Windows PowerShell is a powerful scripting language and a command-line executor developed by Microsoft to provide a better interface for system administrators to simplify managing and automating administrative tasks. PowerShell was launched in 2006 and has been a standard feature of the Windows operating system (OS) since Windows 7, enabling system administrators to simplify and automate administrative tasks while following essential security best practices.
PowerShell provides entry to the device's core including Windows application programming interface (APIs), Windows Management Instrumentation (WMI), Component Object Model (COM), and the .NET framework. In addition, it can be run locally or across the network using the Windows Remote Manager (WinRM) feature, enhancing its security features.
The deep access that PowerShell provides to its user is mandatory to fulfill its use cases, but can also be a severe security flaw when leveraged by malicious actors.
In 2016, the Massachusetts Institute of Technology (MIT) released PowerShell 6.0 version as an open-source, to encourage usage in this tool. This move led to a significant increase in the malicious use of PowerShell.
This blog post will cover:
- PowerShell security disadvantages
- How to use PowerShell to elevate the security
- PowerShell security solution
PowerShell Security Disadvantages:
PowerShell is not less secure than other Microsoft Windows scripting environments, but its convenient interface will ease the task of manipulating the OS after the attacker gained access.
PowerShell allows code to be injected from the PowerShell environment memory into other processes without dropping malicious code to disk. It means that the attacker can harm the network without using external files. By doing so, the attacker can bypass many security protections leading this type of attack to be stealthier than other types of attacks. Furthermore, the attacker can use PowerShell to enhance the obfuscation of the attack to increase stealth.
It is important to note that the fact an attacker can use PowerShell is not due to any security vulnerability, rather it is due to its tight integration with the .NET framework.
Using PowerShell to elevate security:
PowerShell's security disadvantages may lead to the desire to rethink using it. But the other side of the equation must be presented before you make this decision. Using PowerShell for administrating your environment also has security benefits for your organization, including enhanced security features and the ability to implement signed scripts for better control:
- Using PowerShell in combination with WinRM for remote access will reduce the need of admins to use Remote Desktop Protocol (RDP) to log in to remote workstations and servers, simplifying the execution of PowerShell scripts and administrative tasks. RDP is a common attack vector and can expose organizations to severe attack techniques, such as Pass-the-Hash.
- A common and GUI friendly framework for administrating an environment will allow better administration. Reducing the complexity of controlling network configurations will lead to a reduction of security risks associated with misconfiguration.
- PowerShell version 7.3 The following are some of the new features, updates, and breaking changes in PowerShell 7.3:
- Tab completion improvements: PowerShell 7.3 includes PSReadline 2.2.6, which enables Predictive IntelliSense by default.
- Improved error handling
- Session and remoting improvements
- Clean block to script block: A new clean block has been added to script block as a peer to begin, process, and end to allow easy resource cleanup.
- Hashtable completion improvement: Improved Hashtable completion in multiple scenarios.
- Type inference support for generic methods with type parameters
- Type inference and completions improvement
PowerShell’s Security Solution:
The best way to approach this issue is not by disabling PowerShell, but by looking to mitigate its known security risks. Security practitioners should stay updated on how attackers can use PowerShell and use the tools available, including Windows Defender Application Control, to prevent and detect malevolent activities.
Securing PowerShell by implementing hardening actions and utilizing Configuration Manager are both parts of a holistic approach to server and workstation security. By modifying and controlling PowerShell configurations, you can protect your organization from the security risks that PowerShell imposes, while still using it as an administrative tool that can elevate your organization's security.