The security industry is ablaze with news about how PowerShell is being used by both commodity malware and attackers alike. Surely there’s got to be a way to defend yourself against these attacks!
There absolutely is. PowerShell is – by far – the most securable and security-transparent shell, scripting language, or programming language available.
Our recommendations are:
- Deploy PowerShell v5, built into Windows 10. Alternatively, you can deploy the Windows Management Framework, available down to and including Windows 7 / Windows Server 2008r2.
- Enable, and collect PowerShell logs, optionally including Protected Event Logging. Incorporate these logs into your signatures, hunting, and incident response workflows.
- Implement Just Enough Administration on high-value systems to eliminate or reduce unconstrained administrative access to those systems.
- Deploy Device Guard / Application Control policies to allow pre-approved administrative tasks to use the full capability of the PowerShell language, while limiting interactive and unapproved use to a limited subset of the PowerShell language.
- Deploy Windows 10 to give your antivirus provider full access to all content (including content generated or de-obfuscated at runtime) processed by Windows Scripting Hosts including PowerShell.
For further information about these steps and solutions, please see the much more detailed presentation: “Defending Against PowerShell Attacks“.
You can also download the slide deck used for this video: Defending-Against-PowerShell-Attacks.
For further details about PowerShell’s Security features, please see our post: PowerShell ♥ the Blue Team.
For further details about implementing Just Enough Administration, please see http://aka.ms/jeadocs.
Lee Holmes [MSFT]
Lead Security Architect