Cybercriminals have taken advantage of weaknesses in the Windows PowerShell scripting utility for decades. But cyber intelligence agencies in the US, UK and New Zealand say disabling it is not the solution.
Instead, they say in a recently published report, proper configuration and monitoring will reduce the likelihood of malicious actors using it undetected after gaining access to a victim’s network.
“PowerShell blocking hinders the defensive capabilities that current versions of PowerShell can provide,” the advisory says, “and prevents components of the Windows operating system from working properly. Recent versions of PowerShell with enhanced capabilities and options can help defenders counter PowerShell abuse.”
Windows administrators should first install PowerShell 7.2 if they haven’t already. On Windows 10+, with proper configuration, version 7.2 can fully integrate with and access all components built for version 5.1 (included in earlier versions of Windows 10 and 11), allowing continued use of existing scripts, modules, and commands.
The report urges administrators to take advantage of these PowerShell features:
- If remote access is allowed, use Windows Remote Management (WinRM). It uses Kerberos or New Technology LAN Manager (NTLM) as default authentication protocols. These authentication protocols do not send actual credentials to remote hosts, which prevents direct credential exposure and the risk of theft through leaked credentials.
PowerShell 7 allows remote connections through Secure Shell (SSH) in addition to supporting WinRM connections. This enables public key authentication and makes remote machine management via PowerShell convenient and secure, the report adds. The new SSH remoting features in PowerShell can establish remote connections without requiring the use of Hypertext Transfer Protocol Secure (HTTPS) with Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.
Windows firewall rules on endpoints must be configured appropriately to control allowed connections. Enabling PowerShell remoting on private networks will introduce a Windows Firewall rule to accept all connections. Authorization requirements and Windows Firewall rules can be customized to limit connections to only trusted endpoints and networks to reduce opportunities for lateral movement.
- Enable the Antimalware Scan Interface (AMSI), which allows the contents of dynamic and in-memory scripts to be scanned by an approved antivirus product, such as Windows Defender, McAfee (now Trellix), or Symantec.
- Configure AppLocker or Windows Defender Application Control (WDAC) to block actions on a Windows host. This will cause PowerShell to run in Constrained Language Mode (CLM), which limits PowerShell operations unless they are allowed by administrator-defined policies.
The report also notes that PowerShell activity logging can record when threat actors abuse PowerShell, and that continuous monitoring of PowerShell logs can detect and alert on potential abuse. Unfortunately, the “Deep Script Block Logging”, “Module Logging” and “Over-the-Shoulder transcription” features are disabled by default. The report recommends enabling them wherever possible.
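As an added illustration (not part of the article or the advisory), the following PowerShell script turns on the three logging features named above and then checks that script blocks are reaching the event log. The transcript directory is an assumed path; the policy keys under PowerShellCore are the ones PowerShell 7’s policy templates use, so both roots are set.

```powershell
# Added example: enable Deep Script Block Logging, Module Logging and
# Over-the-Shoulder transcription, then verify. Run in an elevated session.
# $TranscriptDir is an assumed path; use a location only administrators can write to.
$TranscriptDir = 'C:\PSTranscripts'

# Windows PowerShell 5.1 reads the first root; PowerShell 7 reads the PowerShellCore root.
$Roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell',
    'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore'
)

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

foreach ($Root in $Roots) {
    # Deep Script Block Logging: de-obfuscated script blocks are written as event ID 4104
    Set-PolicyValue "$Root\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

    # Module Logging for every module: pipeline execution details as event ID 4103
    Set-PolicyValue "$Root\ModuleLogging" 'EnableModuleLogging' 1
    Set-PolicyValue "$Root\ModuleLogging\ModuleNames" '*' '*' 'String'

    # Over-the-Shoulder transcription: the full session text is written to files
    Set-PolicyValue "$Root\Transcription" 'EnableTranscripting' 1
    Set-PolicyValue "$Root\Transcription" 'EnableInvocationHeader' 1
    Set-PolicyValue "$Root\Transcription" 'OutputDirectory' $TranscriptDir 'String'
}
New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null

# Verification: once a new session has run, 4104 events carry the script block text
# (property index 2). These are the records a SIEM collects for continuous monitoring.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }

# Shows whether WDAC/AppLocker policy has placed this session in Constrained Language Mode
"LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"
```

The registry values mirror the Group Policy settings under Administrative Templates, so in a domain they should be deployed through GPO rather than set per host.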
There are many other sources of information on how to secure PowerShell, including guidance from the Center for Internet Security and Microsoft.
The original article is available at IT World Canada, a sister publication of Direction informatique.
Adaptation and French translation by Renaud Larue-Langlois