Ongoing PowerShell security threats prompt a call to action

The factors that make Microsoft PowerShell valuable to IT admins, such as remotely administering and diagnosing a PC, also make it useful to attackers. Many attackers, including ransomware threat actors, use PowerShell as a post-exploitation tool.

A joint cybersecurity statement Wednesday from the U.S., New Zealand and the U.K. recommended that organizations properly configure and monitor PowerShell, rather than disable the scripting language and command-line tool for Windows completely. The new report outlined security features in PowerShell to help protect common attack vectors, such as credentials and remote management configurations.

"PowerShell is essential to secure the Windows operating system, especially since newer versions have resolved previous limitations and concerns through updates and enhancements," the government agencies' cybersecurity information sheet read.

PowerShell benefits for admins and security teams include the ability to automate tasks, improve incident response and enable forensics efforts. It's also used for management purposes in Azure, Microsoft's cloud platform. However, authorities said the same extensibility, ease of use and availability that aids defenders also provides an opportunity for malicious actors who abuse PowerShell after gaining access to victim networks.

"This has prompted some net defenders to disable the Windows tool," a U.S. National Security Agency (NSA) spokesperson said in an email to SearchSecurity. "NSA and its partners advise against doing so."

The NSA did not comment on whether there's been a recent increase in PowerShell threats.

PowerShell can be integral for cybercriminals that employ "living off the land" techniques, meaning they use legitimate software and functions for malicious purposes. A January threat report by Trellix, a security vendor focused on extended detection and response, showed that PowerShell accounted for more than 40% of the native OS binaries that threat actors use.

Examples of recent attacks include one uncovered by Trend Micro in May. Researchers found that operators behind AvosLocker ransomware used PowerShell to disable antivirus software. PowerShell was also present in Iranian advanced persistent threat campaigns documented in January by multiple vendors, including Cisco Talos. Talos researchers detailed new activity by an Iranian threat group known as MuddyWater that deployed "malicious PowerShell-based downloaders acting as initial footholds into the target's enterprise."

While Talos has not done an explicit study, Matt Olney, director of Talos threat intelligence, said PowerShell likely accounts for more than one-third of critical threats to Windows networks. And one-third feels low, he added.

"PowerShell is widely used by actors, as it is installed by default on all modern Windows machines," Olney said in an email to SearchSecurity.

During an RSA Conference 2022 session by Talos on preparing defenses, PowerShell logging was among the user action recommendations. The joint cybersecurity report Wednesday also highlighted the importance of logging to detect abuse.

PowerShell abuse was particularly dominant in 2020. A McAfee report published in 2021 determined that PowerShell threats grew 208% between the third and fourth quarter of 2020. In addition, Cisco documented endpoint threats it observed for the second half of 2020; dual-use PowerShell tools had the most threats.

IT pros are advised to use application controls that would help to restrict PowerShell operations unless allowed by the admin. Authorities also advise implementing the antimalware scan interface feature, which was first available with Windows 10.

In addition, the joint cybersecurity group advises the use of multiple authentication methods in PowerShell permit use on non-Windows devices.