CISA, NSA and Other Agencies Recommend Hardening PowerShell -- Redmondmag.com

CISA, NSA and Other Agencies Recommend Hardening PowerShell

By Kurt Mackie
06/23/2022

Government cybersecurity organizations on Tuesday announced guidelines for using Microsoft's built-in PowerShell scripting language with Windows, without having it also be leveraged by attackers.

The newly released joint "Cybersecurity Information Sheet" on PowerShell (PDF) was put together by "cybersecurity authorities from the United States, New Zealand and the United Kingdom." Participants on the U.S. side included the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA).

The agencies noted that "malicious actors" use PowerShell for their attacks after first gaining network access. However, the authors stopped short of suggesting that organizations remove it. PowerShell has "defensive capabilities," too, they noted. Also, blocking PowerShell "prevents components of the Windows operating system from running properly."

Organizations, though, should uninstall PowerShell version 2 because it has security holes. More recent PowerShell versions, beginning with PowerShell version 5, have "prevention, detection and authentication capabilities" that are useful for defenders.

The security "hardening" technologies to use in conjunction with PowerShell include:

The Antimalware Scan Interface, which uses antivirus solutions to check for malicious "in-memory and dynamic file contents."
Windows Defender Application Control or AppLocker, which can be used to put PowerShell into a Constrained Language Mode and restrict PowerShell operations according to "administrator-defined policies."
Deep Script Block Logging, which provides a record of PowerShell activities.
Module Logging, which collects PowerShell "pipeline execution details."
Over-the-Shoulder Transcription, which "records every PowerShell input and output."

The authors concluded that "PowerShell is essential" to secure the Windows operating systems, and is OK to use after the problems in version 2 were addressed. PowerShell shouldn't be removed, but organizations should harden it, where possible.

Particularly on the logging and detection side, IT pros may need to take some actions to optimally secure PowerShell because they aren't enabled by default.

"Deep Script Block Logging, Module Logging, and Over-the-Shoulder transcription are disabled by default," the guide explained. "The authors recommend enabling the capabilities where feasible."

The agencies recommendations were just intended to apply to organizations running Windows, and not to Linux and macOS environments, according to a footnote in the report.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Multi-Tenant Organization Hooks Released for Microsoft 365

Microsoft Entra ID's new multi-tenant organization capabilities have reached general availability (GA).
Real-World Ransomware Recovery

Here's how I was (mostly) successful in recovering a family PC infected with malware.
Microsoft Launches Small AI Models Family Phi-3

Recognizing that bigger isn't always better, Microsoft has released its smallest open AI models to date, Phi-3.
Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.