PowerShell is Top Attack Vector for Critical Security Threats: Research
PowerShell was the source of more than a third of critical security threats detected by Cisco Secure Endpoint in the second half of 2020.
Dual-use tool exploitation was the top threat category detected by Cisco, followed by ransomware, fileless malware, and credential dumping, with PowerShell a primary vector in those last two categories also.
Ransomware has been in the headlines quite a bit, thanks to the devastating Colonial Pipeline attack, but it’s important for server admins to note that PowerShell is a significantly more common attack vector.
Cisco Secure Endpoint is an endpoint detection and response (EDR) tool, which can monitor endpoints like servers and PCs and respond to security breaches. Cisco recommends a number of protection steps that are, naturally, made easier with Cisco Secure Endpoint, and other EDR tools are also generally effective against PowerShell exploits.
PowerShell security steps
There are a number of steps admins can (and should) take that are completely free, like preventing or restricting PowerShell execution in non-admin accounts, allowing execution of signed scripts only, and using Constrained Language mode.
The Center for Internet Security offers a number of steps admins can take to help secure PowerShell.
Only network admins and other IT pros need access to the Microsoft command-line interface tool, CIS notes, so prevent or restrict its execution and allow execution of signed scripts only. Disable or restrict Windows Remote Management too.
CIS includes a tutorial for managing Script Execution in Group Policy settings.
To Turn on Script Execution in Group Policy settings:
- Click Start Menu > Control Panel > System and Security > Administrative Tools
- Create or Edit Group Policy Objects > Windows PowerShell > Turn on Script Execution
The Turn on Script Execution policy setting offers these options:
- Disabling Turn on Script Execution will mean that scripts do not run and PowerShell is disabled
- If you enable Turn on Script Execution, you can select the execution policy Allow only signed scripts
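As an added example (not part of the article or of CIS's guidance), the following script audits the settings described above on a single host: the Group Policy-driven execution policy (the MachinePolicy scope and the registry values behind it), the session language mode, and the WinRM service state. It assumes an elevated session on the host being checked and that the Group Policy key `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell` with its `EnableScripts` and `ExecutionPolicy` values is where the Turn on Script Execution setting is applied.

```powershell
# Added example (not from the article or CIS): audit the PowerShell hardening
# settings the text describes and report which ones are still weak.
# Run in an elevated PowerShell session on the host being checked.

function Get-PowerShellHardeningReport {
    $findings = @()

    # 1. Execution policy per scope. The Group Policy "Turn on Script Execution"
    #    setting surfaces as the MachinePolicy scope; AllSigned corresponds to
    #    the "Allow only signed scripts" choice.
    $policies = Get-ExecutionPolicy -List
    $machinePolicy = ($policies | Where-Object Scope -eq 'MachinePolicy').ExecutionPolicy
    if ($machinePolicy -ne 'AllSigned') {
        $findings += "MachinePolicy execution policy is '$machinePolicy' (expected AllSigned via GPO)"
    }

    # 2. The registry values behind that Group Policy setting (assumed key/values).
    $gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $gpo = Get-ItemProperty -Path $gpoKey -ErrorAction SilentlyContinue
    if (-not $gpo -or $gpo.EnableScripts -ne 1 -or $gpo.ExecutionPolicy -ne 'AllSigned') {
        $findings += "Group Policy 'Turn on Script Execution' is not set to Allow only signed scripts"
    }

    # 3. Language mode of the current session. Constrained Language mode limits
    #    access to .NET/COM and is normally enforced through an application
    #    control policy rather than set by hand.
    $langMode = $ExecutionContext.SessionState.LanguageMode
    if ($langMode -ne 'ConstrainedLanguage') {
        $findings += "Session language mode is $langMode (Constrained Language not enforced)"
    }

    # 4. Windows Remote Management: disable or restrict it where it is not needed.
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if ($winrm -and $winrm.Status -eq 'Running') {
        $findings += "WinRM service is running (disable or restrict if remoting is not required)"
    }

    return $findings
}

$report = Get-PowerShellHardeningReport
if ($report.Count -eq 0) {
    Write-Output 'All checked PowerShell hardening settings are in place.'
} else {
    $report | ForEach-Object { Write-Output "WEAK: $_" }
}
```

On a host that is not under Group Policy, `Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine` applies the same signed-only policy locally. Treat the execution policy as a guard rail rather than a security boundary (the bypasses the text cites exist precisely because it is not one), and pair it with script block logging and AMSI-based scanning so that policy violations are detected as well as prevented.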
Digital risk management vendor Digital Shadows also offers a number of PowerShell security tips, including using Constrained Language mode, and NetSPI discusses 15 ways that PowerShell execution policies can be bypassed. PowerShell Protect is a downloadable tool that integrates with the Antimalware Scan Interface to audit and block scripts before they execute.