Cybersecurity Agencies Recommend Using PowerShell to Improve Forensics and Incident Response

Windows PowerShell is a useful and powerful scripting language and configuration management tool that can be used by Windows and system administrators for creating scripts to automate tasks. PowerShell is also extremely useful to cyber threat actors, who often abuse PowerShell after gaining access to victims’ networks. By using PowerShell, they don’t have to download their own toolsets and can hide their malicious activity.

The usefulness of PowerShell to cyber threat actors has prompted some security professionals to consider removing the tool altogether; however, that would be a mistake, according to the National Security Agency (NSA) and the UK and New Zealand cybersecurity agencies, who in a recent advisory have recommended keeping PowerShell and using it to prevent and detect malicious activity on Windows devices.

One of the key benefits of PowerShell is it can be used to improve forensics and incident response and removing the tool entirely would prevent legitimate use of its defensive capabilities.  The removal of PowerShell can also prevent certain components of the Windows operating system from working properly. Instead, proper use of PowerShell, including activating features that are not enabled by default by Microsoft, can help to improve security and reduce the potential for malicious use.

PowerShell was first introduced with Windows Vista and has seen several updates over the years. The latest version, PowerShell 7.2, has had several security measures enhanced including its prevention, detection, and authentication capabilities in response to misuse of the tool by cyber threat actors, and this is the version that should be installed and used, rather than the 5.x versions that were shipped with some Windows 10 editions.

PowerShell remoting enables administrators, cybersecurity analysts, and users to remotely execute commands on Windows hosts, and uses Windows Remote Management (WinRM) along with Kerberos or New Technology LAN Manager (NTLM) as the default authentication protocols, and does not send credentials to remote hosts, avoiding their exposure when executing commands on remote hosts.

If this feature is enabled on private networks, a firewall rule is set up to allow all connections, so it is recommended to only permit connections from trusted endpoints to reduce the potential for PowerShell to be misused, such as for lateral movement. It is also recommended to use SSH for remoteing as it is more secure, and to enable the Deep Script Block Logging, Module Logging, and Over-the-Shoulder logging tools to help detect abuses of PowerShell.

Users should also reduce PowerShell operations and leverage Applocker or Windows Defender Application Control to force PowerShell to operate in Constrained Language Mode (CLM), as this will restrict PowerShell operations to those specifically allowed by administrator-defined policies.

You can read the cybersecurity advisory and guidance here.

Author: NetSec Editor