By Keren Pollack, on September 22nd, 2020

PowerShell is a scripting language and command-line shell developed by Microsoft to give system administrators a better interface for simplifying and automating administrative tasks. PowerShell was launched in 2006 and has been a standard feature of the Windows operating system (OS) since Windows 7.

PowerShell provides access to the core of the device, including the Windows application programming interfaces (APIs), Windows Management Instrumentation (WMI), the Component Object Model (COM), and the .NET framework. In addition, it can be run locally or across the network using the Windows Remote Manager (WinRM) feature.

The deep access that PowerShell gives its user is necessary for its intended use cases, but it becomes a severe security weakness when leveraged by malicious actors.

In 2016, the Massachusetts Institute of Technology (MIT) released PowerShell 6.0 as open source to encourage use of the tool. This move led to a significant increase in the malicious use of PowerShell.

PowerShell Security Disadvantages:

PowerShell is not less secure than other Microsoft Windows scripting environments, but its convenient interface makes manipulating the OS easier once an attacker has gained access.

PowerShell allows code to be injected from the memory of the PowerShell process into other processes without dropping malicious code to disk. This means an attacker can harm the network without using external files, bypassing many security protections and making this type of attack stealthier than others. Furthermore, the attacker can use PowerShell to obfuscate the attack and increase its stealth further.

It is important to note that an attacker's ability to use PowerShell in this way is not due to any security vulnerability; rather, it is due to PowerShell's tight integration with the .NET framework.

[Figure: The different stages of a PowerShell attack]

Using PowerShell to elevate security:

PowerShell's security disadvantages may make you want to rethink using it. But the other side of the equation must be presented before you make this decision. Using PowerShell to administer your environment also has security benefits for your organization:

  1. Using PowerShell in combination with WinRM for remote access reduces the need for admins to use the Remote Desktop Protocol (RDP) to log in to remote workstations and servers. RDP is a common attack vector and can expose organizations to severe attack techniques, such as Pass-the-Hash.
  2. A common, GUI-friendly framework for administering an environment allows better administration. Reducing the complexity of controlling network configurations reduces the security risks associated with misconfiguration.
  3. PowerShell version 5.0 has powerful logging options that allow the organization to analyze and detect malicious activity. With this capability, an attacker can be detected far more easily than before.


PowerShell’s Security Solution:

The best way to approach this issue is not to disable PowerShell, but to mitigate its known security risks. Security practitioners should stay up to date on how attackers can use PowerShell and use the available tools to prevent and detect malicious activity.

Securing PowerShell by implementing hardening actions is part of a holistic approach to server and workstation security. By modifying and controlling PowerShell configurations, you can protect your organization from the security risks PowerShell introduces while still using it as an administrative tool that can raise your organization's security.
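
As an added example (not part of the original post), the following script shows one such configuration change together with the logging capability mentioned in item 3 above: it turns on PowerShell 5.0+ Script Block and Module Logging by writing the same registry values Group Policy would set, then queries the resulting events for a constructed watch-list of strings associated with encoded, downloaded or in-memory loaded code. The function names and the watch-list are assumptions; run it as Administrator on the host being hardened.

```powershell
# Added example: enable Script Block/Module Logging and hunt the resulting events.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    # Script Block Logging records the de-obfuscated text of every script block
    # as Event ID 4104, including code that never touches disk.
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    New-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null

    # Module Logging records pipeline execution details (Event ID 4103); '*' covers all modules.
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    New-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -PropertyType String -Force | Out-Null
}

function Find-SuspiciousScriptBlocks {
    param(
        [int]$Hours = 24,
        # Constructed watch-list (an assumption): strings typical of encoded,
        # downloaded or in-memory loaded code. Tune it to your environment.
        [string[]]$Indicators = @('FromBase64String', '-EncodedCommand', 'Invoke-Expression',
                                   'DownloadString', 'Reflection.Assembly', 'VirtualAlloc')
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Property index 2 of a 4104 event holds the logged ScriptBlockText.
            $text = [string]$_.Properties[2].Value
            $hits = $Indicators | Where-Object { $text -match [regex]::Escape($_) }
            if ($hits) {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    Indicators = ($hits -join ', ')
                    Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

Enable-PowerShellLogging
Find-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize
```

A hit is a lead to triage, not a verdict: legitimate administration scripts also decode Base64 or load assemblies, so review the full 4104 text before acting.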


Basic Steps for PowerShell Attack Prevention