Guide | How To How do you secure PowerShell?

The associated guide may contain user-generated or external content.
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
I noticed that many users are interested in securing Windows Home from PowerShell attacks. There are a few ways to do it, using GPO, reg tweaks or SRP.

A. Disabling PowerShell script execution by reg tweak (Windows 7+):
[HKEY_LOCAL_MACHINE \Software\Policies\Microsoft\Windows\PowerShell]
"EnableScripts"=dword:00000000
The above reg tweak can stop known PowerShell bypass (paths omitted for simplicity):
powershell.exe "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'malware.ps1'"
etc.
The user can still run scripts from PowerShell console, for example (paths omitted for simplicity):
Get-Content helloworld.ps1 | PowerShell.exe -noprofile -

B. Restricting PowerShell by reg tweak to Constrained Language mode (PowerShell v.3.0 or later).
Constrained language mode locks down PowerShell to the core elements (no access to: direct .NET scripting, invocation of Win32 APIs via the Add-Type cmdlet, and interaction with COM objects).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"__PSLockDownPolicy"="4"

C. Using Default Deny Software Restriction Policies with Enforcement setting 'All software files' or 'All software files except libraries (such as Dlls)'. Scripts can be run with Administrative Rights when SRP are applied to 'All users except local administrators'.
  1. Adding PowerShell extensions to 'Designated File Types' list.
    This can disable script execution when using Windows Explorer or Internet Explorer, by clicking PowerShell script or choosing 'Run with PowerShell' from the right click context menu.
    The script can still be executed when using commands with sponsors (PowerShell.exe, PowerShell_ise.exe):
    powershell.exe "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'malware.ps1'"
    etc.
  2. Adding Disallowed rule '*.PS1' (or similar rules for other extensions). This can stop all examples of script execution from C.1. - PowerShell console is accessible as standard user. PowerShell still exists in the System.Management.Automation.dll (System.Management.Automation.ni.dll) and can be executed through a memory exploit to run scripts with nonstandard extensions.
  3. Applying Disallowed rules to powershell.exe and powershell_ise.exe . This can stop all examples of script execution from C.1. - PowerShell console is not accessible as standard user. PowerShell still exists in the System.Management.Automation.dll (System.Management.Automation.ni.dll) and can be executed through a memory exploit.
  4. When SRP Default Security Level: 'Disallowed' or 'Basic User' is applied and the enforcement is set to apply to ‘All users except local administrators’, then PowerShell (as standard user) is set to Constrained Language Mode (in Windows 7+ with installed PowerShell 5+). This can stop many malware scripts and exploit tools. In Windows 7, one should have .NET Framework 4.5.2 installed, and then install WMF 5.1: Install and configure WMF 5.1 . Whitelisted locations in SRP, do not change Constrained Language Mode setting. When PowerShell is run as administrator the Language mode is set to FullLanguage.
.
Post edited to add System.Management.Automation.ni.dll .
There is a way to bypass __PSLockDownPolicy, but this can be prevented when using it with Disabling PowerShell script execution reg tweak.
 
Last edited:
  • Like
  • Thanks
Reactions: oldschool, Parsh, KonradPL and 22 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
In Windows XP and Vista, only PowerShell 1 and 2 can be installed.
In Windows 7+, PowerShell 2.0 is the built-in system component, and can be updated to version 5.1.
In Windows 8, PowerShell 3.0 is the built-in system component, and cannot be updated to version 5.0.
In Windows 8.1, PowerShell 4.0 is the built-in system component.
In Windows 10, PowerShell 5.0+ is the built-in system component.
.
Post edited.
 
Last edited:
  • Like
Reactions: KonradPL, Prorootect, shmu26 and 6 others
askmark

askmark

Level 12
Verified
Top Poster
Well-known
Aug 31, 2016
578
brod56 said:
Thanks for the guide.
Voodoshield auto blocks Powershell activity (even from the user!) so no need to tweak the registry for me :)
Click to expand...
Voodooshield protects all of Windows' vulnerable processes, even those that have yet to be exploited :)

@Andy Ful
Thanks for the guide. Always handy to know how to do these tweaks manually when you don't have third party software to back you up :)
 
  • Like
Reactions: Prorootect, Marko :), _CyberGhosT_ and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
brod56 said:
Thanks for the guide.
Voodoshield auto blocks Powershell activity (even from the user!) so no need to tweak the registry for me :)
Click to expand...
Yes, Voodooshield works quite well with vulnerable powershell.:)
It blocked even the bypass trick:
powershell.exe "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\z\Helloworld.ps1'"

But, it is not ideal - it did not block:
powersh.exe "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\z\Helloworld.ps1'"

where 'powersh.exe' is 'powershell.exe' with changed name.:( I also noticed serious loopholes in Windows Script Host security in Autopilot mode (but this is not the right place to discuss it, and they are not present in other modes).

I can say that VoodooShield script blocking is still better, than in many antivirus programs.:)
The mentioned loopholes are not common in malware attacks. The Autopilot mode is OK for home users.
 
Last edited:
  • Like
Reactions: Parsh, oldschool, Prorootect and 8 others
5

509322

1. Block *.ps1 and other script types by default in User Space
2. Run powershell.exe with restricted privileges
3. Scripts will inherit restricted privileges from restricted interpreters - even in System Space
4. Block the loading of *.dlls from User Space
5. Block the launch of *.exe from User Space
6. Disable macros
7. Whitelist only scripts that have been audited
8. If you want to get crazy you can audit scripts, sign them, and play with powershell language modes, and set restrictive policies

PowerShell can be run from a *.dll or *.exe, even if powershell.exe and powershell_ise.exe are disabled.

PowerShell can be launched via macros\scripts.

PowerShell should not be shipped with\enabled by default on Home versions of Windows - that's just my personal opinion.
 
  • Like
Reactions: Parsh, Prorootect, Winter Soldier and 4 others
_CyberGhosT_

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
brod56 said:
Thanks for the guide.
Voodoshield auto blocks Powershell activity (even from the user!) so no need to tweak the registry for me :)
Click to expand...
Very good, and I take that one step further, just to be sure, here take a peek :)
Pshell_SS.png

That's from my "Disallowed list" from Lasso.
It's blocked from internet access as well, just in case it does start ;)
No registery tweaks here either :)
 
  • Like
Reactions: oldschool, Prorootect, scot and 9 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
Lockdown said:
To rename powershell.exe to powersh.exe, did you have to take ownership from Trusted Installer on the version of Windows that used to test ?
Click to expand...
I simply copied the original file to another location and renamed it. The PowerShell sits in the System.Management.Automation.dll , so custom made executable can run PowerShell . Default Deny SRP can stop such custom made executables, but only 'Constrained Language' or 'No Language' mode can stop memory exploits from using System.Management.Automation.dll to run advanced PowerShell scripts.
 
  • Like
Reactions: shmu26
5

509322

Andy Ful said:
I simply copied the original file to another location and renamed it. The PowerShell sits in the System.Management.Automation.dll , so custom made executable can run PowerShell . Default Deny SRP can stop such custom made executables, but only 'Constrained Language' or 'No Language' mode can stop memory exploits from using System.Management.Automation.dll to run advanced PowerShell scripts.
Click to expand...

I don't think Constrained language mode is all that restrictive. I wouldn't rely upon it - at least not all by itself.

A lot of people don't understand that a lot of PowerShell shenanigans are post-exploit = no exploit = no worries.
 
  • Like
Reactions: _CyberGhosT_ and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
_CyberGhosT_ said:
Very good, and I take that one step further, just to be sure, here take a peek :)
View attachment 148148
That's from my "Disallowed list" from Lasso.
It's blocked from internet access as well, just in case it does start ;)
No registery tweaks here either :)
Click to expand...

I am afraid that, this cannot stop the trick:
powersh.exe "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\z\Helloworld.ps1'"

Process Lasso, Sandboxie, NVT ExeRadar Pro, etc. can monitor executables: powershell.exe and powershell_ise.exe. NVT ExeRadar Pro can also monitor executable by hash, so it can stop the above trick if powersh.exe has the same hash as powershell.exe. But mostly, they cannot stop custom made executable with an unknown name.
 
  • Like
Reactions: Prorootect, scot, _CyberGhosT_ and 2 others
5

509322

Andy Ful said:
But mostly, they cannot stop custom made executable with an unknown name.
Click to expand...

Malware can copy-paste legitimate files from System to User Space. Plus, malc0der can simply provide a copy of legitimate Windows process with their malware.

That is why it is best to just block everything from User Space that is not explicitly allowed.
 
  • Like
Reactions: Prorootect and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
Lockdown said:
I don't think Constrained language mode is all that restrictive. I wouldn't rely upon it - at least not all by itself.

A lot of people don't understand that a lot of PowerShell shenanigans are post-exploit = no exploit = no worries.
Click to expand...
Constrained language mode locks down PowerShell to the core elements (no access to: direct .NET scripting, invocation of Win32 APIs via the Add-Type cmdlet, and interaction with COM objects). This stops most exploits and exploit kits.
PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection » Active Directory Security

The 'No Language' is the most restrictive, but I do not know how to implement it without WinRM service.
 
  • Like
Reactions: oldschool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
Lockdown said:
Malware can copy-paste legitimate files from System to User Space. Plus, malc0der can simply provide a copy of legitimate Windows process with their malware.

That is why it is best to just block everything from User Space that is not explicitly allowed.
Click to expand...

Yes, that is why we both like SRP.:)
 
  • Like
Reactions: oldschool
5

509322

Andy Ful said:
Constrained language mode locks down PowerShell to the core elements (no access to: direct .NET scripting, invocation of Win32 APIs via the Add-Type cmdlet, and interaction with COM objects). This stops most exploits and exploit kits.
The 'No Language' is the most restrictive, but I do not know how to implement it without WinRM service.
Click to expand...

Yes, but *.ps1 files can still execute that can do malicious things.

Yes, PowerShell documentation suxx !
 
  • Like
Reactions: Prorootect and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
The 'Constrained Language' mode is quite effective now, but who knows what will be tomorrow?o_O
 
  • Like
Reactions: oldschool and frogboy
tonibalas

tonibalas

Level 40
Verified
Honorary Member
Top Poster
Well-known
Sep 26, 2014
2,973
When i open my PowerShell with my standard account ( SUA ) i get this
Untitled.png
When i try to open PowerShell modules with my admin password i get this
Untitled.png
Can you tell if my PowerShell is secured?
 
  • Like
Reactions: Andy Ful and frogboy

Similar threads

S
Question How secure is KTS on DEFAULT settings?
Replies
8
Views
390
Kaspersky
Trident
Trident
Guilhermesene
    • Like
    • Applause
Hot Take [Tutorial] Update Kaspersky when starting the system automatically
Replies
9
Views
722
Kaspersky
Jonny Quest
Jonny Quest
Trooper
    • Like
    • +Reputation
NSA shares tips on securing Windows devices with PowerShell
Replies
0
Views
1,172
News Archive
Trooper
Trooper

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top