
'Embrace PowerShell for better security', say UK, US, NZ cyber authorities

The powerful automation and IT administrative tool has been used by hackers as an attack tool, but proper configuration can take the power out of their hands

National cyber security authorities in the UK, US, and New Zealand have issued guidance to IT administrators on how to use PowerShell to secure their organisations.

The three countries recommend admins “embrace” PowerShell both on-prem and in the cloud via Microsoft Azure to securely manage resources, despite fears that the tool can be used by hackers after initially exploiting a business.


PowerShell is both a scripting language and command line tool that ships with Windows as standard. It can help admins run automated commands and apply configurations en masse, as well as assist cyber forensics and improve incident response, the authorities said.

Some admins have considered blocking the use of PowerShell in their IT environments as a consequence of the threat it presents if hackers breach their systems.

The cyber authorities instead recommend securing PowerShell itself so it can be used as a powerful security tool without concern of abuse.

“Blocking PowerShell hinders defensive capabilities that current versions of PowerShell can provide, and prevents components of the Windows operating system from running properly,” the advisory read.

“Recent versions of PowerShell with improved capabilities and options can assist defenders in countering abuse of PowerShell.”

While PowerShell 7.2 is the latest release, version 5.1 is shipped as standard in Windows 10 and newer. The authorities said that with proper configuration, organisations can keep the same scripts, modules, and commands after upgrading to the latest version.

Among the list of recommendations to combat abuse is the proper use of PowerShell remoting to prevent exposing credentials to remote hosts and to protect the organisation’s network.

PowerShell’s Antimalware Scan Interface (AMSI) integration is also recommended, used in conjunction with anti-virus products such as Windows Defender or third-party products like McAfee Total Protection. Through AMSI, the anti-virus engine can scan script content and flag it as malicious before it is executed.

There are also a number of logging techniques admins can use routinely to detect abuse. Deep Script Block Logging (DSBL) records every PowerShell command and script block that runs, including code that is obfuscated or decoded only at runtime, so hidden malicious PowerShell activity is still captured.

When DSBL is used in conjunction with module logging and over-the-shoulder transcription, three features that are disabled by default, admins can unearth potential abuses of the PowerShell tool.
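The three logging features above are switched on through machine-wide policy registry values. As an added example (not code from the advisory or the article), the PowerShell below audits whether each one is enabled, turns them all on, and reads back recent script block events to confirm the configuration; the registry paths are the standard Group Policy locations, while the transcript directory is an assumed value.

```powershell
# Added example: audit and enable script block logging, module logging and
# transcription. Policy root used by the PowerShell Group Policy templates.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue([string]$SubKey, [string]$Name) {
    $path = Join-Path $PolicyRoot $SubKey
    if (Test-Path $path) {
        return (Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    return $null
}

# Report which of the three features are currently on (all are off by default).
function Get-PowerShellLoggingPosture {
    [pscustomobject]@{
        ScriptBlockLogging = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ModuleLogging      = (Get-PolicyValue 'ModuleLogging'      'EnableModuleLogging')      -eq 1
        Transcription      = (Get-PolicyValue 'Transcription'      'EnableTranscripting')      -eq 1
        TranscriptDir      =  Get-PolicyValue 'Transcription'      'OutputDirectory'
    }
}

# Turn all three on (run elevated). $TranscriptDir is an assumed path: use a
# location users can append to but not read or delete from, and forward it to your SIEM.
function Enable-PowerShellLogging([string]$TranscriptDir = 'C:\PSTranscripts') {
    foreach ($k in 'ScriptBlockLogging', 'ModuleLogging', 'ModuleLogging\ModuleNames', 'Transcription') {
        New-Item -Path (Join-Path $PolicyRoot $k) -Force | Out-Null
    }
    Set-ItemProperty -Path "$PolicyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1
    Set-ItemProperty -Path "$PolicyRoot\ModuleLogging" -Name EnableModuleLogging -Type DWord -Value 1
    # A module name of '*' logs pipeline execution details for every module.
    Set-ItemProperty -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Name '*' -Type String -Value '*'
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableTranscripting -Type DWord -Value 1
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableInvocationHeader -Type DWord -Value 1
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name OutputDirectory -Type String -Value $TranscriptDir
}

# Read the latest script block events (ID 4104) from the Operational log to
# verify end to end that DSBL is producing records. Property index 2 is the
# ScriptBlockText field of a 4104 event.
function Get-RecentScriptBlocks([int]$Count = 5) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $Count |
        Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

Get-PowerShellLoggingPosture
```

Run `Enable-PowerShellLogging` from an elevated session, then `Get-PowerShellLoggingPosture` and `Get-RecentScriptBlocks` to confirm the settings took effect and events are being written.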

The full list of recommendations for admins looking to secure and continue to benefit from PowerShell can be found in the security advisory.

The cyber authorities said PowerShell is “essential” to secure Windows properly, and that newer versions of the tool have eliminated shortcomings and limitations of older builds.

“Removing or improperly restricting PowerShell would prevent administrators and defenders from utilising PowerShell to assist with system maintenance, forensics, automation, and security,” said the authorities.

“PowerShell, along with its administrative abilities and security measures, should be managed properly and adopted.”
