'Embrace PowerShell for better security', say UK, US, NZ cyber authorities


National cyber security authorities in the UK, US, and New Zealand have issued guidance to IT administrators on how to use PowerShell to secure their organisations.

The three countries recommend admins “embrace” PowerShell both on-prem and in the cloud via Microsoft Azure to securely manage resources, despite fears that the tool can be used by hackers after initially exploiting a business.


PowerShell is both a scripting language and command line tool that ships with Windows as standard. It can help admins run automated commands and apply configurations en masse, as well as assist cyber forensics and improve incident response, the authorities said.

Some admins have considered blocking the use of PowerShell in their IT environments as a consequence of the threat it presents if hackers breach their systems.

The cyber authorities instead recommend securing PowerShell itself so it can be used as a powerful security tool without concern of abuse.

“Blocking PowerShell hinders defensive capabilities that current versions of PowerShell can provide, and prevents components of the Windows operating system from running properly,” the advisory read.

“Recent versions of PowerShell with improved capabilities and options can assist defenders in countering abuse of PowerShell.”

While PowerShell 7.2 is the latest release, version 5.1 is shipped as standard in Windows 10 and newer. The authorities said that with proper configuration, organisations can keep the same scripts, modules, and commands after upgrading to the latest version.

Among the list of recommendations to combat abuse is the proper use of PowerShell remoting to prevent exposing credentials to remote hosts and to protect the organisation’s network.

PowerShell’s antimalware scan interface (AMSI) feature is also recommended for use in conjunction with third-party anti-virus products like Windows Defender and McAfee Total Protection. AMSI can scan scripts and detect if they are malicious in nature before they are executed.

There are also a number of techniques that, when used routinely, help admins detect abuse. Deep Script Block Logging (DSBL) records every PowerShell command and can also log hidden malicious PowerShell activity.

When DSBL is used in conjunction with module logging and over-the-shoulder transcription, three features that are disabled by default, admins can unearth potential abuses of the PowerShell tool.
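On Windows, the three logging features named above are controlled by policy registry values. The script below is an added example, not taken from the article or the advisory: it reports whether each is on for Windows PowerShell 5.1 and, with `-Enable`, turns them on. The transcript directory `C:\PSTranscripts` and the helper function names are assumptions chosen for illustration.

```powershell
# Added example: audit (and optionally enable) the three PowerShell logging
# policies for Windows PowerShell 5.1. -Enable must be run from an elevated session.
# PowerShell 7 reads its policies from a separate policy key, not covered here.
param(
    [switch]$Enable,
    # Assumption: illustrative transcript directory; restrict its ACL in practice.
    [string]$TranscriptDir = 'C:\PSTranscripts'
)

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$policies = @(
    [pscustomobject]@{ Policy = 'Script block logging'; Path = "$base\ScriptBlockLogging"; ValueName = 'EnableScriptBlockLogging' }
    [pscustomobject]@{ Policy = 'Module logging';       Path = "$base\ModuleLogging";      ValueName = 'EnableModuleLogging' }
    [pscustomobject]@{ Policy = 'Transcription';        Path = "$base\Transcription";      ValueName = 'EnableTranscripting' }
)

function Test-LoggingPolicy($p) {
    # A missing key or value means the policy is not configured, which is the default (off).
    $item = Get-ItemProperty -Path $p.Path -Name $p.ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.($p.ValueName) -eq 1)
}

function Set-PolicyDword($path, $name, $data) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $name -Value $data -PropertyType DWord -Force | Out-Null
}

if ($Enable) {
    foreach ($p in $policies) { Set-PolicyDword $p.Path $p.ValueName 1 }

    # Module logging only records modules listed under ModuleNames; '*' selects all.
    $names = "$base\ModuleLogging\ModuleNames"
    if (-not (Test-Path $names)) { New-Item -Path $names -Force | Out-Null }
    New-ItemProperty -Path $names -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # Transcription: set the output location and add a timestamped header per command.
    New-ItemProperty -Path "$base\Transcription" -Name 'OutputDirectory' -Value $TranscriptDir -PropertyType String -Force | Out-Null
    Set-PolicyDword "$base\Transcription" 'EnableInvocationHeader' 1
}

# Report the resulting state of each policy.
foreach ($p in $policies) {
    [pscustomobject]@{ Policy = $p.Policy; Enabled = (Test-LoggingPolicy $p); Key = $p.Path }
}
```

Once enabled, script block and module logging events appear in the `Microsoft-Windows-PowerShell/Operational` event log (event IDs 4104 and 4103 respectively), which is where a SIEM or forwarder should collect them.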

The full list of recommendations for admins looking to secure and continue to benefit from PowerShell can be found in the security advisory.

The cyber authorities said PowerShell is “essential” to secure Windows properly, and that newer versions of the tool have eliminated shortcomings and limitations of older builds.

“Removing or improperly restricting PowerShell would prevent administrators and defenders from utilising PowerShell to assist with system maintenance, forensics, automation, and security,” said the authorities.

“PowerShell, along with its administrative abilities and security measures, should be managed properly and adopted.”

Connor Jones
News and Analysis Editor
