PowerShell Task Automation Platform, which is often abused by threat actors distributing malware (opens in new tab), can also be used for attack detection and prevention. This is the advice the US National Security Agency (NSA) recently gave to system administrators everywhere.
Together with cybersecurity centers in the UK and New Zealand, the NSA has published a security advisory in which it argues that blocking PowerShell, a common security practice, actually reduces organizations’ defensive capabilities against ransomware. (opens in new tab) and other forms of cyber attacks.
Instead, system administrators should use it to increase their forensic and incident response, as well as to automate as many repetitive tasks as possible.
“Locking PowerShell hampers the defensive capabilities that current versions of PowerShell can provide and prevents Windows OS components from running properly. Recent versions of PowerShell with improved features and options can help advocates fight PowerShell abuse,” the NSA said.
The advisory comes with several recommendations, including leveraging PowerShell remoting or using the Secure Shell (SSH) protocol to improve the security of public key authentication.
“Properly configuring WDAC or AppLocker on Windows 10+ helps prevent a malicious actor from gaining full control over a PowerShell session and the host,” the document explains.
System administrators can also look for signs of abuse on their endpoints (opens in new tab) recording PowerShell activity and monitoring logs.
The advisory also recommends that administrators enable features such as Deep Script Block Logging, Module Logging, or Over-The-Shoulder Transcription, as the former create a log database, useful for detecting aggressive PowerShell activity.
The latter allows administrators to log all PowerShell inputs and outputs, gaining a better understanding of attackers’ goals.
“PowerShell is essential for securing the Windows operating system,” the NSA concluded, adding that, with proper configuration and management, it can be a great tool for system maintenance and security.