Factors that make Microsoft PowerShell valuable to the IT administrator, such as remote PC administration and diagnostics, also make it useful to attackers.
Many attackers, including ransomware threat actors, use PowerShell as a post-exploitation tool.
A joint cybersecurity statement issued Wednesday by the United States, New Zealand, and the United Kingdom recommended that organizations properly configure and monitor PowerShell rather than completely disable the Windows scripting language and command-line tool. The new report describes PowerShell security features that help protect common attack vectors such as credentials and remote management configurations.
“PowerShell is essential for securing the Windows operating system, especially as newer versions have addressed previous limitations and issues through updates and enhancements,” says the cybersecurity fact sheet issued by the government agencies.
The benefits of PowerShell for administrators and security teams include the ability to automate tasks, improve incident response, and enable investigative efforts. It is also used for management purposes in Azure, Microsoft’s cloud platform.
However, the authorities said the same extensibility, ease of use and availability that help defenders also provide an opportunity for malicious actors who abuse PowerShell after gaining access to victim networks.
“This has prompted some network defenders to disable the Windows tool,” a spokesperson for the US National Security Agency (NSA) said in an email to SearchSecurity. “The NSA and its partners advise against doing so.”
The NSA did not say whether there has been a recent increase in PowerShell threats.
PowerShell can be an integral part of the toolkit of cybercriminals who use “living off the land” techniques, meaning they use legitimate software and functions for malicious purposes. A threat report from XDR-focused security vendor Trellix in January showed that PowerShell accounted for more than 40% of the native operating system binaries used by threat actors.
Examples of recent attacks include one discovered by Trend Micro in May. Researchers found that operators behind AvosLocker ransomware used PowerShell to disable antivirus software. PowerShell was also present in the Iranian APT campaigns documented in January by several vendors, including Cisco Talos. Talos researchers detailed new activity from an Iranian threat group known as MuddyWater that deployed “powershell-based malicious downloaders that act as initial anchors in the target’s enterprise.”
Although Talos hasn’t done an explicit study, Matt Olney, director of Talos Threat Intelligence, said PowerShell likely accounts for more than a third of critical threats on Windows networks. A third feels low, he said.
“PowerShell is widely used by actors, as it’s installed by default on all modern Windows machines,” Olney said in an email to SearchSecurity.
During a Cisco Talos session at the RSA Conference 2022 on preparing defenses, PowerShell logging was among the recommended actions for users. Wednesday’s joint cybersecurity report also highlighted the importance of logging to detect abuse.
PowerShell abuse was particularly prevalent in 2020. A McAfee report released in 2021 determined that PowerShell threats increased by 208% between the third and fourth quarters of 2020. Additionally, Cisco documented the endpoint threats it observed in the second half of 2020.
IT professionals are advised to use application controls on Windows hosts to restrict PowerShell operations to those authorized by the administrator. The authorities also advise enabling the Antimalware Scan Interface (AMSI) feature, which was first available on Windows 10.
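The logging the report and the Talos session both recommend, and the AMSI check mentioned above, can be applied and verified from PowerShell itself. The script below is an added example written for this article; it is not code from the advisory, the NSA, Cisco Talos or Microsoft. It assumes Windows PowerShell 5.1 or later in an elevated session, uses the standard Group Policy-backed registry locations under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell`, and the transcript output directory `C:\PSTranscripts` is a placeholder to be replaced with a site-specific path.

```powershell
# Added example (not from the advisory or the article): enable the PowerShell
# logging the report recommends, check AMSI registration, and read back what
# logging captures. Assumes PowerShell 5.1+ in an elevated session.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyDword {
    param([string]$SubKey, [string]$Name, [int]$Value)
    $path = Join-Path $policyRoot $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Script block logging: records the de-obfuscated text of every script
#    block PowerShell compiles (Event ID 4104 in the Operational log).
Set-PolicyDword -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

# 2. Module logging for all modules: pipeline execution details (Event ID 4103).
Set-PolicyDword -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
$moduleNames = Join-Path $policyRoot 'ModuleLogging\ModuleNames'
if (-not (Test-Path $moduleNames)) { New-Item -Path $moduleNames -Force | Out-Null }
New-ItemProperty -Path $moduleNames -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 3. Transcription: full text of each session written to disk. The directory
#    is a placeholder; in production point it at a write-only network share
#    so a compromised host cannot alter its own records.
Set-PolicyDword -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
Set-PolicyDword -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
New-ItemProperty -Path (Join-Path $policyRoot 'Transcription') -Name 'OutputDirectory' `
    -Value 'C:\PSTranscripts' -PropertyType String -Force | Out-Null

# 4. AMSI is built into PowerShell 5+; this lists the antimalware engines
#    registered as AMSI providers, so an empty result means nothing is scanning.
$providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue
if ($providers) {
    $providers | ForEach-Object { "AMSI provider registered: $($_.PSChildName)" }
} else {
    'WARNING: no AMSI providers registered on this host'
}

# 5. Read back recent script-block events so analysts can see what the logging
#    captures. Properties[2] of a 4104 event holds the script block text.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
```

Script block logging is the single most useful of these for detection, because the 4104 events contain the code as PowerShell actually executed it, after any obfuscation has been unwrapped. The registry values written here are the same ones Group Policy sets, so on a domain-joined host the equivalent settings under Administrative Templates > Windows Components > Windows PowerShell should be preferred and will override local changes.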
Additionally, the joint cybersecurity group advises using multiple authentication methods in PowerShell to enable its use on non-Windows devices.