PowerShell attacks: how to protect yourself

Attackers live off the land precisely so that antivirus software does not flag their tools: they attack your network using code that already exists on it.

The U.S. National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), New Zealand's NCSC, and the United Kingdom's NCSC jointly released a guidance document, Keeping PowerShell: Security Measures to Use and Embrace. Its main recommendations follow.

Don't overuse PowerShell remoting

First, decide where PowerShell remoting should work and where it should not be functional. You can block PowerShell remoting through Group Policy or Intune, but too many companies do not take the time to use the technology they already have to control that communication.

When PowerShell remoting is enabled via Enable-PSRemoting, Windows Firewall automatically opens port 5985 (WinRM over HTTP). Two inbound rules are created: one for the Domain and Private network profiles and one for the Public profile.

In Windows Defender Firewall with Advanced Security, choose “Inbound Rules” and right-click each of these rules to disable it wherever remoting should not be reachable. You may also want to lock the rules down so that attackers cannot re-enable them silently, and enable firewall auditing so that you are alerted when a firewall rule changes.
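The review-and-audit step described above, as an added example in PowerShell; it is not code from the article or from the agencies' guidance. It assumes remoting is wanted only on the Domain profile (change `$AllowedProfiles` to match your own policy), that the WinRM rules sit in the display group Enable-PSRemoting creates, and that it is run in an elevated session.

```powershell
# Added example, not from the article or the agencies' guidance.
# Reviews the inbound WinRM rules that Enable-PSRemoting registers, disables
# those that apply only to profiles where remoting should not be reachable,
# and enables auditing of firewall rule changes. Run in an elevated session.
# Assumption: remoting is wanted only on the Domain profile; change
# $AllowedProfiles to match your own policy.

$AllowedProfiles = @('Domain')

# Enable-PSRemoting registers its rules in this display group
# (the HTTP-In rule listens on TCP 5985).
$rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound

foreach ($rule in $rules) {
    $port     = ($rule | Get-NetFirewallPortFilter).LocalPort
    $profiles = "$($rule.Profile)" -split ',\s*'      # e.g. "Domain, Private" or "Any"

    if ($profiles -contains 'Any') {
        # Applies to every profile: narrow it to the allowed ones instead of disabling it.
        Write-Host "Scoping   $($rule.DisplayName) [port $port] to $($AllowedProfiles -join ',')"
        Set-NetFirewallRule -Name $rule.Name -Profile $AllowedProfiles
    }
    elseif ($profiles | Where-Object { $AllowedProfiles -contains $_ }) {
        Write-Host "Keeping   $($rule.DisplayName) [port $port, profiles: $($rule.Profile)]"
    }
    else {
        Write-Host "Disabling $($rule.DisplayName) [port $port, profiles: $($rule.Profile)]"
        Disable-NetFirewallRule -Name $rule.Name
    }
}

# Audit firewall rule changes so a rule that is re-enabled or recreated leaves
# Security-log events 4946 (rule added), 4947 (modified) and 4948 (deleted).
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable

# Review rule changes from the last seven days.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4946, 4947, 4948
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Forward the 4946/4947/4948 events to your SIEM so that a rule quietly re-enabled on one host shows up centrally; the script only reviews the local log.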

Antimalware Scan Interface in antivirus software

Make sure your antivirus product integrates with the Windows Antimalware Scan Interface (AMSI). Windows Defender, McAfee, and Symantec are AMSI-aware products. AMSI lets the scanner inspect in-memory and dynamically generated content, not only files on disk.

It would be worth your time to determine whether Defender for Endpoint is an appropriate investment. It is an enhanced endpoint security platform that offers advanced threat detection, investigation, and response capabilities.

WDAC or AppLocker are good choices

Consider licensing and deploying AppLocker or Windows Defender Application Control (WDAC) for better protection. 

Configure AppLocker or WDAC to block unwanted actions on the Windows host. Enabling AppLocker script enforcement blocks PowerShell commands run from a script while still allowing them to be run interactively; in this mode, PowerShell runs in Constrained Language mode.
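To see what Constrained Language mode actually refuses, here is an added example (not from the article) that reads the language mode of the current session and runs a small probe script in a throwaway runspace locked to ConstrainedLanguage. It needs no AppLocker or WDAC policy to run; with one deployed, the mode is imposed on the session by policy rather than chosen as it is here. The probe names and the `Probe` class are constructed for the demonstration.

```powershell
# Added example, not from the article. Shows how to read the language mode of
# the current session and what Constrained Language mode refuses, by running
# a probe script in a separate runspace that is locked to ConstrainedLanguage.

Write-Host "This session runs in: $($ExecutionContext.SessionState.LanguageMode)"

# Script text to execute under the restricted mode. Each probe records whether it
# ran or was refused, so the differences are visible side by side.
$probeScript = @'
$r = [ordered]@{}
$r['LanguageMode'] = "$($ExecutionContext.SessionState.LanguageMode)"
# Ordinary cmdlets keep working.
try   { $r['Cmdlet (Get-Process)'] = (Get-Process -Id $PID).ProcessName }
catch { $r['Cmdlet (Get-Process)'] = "refused: $($_.Exception.Message)" }
# Static calls on core types such as [Math] are allowed ...
try   { $r['Core type [Math]']     = [Math]::Max(1, 2) }
catch { $r['Core type [Math]']     = "refused: $($_.Exception.Message)" }
# ... while arbitrary .NET types and Add-Type are refused.
try   { $r['.NET call (Dns)']      = [System.Net.Dns]::GetHostName() }
catch { $r['.NET call (Dns)']      = "refused: $($_.Exception.Message)" }
try   { Add-Type -TypeDefinition 'public class Probe { public static int One() { return 1; } }'
        $r['Add-Type']             = 'allowed' }
catch { $r['Add-Type']             = "refused: $($_.Exception.Message)" }
$r
'@

# A runspace can be moved to a more restrictive mode but never back to
# FullLanguage, so the restriction is applied to a throwaway runspace,
# not to this console.
$runspace = [runspacefactory]::CreateRunspace()
$runspace.Open()
$runspace.SessionStateProxy.LanguageMode = [System.Management.Automation.PSLanguageMode]::ConstrainedLanguage

$ps = [powershell]::Create()
$ps.Runspace = $runspace
[void]$ps.AddScript($probeScript)
$result = $ps.Invoke()[0]     # the ordered dictionary returned by the probe
$ps.Dispose()
$runspace.Close()

foreach ($entry in $result.GetEnumerator()) {
    "{0,-22} {1}" -f $entry.Key, $entry.Value
}
```

Checking `$ExecutionContext.SessionState.LanguageMode` from inside a session is the simplest way to confirm that an AppLocker or WDAC policy is actually being applied to PowerShell on a given host.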

PowerShell logging enabled

Enable logging. Deep script block logging, module logging, and over-the-shoulder transcription give you a record of what PowerShell actually ran on your systems. The Group Policy object (GPO) setting for script block logging is 'Turn on PowerShell Script Block Logging'.

Even Windows 7 machines, which do not ship with PowerShell 5, can have PowerShell 5 installed, which enables this additional logging. Script blocks are recorded under event ID 4104.
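The three logging channels above can be enabled without a domain by writing the same registry values the GPOs set; the following added example (not from the article) does that and then pulls recent 4104 events, surfacing the ones PowerShell's own heuristic rated as suspicious (those are logged at Warning level). It assumes an elevated session and uses `C:\PSTranscripts` as a constructed transcript directory.

```powershell
# Added example, not from the article. Enables script block logging, module
# logging and transcription through the registry values behind the GPOs, then
# reviews recent script block events (ID 4104). Run elevated.
# Assumption: transcripts are written to C:\PSTranscripts (constructed path).

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Script block logging (GPO: "Turn on PowerShell Script Block Logging")
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Module logging for every module (GPO: "Turn on Module Logging")
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 3. Over-the-shoulder transcription (GPO: "Turn on PowerShell Transcription")
$transcriptDir = 'C:\PSTranscripts'
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value $transcriptDir
New-Item -ItemType Directory -Path $transcriptDir -Force | Out-Null

# Show the resulting policy values.
Get-ItemProperty -Path "$base\ScriptBlockLogging", "$base\ModuleLogging", "$base\Transcription" | Format-List

# Pull the last 200 script block events. Level 3 (Warning) is the engine's own
# "suspicious content" rating; routine blocks are logged at Level 5 (Verbose).
# Event properties: [2] = ScriptBlockText, [3] = ScriptBlockId.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 200 -ErrorAction SilentlyContinue

$events |
    Select-Object TimeCreated, Level,
        @{ n = 'ScriptBlockId'; e = { $_.Properties[3].Value } },
        @{ n = 'Snippet'; e = {
            $t = $_.Properties[2].Value -replace '\s+', ' '
            if ($t.Length -gt 80) { $t.Substring(0, 80) + '...' } else { $t }
        } } |
    Sort-Object Level |
    Format-Table -AutoSize

# Count of blocks the engine itself flagged; worth an alert if non-zero.
$flagged = @($events | Where-Object Level -eq 3).Count
Write-Host "Suspicious script blocks (Warning level) in the last 200 events: $flagged"
```

Long script blocks are split across several 4104 events that share a ScriptBlockId, so group on that field when reconstructing what was run. Restrict the transcript directory so that only SYSTEM and administrators can read it, since transcripts can capture secrets typed at the prompt.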

Connect securely with SSH remoting

PowerShell 7 supports remoting over SSH (Secure Shell), which adds public-key authentication and is useful on networks that mix Windows and Linux servers.
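SSH remoting with key authentication, as an added example that is not part of the article. The host name, account and key path are constructed placeholders; the target must run an OpenSSH server with PowerShell registered as an SSH subsystem (the required sshd_config line is shown in the comments, with the paths Microsoft documents for Linux and Windows).

```powershell
# Added example, not from the article. PowerShell 7 remoting over SSH with
# a key pair instead of a password. All names below are placeholders.
#
# Target-side prerequisite (sshd_config), then restart sshd:
#   Linux:   Subsystem powershell /usr/bin/pwsh -sshs -NoLogo
#   Windows: Subsystem powershell c:/progra~1/powershell/7/pwsh.exe -sshs -NoLogo
# Once keys are distributed, set "PasswordAuthentication no" on the target so
# only public-key logins are accepted.

$target  = 'web01.example.internal'      # placeholder host running sshd
$user    = 'ops'                          # placeholder account on the target
$keyFile = "$HOME\.ssh\id_ed25519"        # private key; its public half is in the target's authorized_keys

# One-off command. -HostName/-UserName/-KeyFilePath select the SSH transport;
# the WinRM transport is selected with -ComputerName instead.
Invoke-Command -HostName $target -UserName $user -KeyFilePath $keyFile -ScriptBlock {
    [pscustomobject]@{
        Host         = [System.Net.Dns]::GetHostName()
        OS           = if ($IsWindows) { 'Windows' } elseif ($IsLinux) { 'Linux' } else { 'Other' }
        PSVersion    = $PSVersionTable.PSVersion.ToString()
        LanguageMode = "$($ExecutionContext.SessionState.LanguageMode)"
    }
}

# Persistent session reused for several commands, then torn down.
$session = New-PSSession -HostName $target -UserName $user -KeyFilePath $keyFile
try {
    Invoke-Command -Session $session -ScriptBlock { Get-Date }
    Invoke-Command -Session $session -ScriptBlock { Get-Process | Sort-Object CPU -Descending | Select-Object -First 5 Name, CPU }
}
finally {
    Remove-PSSession $session
}
```

The SSH transport does not go through WinRM, so the port 5985 firewall rules from the remoting section do not apply to it; control SSH remoting through the sshd configuration and TCP port 22 instead, and keep the private key under the same protection you would give any credential.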

Use PowerShell 7 as a standard

Upgrade PowerShell to the latest version; newer versions offer improved security and logging capabilities. On Windows 10, older versions of PowerShell should be disabled and uninstalled. You should also evaluate the risk of continuing to run older Windows operating systems.

If you standardize on Windows 10 or Windows 11 and PowerShell 7, you get AMSI, Constrained Language mode (on its own or enforced through AppLocker and WDAC), deep script block logging, over-the-shoulder transcription logging, module logging, and SSH remoting.
