'Embrace PowerShell for better security', say UK, US, NZ cyber authorities
The powerful automation and IT administrative tool has been used by hackers as an attack tool, but proper configuration can take the power out of their hands
National cyber security authorities in the UK, US, and New Zealand have issued guidance to IT administrators on how to use PowerShell to secure their organisations.
The three countries recommend admins “embrace” PowerShell both on-prem and in the cloud via Microsoft Azure to securely manage resources, despite fears that the tool can be used by hackers after initially exploiting a business.
PowerShell is both a scripting language and command line tool that ships with Windows as standard. It can help admins run automated commands and apply configurations en masse, as well as assist cyber forensics and improve incident response, the authorities said.
Some admins have considered blocking the use of PowerShell in their IT environments as a consequence of the threat it presents if hackers breach their systems.
The cyber authorities instead recommend securing PowerShell itself so it can be used as a powerful security tool without concern of abuse.
“Blocking PowerShell hinders defensive capabilities that current versions of PowerShell can provide, and prevents components of the Windows operating system from running properly,” the advisory read.
“Recent versions of PowerShell with improved capabilities and options can assist defenders in countering abuse of PowerShell.”
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
While PowerShell 7.2 is the latest release, version 5.1 is shipped as standard in Windows 10 and newer. The authorities said that with proper configuration, organisations can keep the same scripts, modules, and commands after upgrading to the latest version.
Among the list of recommendations to combat abuse is the proper use of PowerShell remoting to prevent exposing credentials to remote hosts and to protect the organisation’s network.
PowerShell’s antimalware scan interface (AMSI) feature is also recommended for use in conjunction with third-party anti-virus products like Windows Defender and McAfee Total Protection. AMSI can scan scripts and detect if they are malicious in nature before they are executed.
There are also a number of techniques admins can use to detect abuse when used routinely. Deep Script Block Logging (DSBL) records every PowerShell command and also has the power to log hidden malicious PowerShell activities.
When DSBL is used in conjunction with module logging and over-the-shoulder transcription, three features that are disabled by default, admins can unearth potential abuses of the PowerShell tool.
The full list of recommendations for admins looking to secure and continue to benefit from PowerShell can be found in the security advisory.
The cyber authorities said PowerShell is “essential” to secure Windows properly, and that newer versions of the tool have eliminated shortcomings and limitations of older builds.
“Removing or improperly restricting PowerShell would prevent administrators and defenders from utilising PowerShell to assist with system maintenance, forensics, automation, and security,” said the authorities.
“PowerShell, along with its administrative abilities and security measures, should be managed properly and adopted.”
Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.