By Keren Pollack, on October 12th, 2020

PowerShell is a built-in scripting language and a command-line executor developed by Microsoft to provide a better interface for system administrators to simplify and automate administrative tasks.

The same power makes PowerShell a useful tool for attackers, particularly for fileless attacks, which are hard to prevent and detect.

PowerShell is known for its extensive activity-logging capabilities. On one hand, these logs can be used to detect and mitigate abuse of the tool; on the other hand, the logs themselves can be leveraged by attackers. The following rule demonstrates exactly this situation.

Basic steps for PowerShell attack prevention

POLICY DESCRIPTION:

When this setting is enabled, Windows generates log entries whenever PowerShell script blocks are invoked.

POTENTIAL VULNERABILITY:

Microsoft’s hardening guidance recommends enabling this value in order to improve the investigation of PowerShell attack incidents. However, enabling it allows any logged-on (interactive) user to read the logged script blocks. This is a security flaw, because the logs can expose passwords and other sensitive information to malicious users who have intruded into the network.

This setting should be used only for debugging purposes, not in normal operations.

COUNTERMEASURES:

Set this value to ‘Disabled’.

POTENTIAL IMPACT:

Logging of PowerShell script blocks will be prevented.

DEFAULT VALUE:

Enabled

CALCOM’S RECOMMENDED VALUE:

Disabled

Note: while CIS recommends setting this rule to Disabled, STIG recommends enabling it.

HOW TO CONFIGURE THE SECURITY EVENT LOG:

Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> set “Turn on PowerShell Script Block Logging” to “Disabled”.
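The Group Policy setting above is backed by a registry value, so an administrator can audit the current state of this rule on a machine, apply the recommended value, and check which principals are allowed to read the log channel that script block events land in. The script below is an added example and is not part of the CalCom article; the registry key and value name (`HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging`, `EnableScriptBlockLogging`) and the `Microsoft-Windows-PowerShell/Operational` channel name come from Microsoft's documentation, not from the article, and the function names are my own.

```powershell
# Added example (not from the CalCom article): audit and set the registry value behind the
# "Turn on PowerShell Script Block Logging" policy, and inspect who can read the log channel.
# Key, value and channel names are taken from Microsoft's documentation; function names are assumed.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$ValueName = 'EnableScriptBlockLogging'

function Get-ScriptBlockLoggingState {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured' based on the policy registry value.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-ScriptBlockLoggingState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    # Creates the policy key if it does not exist and writes 1 (Enabled) or 0 (Disabled).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $dword = if ($State -eq 'Enabled') { 1 } else { 0 }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value $dword -Force | Out-Null
    return Get-ScriptBlockLoggingState
}

function Get-PowerShellLogChannelAccess {
    # Returns the access descriptor (SDDL string) of the channel that script block events are
    # written to, so an administrator can review which principals are granted read access.
    $channel = 'Microsoft-Windows-PowerShell/Operational'
    $lines = wevtutil gl $channel
    $access = $lines | Where-Object { $_ -match '^\s*channelAccess:' }
    return ($access -replace '^\s*channelAccess:\s*', '')
}

# Usage (run in an elevated PowerShell session):
"Script block logging policy: $(Get-ScriptBlockLoggingState)"
"Operational log channel access: $(Get-PowerShellLogChannelAccess)"
# To apply the article's recommended value on a standalone machine:
# Set-ScriptBlockLoggingState -State Disabled
```

On a domain-joined machine the Group Policy path given above is authoritative: a value written directly to the registry is overwritten at the next policy refresh, so use the functions here to verify the effective state and to apply the setting on standalone hosts. The SDDL string returned by `Get-PowerShellLogChannelAccess` is what determines who can read the logged script blocks, which is the exposure the POTENTIAL VULNERABILITY section describes.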