Cyber Security Information Sheet: Keeping PowerShell - security measures to use and embrace
This information sheet was produced jointly by New Zealand’s National Cyber Security Centre, the United States of America’s Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), and the United Kingdom’s National Cyber Security Centre (NCSC-UK).
This sheet recommends proper configuration and monitoring of PowerShell, as opposed to removing or disabling PowerShell entirely. Following this recommendation will help defenders detect and prevent abuse by malicious cyber actors, while enabling legitimate use by administrators and defenders.
PowerShell methods to reduce abuse
Built-in Windows security features available in PowerShell can reduce abuse by cyber actors. The cyber security authorities recommend using these capabilities where feasible:
- Credential protection during PowerShell remoting
- Network protection of PowerShell remoting
- Anti-malware Scan Interface (AMSI) integration
- Constrained PowerShell with Application Control
PowerShell methods to detect abuse
Logging of PowerShell activities can record when cyber threats leverage PowerShell, and continuous monitoring of PowerShell logs can detect and alert on potential abuses. The authors recommend enabling these capabilities where feasible:
- Deep Script Block Logging (DSBL) and module logging
- Over-the-Shoulder (OTS) transcription
The full information sheet provides further details on these capabilities and methods, as well as describing PowerShell procedures to provide authentication and providing a PowerShell feature compatibility table for versions of Windows and Linux.