
'Embrace PowerShell for better security', say UK, US, NZ cyber authorities

The powerful automation and IT administrative tool has been used by hackers as an attack tool, but proper configuration can take the power out of their hands

National cyber security authorities in the UK, US, and New Zealand have issued guidance to IT administrators on how to use PowerShell to secure their organisations.

The three countries recommend admins “embrace” PowerShell both on-prem and in the cloud via Microsoft Azure to securely manage resources, despite fears that the tool can be used by hackers after initially exploiting a business.


PowerShell is both a scripting language and a command-line tool that ships with Windows as standard. It can help admins run automated commands and apply configurations en masse, as well as assist cyber forensics and improve incident response, the authorities said.

Some admins have considered blocking the use of PowerShell in their IT environments as a consequence of the threat it presents if hackers breach their systems.

The cyber authorities instead recommend securing PowerShell itself so it can be used as a powerful security tool without concern of abuse.

“Blocking PowerShell hinders defensive capabilities that current versions of PowerShell can provide, and prevents components of the Windows operating system from running properly,” the advisory read.

“Recent versions of PowerShell with improved capabilities and options can assist defenders in countering abuse of PowerShell.”

While PowerShell 7.2 is the latest release, version 5.1 is shipped as standard in Windows 10 and newer. The authorities said that with proper configuration, organisations can keep the same scripts, modules, and commands after upgrading to the latest version.

Among the list of recommendations to combat abuse is the proper use of PowerShell remoting to prevent exposing credentials to remote hosts and to protect the organisation’s network.

PowerShell’s antimalware scan interface (AMSI) feature is also recommended for use in conjunction with third-party anti-virus products like Windows Defender and McAfee Total Protection. AMSI can scan scripts and detect if they are malicious in nature before they are executed.

There are also a number of logging features which, used routinely, let admins detect abuse. Deep Script Block Logging (DSBL) records every PowerShell command and can also log hidden malicious PowerShell activity, such as obfuscated code, as it is de-obfuscated and executed.

When DSBL is used in conjunction with module logging and over-the-shoulder transcription, three features that are disabled by default, admins can unearth potential abuses of the PowerShell tool.
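As an added illustration (example code, not from the article or the advisory) of the three features just described, the script below audits whether script block logging, module logging and transcription are switched on via policy, and then lists recent script block events that PowerShell itself has flagged as suspicious. It assumes the standard Group Policy registry locations for these settings and event ID 4104 in the PowerShell Operational log.

```powershell
# Added example, not part of the advisory: report which of the three logging
# features are enabled and show recent suspicious script block events.
# Assumes the standard policy registry paths used by Group Policy.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $path = Join-Path $base $SubKey
    if (Test-Path $path) {
        return (Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    return $null
}

$checks = @(
    [pscustomobject]@{
        Feature = 'Deep Script Block Logging'
        Enabled = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        Hint    = 'Set EnableScriptBlockLogging=1 under ScriptBlockLogging'
    }
    [pscustomobject]@{
        Feature = 'Module Logging'
        Enabled = (Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1 -and
                  (Test-Path (Join-Path $base 'ModuleLogging\ModuleNames'))
        Hint    = 'Set EnableModuleLogging=1 and add "*" under ModuleLogging\ModuleNames'
    }
    [pscustomobject]@{
        Feature = 'Over-the-Shoulder Transcription'
        Enabled = (Get-PolicyValue 'Transcription' 'EnableTranscripting') -eq 1
        Hint    = 'Set EnableTranscripting=1 and point OutputDirectory at a protected share'
    }
)

$checks | Format-Table Feature, Enabled, Hint -AutoSize

# Script block content is written to event ID 4104; blocks PowerShell considers
# suspicious are logged at Warning level, so review those first.
$suspicious = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
    Level   = 3   # Warning
} -MaxEvents 20 -ErrorAction SilentlyContinue

foreach ($e in $suspicious) {
    # Properties[2] holds the script block text; shorten it for display
    $text = $e.Properties[2].Value
    if ($text.Length -gt 120) { $text = $text.Substring(0, 120) + '...' }
    "{0:u}  {1}" -f $e.TimeCreated, $text
}
```

Run it from an elevated prompt; a feature showing `False` is one of the defaults the guidance says to change before relying on PowerShell for detection.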

The full list of recommendations for admins looking to secure and continue to benefit from PowerShell can be found in the security advisory.

The cyber authorities said PowerShell is “essential” to secure Windows properly, and that newer versions of the tool have eliminated shortcomings and limitations of older builds.

“Removing or improperly restricting PowerShell would prevent administrators and defenders from utilising PowerShell to assist with system maintenance, forensics, automation, and security,” said the authorities.

“PowerShell, along with its administrative abilities and security measures, should be managed properly and adopted.”
