding direct exposure of credentials and the risk of theft through leaked credentials.
PowerShell 7 allows remote connections via Secure Shell (SSH) in addition to supporting WinRM connections. This enables public key authentication and makes remote management of machines via PowerShell convenient and secure, the report adds. The new SSH remoting features in PowerShell can establish remote connections without requiring the use of Hypertext Transfer Protocol Secure (HTTPS) with Secure Sockets Layer / Transport Layer Security (SSL / TLS) certificates.
Windows Firewall rules on endpoints must be configured appropriately to control which connections are allowed. Enabling PowerShell remoting on private networks introduces a Windows Firewall rule that accepts all connections. Windows Firewall authorization requirements and rules can be customized to restrict connections to trusted endpoints and networks only, reducing opportunities for lateral movement.
- Enable the Antimalware Scan Interface (AMSI), which allows in-memory and dynamic file contents to be scanned by an approved antivirus product such as Windows Defender, McAfee (now Trellix) or Symantec.
- Configure AppLocker or Windows Defender Application Control (WDAC) to block actions on a Windows host. This causes PowerShell to run in Constrained Language Mode (CLM), limiting PowerShell operations unless they are allowed by administrator-defined policies.
The report also notes that PowerShell activity logging can record when cyber threats take advantage of PowerShell, and that continuous monitoring of PowerShell logs can detect and report potential abuse. Unfortunately, the Deep Script Block Logging, Module Logging and Over-the-Shoulder Transcription features are disabled by default. The report recommends enabling them whenever possible.
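The following script is an added example, not code from the advisory or the article. It enables the three logging features just named by writing the same registry values that the corresponding Group Policy settings write (in a domain, Group Policy is the preferred way to apply them), reads them back for a compliance check, and then queries the resulting script block events. The transcript directory is an assumption; run it from an elevated PowerShell prompt.

```powershell
# Added example (not the advisory's or the article's code). Run as Administrator.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\PSTranscripts'   # assumed path; lock down its ACL so users cannot read or delete transcripts

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Deep Script Block Logging: records the code PowerShell actually runs (Event ID 4104),
# including de-obfuscated content, in Microsoft-Windows-PowerShell/Operational.
Set-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# Module Logging: pipeline execution details (Event ID 4103) for every module ('*').
Set-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$base\ModuleLogging\ModuleNames" '*' '*' 'String'

# Over-the-Shoulder transcription: each session's input and output is written to a text file.
Set-PolicyValue "$base\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$base\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$base\Transcription" 'OutputDirectory' $transcriptDir 'String'
New-Item -ItemType Directory -Path $transcriptDir -Force | Out-Null

# Verify: read the values back so the result can feed a compliance report.
function Get-PowerShellLoggingStatus {
    [pscustomobject]@{
        ScriptBlockLogging = (Get-ItemProperty "$base\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        ModuleLogging      = (Get-ItemProperty "$base\ModuleLogging" -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1
        Transcription      = (Get-ItemProperty "$base\Transcription" -ErrorAction SilentlyContinue).EnableTranscripting -eq 1
    }
}
Get-PowerShellLoggingStatus

# Monitoring: logging only helps if someone reads it. Surface recent script block events
# whose content uses helpers commonly reviewed during abuse triage (adjust the pattern to taste).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'DownloadString|FromBase64String|Invoke-Expression' } |
    Select-Object TimeCreated, Id, @{ n = 'Snippet'; e = { ($_.Message -split "`n")[0..1] -join ' ' } }
```

The 4104 events are local to each host; forward them to a central collector so the continuous monitoring the report recommends covers the whole estate.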
There are many other sources of information about PowerShell security, including recommendations from the Center for Internet Security (CIS) and from Microsoft.
The original article is available at IT World Canada, a sister publication of IT Management.
Adapted and translated into French by Renaud Larue-Langlois
Tags: configuration, powershell, security