NSA Advises On How To Secure Windows Devices With PowerShell

Helga Smith

The National Security Agency (NSA) and several partner cyber security agencies recently published an advisory recommending that system administrators use PowerShell to prevent and detect malicious activity on Windows machines.

PowerShell is Microsoft’s automation and configuration tool. Threat actors often abuse it, mostly after they have already gained access to the targeted system. According to the advisory, however, defenders can benefit from the tool too: it can enhance incident response, automate repetitive tasks and support forensic work.

The NSA and the cyber security centers of the U.S. (CISA), New Zealand (NZ NCSC) and the U.K. (NCSC-UK) issued a joint advisory with recommendations on how to use PowerShell to counter cyber threats, rather than removing or disabling the tool.

“Blocking PowerShell hinders defensive capabilities that current versions of PowerShell can provide, and prevents components of the Windows operating system from running properly. Recent versions of PowerShell with improved capabilities and options can assist defenders in countering abuse of PowerShell,” the advisory states.

PowerShell can help detect its own malicious use

Among the many pieces of advice in the report, one is to record PowerShell activity and monitor the resulting logs. The idea is that this helps detect signs of potential PowerShell abuse early.

The report proposes turning on features such as Over-the-Shoulder transcription (OTS), Module Logging and Deep Script Block Logging (DSBL).

Deep Script Block Logging (DSBL) and Module Logging build a complete record of activity that can later be used to detect suspicious or malicious use of PowerShell tools. The logs also capture the scripts that were used in the process, including hidden actions and commands.

Figure: different security features present in PowerShell versions

OTS, or Over-the-Shoulder transcription, records all PowerShell input and output, which shows what a threat actor’s next moves could be.
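The following is an added example, not code from the advisory or this article, showing how the three logging features named above are switched on and how the resulting events can be reviewed. It assumes an elevated PowerShell 5.1 or later session on a test host; the registry paths are the policy keys that Group Policy writes, the transcript directory C:\PSTranscripts and the keyword list used for review are assumptions to be tuned locally.

```powershell
# Added example (not from the advisory or the article): enable Deep Script Block Logging,
# Module Logging and Over-the-Shoulder transcription, then query the events they produce.
# Assumes an elevated PowerShell 5.1+ session; C:\PSTranscripts is an assumed output path.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Deep Script Block Logging: the text of every script block is recorded as it runs (event 4104).
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module Logging for all modules: pipeline execution details are recorded (event 4103).
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# Over-the-Shoulder transcription: full input and output of each session goes to a text file.
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String

# Review: pull recent script block events and surface the ones whose code decodes or
# downloads content. The pattern list is an assumption for this example; tune it locally.
$suspect = 'FromBase64String|DownloadString|Invoke-Expression|-EncodedCommand'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 500 |
    Where-Object { $_.Properties[2].Value -match $suspect } |
    Select-Object TimeCreated, Id, @{
        n = 'Snippet'
        e = {
            # Properties[2] of a 4104 event holds the script block text; keep the first 80 chars.
            $t = $_.Properties[2].Value
            if ($t.Length -gt 80) { $t.Substring(0, 80) } else { $t }
        }
    } |
    Format-Table -AutoSize
```

Setting these policy keys directly is equivalent to enabling them through Group Policy; in a domain the Group Policy objects are the better-managed route, and the transcript directory should be a write-only location that ordinary users cannot read or clear.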

PowerShell can lower its own risk of abuse

Here the advisory notes that, to reduce the risk of PowerShell abuse, the tool’s own capabilities and frameworks such as PowerShell remoting should be leveraged. PowerShell remoting does not expose plain-text credentials when commands are executed remotely on Windows hosts.

One thing to add here is that administrators should also be aware that enabling this feature on a private network automatically adds a Windows Firewall rule that permits all new connections.

Customizing Windows Firewall to allow connections only from trusted endpoints and networks helps deter a threat actor’s lateral movement across the network.

For remote connections, the agencies recommend using the Secure Shell protocol (SSH), which is supported in PowerShell 7.
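As an added example (not code from the advisory or this article), the script below enables remoting, narrows the firewall rules that step creates to trusted management addresses, and then opens a PowerShell 7 session over SSH. The management subnet 10.0.50.0/24, the address 10.0.60.10, the host name mgmt01, the user name admin and the key path are constructed placeholders; the SSH part assumes OpenSSH Server with a PowerShell subsystem configured on the target.

```powershell
# Added example (not from the advisory or the article): scope the WinRM firewall rules
# that Enable-PSRemoting creates to trusted hosts, then use SSH as the remoting transport.
# Assumes an elevated session on Windows 10+; addresses and host names below are placeholders.
$trusted = @('10.0.50.0/24', '10.0.60.10')

# Enable remoting. On a Private profile this adds an inbound rule that accepts any remote
# address, which the scoping step below restricts.
Enable-PSRemoting -Force

# Restrict every inbound rule of the Windows Remote Management group to the trusted addresses.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $trusted

# Verify: list each inbound WinRM rule with its effective remote-address scope.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($addr -join ', ')
        }
    } | Format-Table -AutoSize

# PowerShell 7: remote over SSH instead of WinRM. -HostName selects the SSH transport;
# the target needs OpenSSH Server with "Subsystem powershell" in sshd_config.
# Key-based authentication means no password is sent across the wire.
$session = New-PSSession -HostName mgmt01 -UserName admin -KeyFilePath "$HOME\.ssh\id_ed25519"
Invoke-Command -Session $session -ScriptBlock { $PSVersionTable.PSVersion; $env:COMPUTERNAME }
Remove-PSSession $session
```

The verification step matters because `Enable-PSRemoting` may be re-run by tooling and recreate the broad rule; checking the address filter, rather than only the rule's enabled state, shows whether the scoping is actually in force.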

One last main recommendation is to use Windows Defender Application Control (WDAC) or AppLocker to put the tool into Constrained Language Mode (CLM), which denies all operations outside the administrator’s policies.

“Proper configuration of WDAC or AppLocker on Windows 10+ helps to prevent a malicious actor from gaining full control over a PowerShell session and the host,” the report adds.
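An added example, not from the advisory or this article, that a defender can run after deploying a WDAC or AppLocker policy to confirm a session really is in Constrained Language Mode and that the restriction holds. It assumes Windows 10 or later with PowerShell 5.1 or 7; `Test-ConstrainedLanguage` is a name chosen for this example.

```powershell
# Added example (not from the advisory or the article): report the session's language mode
# and confirm that CLM actually blocks arbitrary .NET method calls.
function Test-ConstrainedLanguage {
    $mode = $ExecutionContext.SessionState.LanguageMode
    $blocked = $false
    try {
        # Calling a method on a type outside the core set is one capability CLM removes:
        # in FullLanguage this succeeds, in ConstrainedLanguage it throws.
        [System.Net.Dns]::GetHostName() | Out-Null
    } catch {
        $blocked = $true
    }
    [pscustomobject]@{
        LanguageMode      = $mode
        DotNetCallBlocked = $blocked
        Enforced          = ($mode -eq 'ConstrainedLanguage' -and $blocked)
    }
}

Test-ConstrainedLanguage

# Effective AppLocker policy on this host (an empty policy means none is applied).
Get-AppLockerPolicy -Effective -Xml

# WDAC status: CodeIntegrityPolicyEnforcementStatus is 0 = off, 1 = audit, 2 = enforced.
Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard |
    Select-Object CodeIntegrityPolicyEnforcementStatus, UsermodeCodeIntegrityPolicyEnforcementStatus
```

Run this from an ordinary, non-exempt user context: an account or script path that the policy explicitly allows will report FullLanguage even though the policy is active for everyone else, which is exactly the gap the report's recommendation is meant to close.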

The full advisory, titled “Keeping PowerShell: Security Measures to Use and Embrace”, is available here [PDF].
