NSA shares tips on securing Windows devices with PowerShell

Trooper

Trooper

Level 17
Thread author
Verified
Top Poster
Well-known
Aug 28, 2015
801
Content source
https://www.bleepingcomputer.com/news/security/nsa-shares-tips-on-securing-windows-devices-with-powershell/
The National Security Agency (NSA) and cybersecurity partner agencies issued an advisory today recommending system administrators to use PowerShell to prevent and detect malicious activity on Windows machines.

PowerShell is frequently used in cyberattacks, leveraged mostly in the post-exploitation stage, but the security capabilities embedded in Microsoft’s automation and configuration tool can also benefit defenders in their forensics efforts, improve incident response, and to automate repetitive tasks.

The NSA and cyber security centres in the U.S. (CISA), New Zealand (NZ NCSC), and the U.K. (NCSC-UK) have created a set of recommendations for using PowerShell to mitigate cyber threats instead of removing or disabling it, which would lower defensive capabilities.
Click to expand...

Lower risk for abuse​

Reducing the risk of threat actors abusing PowerShell requires leveraging capabilities in the framework such as PowerShell remoting, which does not expose plain-text credentials when executing commands remotely on Windows hosts.

Administrators should be aware that enabling this feature on private networks automatically adds a new rule in Windows Firewall that permits all connections.

Customizing Windows Firewall to allow connections only from trusted endpoints and networks helps reduce an attacker’s chance for successful lateral movement.

For remote connections, the agencies advise using the Secure Shell protocol (SSH), supported in PowerShell 7, to add the convenience and security of public-key authentication:

  • remote connections don’t need HTTPS with SSL certificates
  • no need for Trusted Hosts, as required when remoting over WinRM outside a domain
  • secure remote management over SSH without a password for all commands and connections
  • PowerShell remoting between Windows and Linux hosts
Another recommendation is to reduce PowerShell operations with the help of AppLocker or Windows Defender Application Control (WDAC) to set the tool to function in Constrained Language Mode (CLM), thus denying operations outside the policies defined by the administrator.
Click to expand...
 
  • Like
  • +Reputation
Reactions: simmerskool, Mercenary, silversurfer and 9 others
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • +Reputation
    • Like
    • Thanks
Malware News Ransomware gang targets IT workers with new SharpRhino malware
Replies
0
Views
2,233
Security News
Gandalf_The_Grey
Gandalf_The_Grey
[correlate]
    • +Reputation
    • Applause
    • Hundred Points
U.S. Agencies and Allies Partner to Identify Russian Snake Malware Infrastructure Worldwide
Replies
1
Views
1,373
News Archive
LASER_oneXM
LASER_oneXM
Gandalf_The_Grey
    • Like
    • Hundred Points
Malware News Malware September 2024: Formbook on Windows devices
Replies
0
Views
796
Security News
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top