Intel Insights: How to Secure PowerShell
The MS-ISAC observes specific malware variants consistently reaching the Top 10 Malware list. These specific malware variants have traits allowing them to be highly effective against State, Local, Tribal, and Territorial (SLTT) government networks, consistently infecting more systems than other types of malware. An examination of the characteristics of these malware variants revealed that the variants often abuse legitimate tools or parts of applications on a system or network. One such legitimate tool is PowerShell.
Understanding the Threat Surface
PowerShell is a task-based command-line shell and scripting language built on .NET that also serves as Microsoft's configuration management framework. It allows administrators to automate tasks that manage operating systems and processes. Cyber threat actors (CTAs) often leverage PowerShell once they gain access to a system. CTAs use PowerShell because it is a legitimate administrative tool that gives them a command line, access to stored data, and access to both local and remote systems across the network. Because the commands run through a trusted, signed Microsoft binary, malicious activity looks as if it were put in place by the system administrator, which helps it evade security scans. For example, Kovter, a fileless click fraud malware, hides its malicious modules entirely in the registry. When the infected system restarts, these modules are loaded and injected into the PowerShell process, and the click fraud process begins.
In most cases, standard users do not require PowerShell to perform their everyday functions. Only network administrators and IT professionals that need PowerShell for legitimate work tasks should have access. Giving standard users access to PowerShell creates unnecessary risk for your organization.
If PowerShell is not needed, prevent its execution on systems, after performing appropriate testing to assess the impact on the environment. This is not always possible, since PowerShell is a legitimate tool with administrative functions that other software may depend on. In those cases, limit the ability to run PowerShell to administrators and configure the execution policy so that only signed scripts run. Treat the execution policy as a guard against accidental execution of untrusted scripts, not as a security boundary: depending on the environment's configuration it can be bypassed (for example, the -ExecutionPolicy Bypass command-line switch overrides the configured policy for that process), so pair it with an application control mechanism such as AppLocker or Windows Defender Application Control where possible. Lastly, to prevent the use of PowerShell for remote execution, disable, or at the very least restrict, the Windows Remote Management (WinRM) service, which PowerShell remoting depends on.
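The restriction steps above, as an added example that is not part of the MS-ISAC advisory, in the form of a script run in an elevated Windows PowerShell session on a single host. The script path, the code-signing certificate subject, and the timestamp server URL are assumptions for illustration; substitute your own.

```powershell
# Added example (not from the advisory): harden script execution and remoting on one host.
# Assumes an elevated Windows PowerShell 5.1 session.
#Requires -RunAsAdministrator

# 1. Show the execution policy in every scope. Scopes are listed in precedence order:
#    the first scope that is not Undefined (MachinePolicy, UserPolicy, Process,
#    CurrentUser, LocalMachine) is the effective policy.
Get-ExecutionPolicy -List

# 2. Require signed scripts for every user on this machine. MachinePolicy and UserPolicy
#    can only be set through Group Policy; LocalMachine is the strongest scope an
#    administrator can set locally, and it is overridden by Group Policy when present.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 3. Sign an administrative script so that it still runs under AllSigned.
#    The certificate subject and script path are assumptions for this example.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -like 'CN=IT Script Signing*' } |
        Select-Object -First 1
if (-not $cert) {
    throw 'No code-signing certificate found; obtain one from your enterprise CA before enabling AllSigned.'
}
$script = 'C:\Scripts\Maintenance.ps1'
Set-AuthenticodeSignature -FilePath $script -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'

# 4. Verify the signature. Status must be Valid; NotSigned, HashMismatch, or UnknownError
#    means the script was modified after signing or was never signed and must not run.
$sig = Get-AuthenticodeSignature -FilePath $script
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature on $script is $($sig.Status); do not deploy this script."
}

# 5. Disable PowerShell remoting, then stop and disable the WinRM service so the host
#    cannot be driven remotely through PowerShell. Disable-PSRemoting only removes the
#    session configurations; the service itself must be stopped and disabled separately.
Disable-PSRemoting -Force
Stop-Service -Name WinRM
Set-Service -Name WinRM -StartupType Disabled
Get-Service -Name WinRM | Select-Object Name, Status, StartType
```

Run the script in a test environment first: once WinRM is disabled, any management tooling that relies on PowerShell remoting (including Invoke-Command and Enter-PSSession from other hosts) will stop working against this machine.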
To Secure PowerShell
You can use the Turn on Script Execution Group Policy setting to manage the execution policy of computers in your organization. The Group Policy setting overrides the execution policies set in PowerShell in all other scopes, because it populates the MachinePolicy and UserPolicy scopes, which are evaluated first. Policies set in the Computer Configuration node take precedence over policies set in the User Configuration node. For more information, see Microsoft's documentation on execution policies (about_Execution_Policies).
To Turn on Script Execution in Group Policy settings
- Click Start Menu > Control Panel > System and Security > Administrative Tools, then open Create or Edit Group Policy Objects (for a domain GPO use the Group Policy Management Console, gpmc.msc; for the local policy of a single machine use gpedit.msc).
- Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on Script Execution.
The Turn on Script Execution policy settings are as follows:
- If you disable Turn on Script Execution, no scripts run (equivalent to the Restricted execution policy). PowerShell itself is not disabled: commands typed interactively at the prompt still execute, so this setting alone does not stop an attacker who already has an interactive session.
- If you enable Turn on Script Execution, you choose one of three execution policies. Select Allow only signed scripts (AllSigned) so that only scripts carrying a trusted digital signature run. The other options, Allow local scripts and remote signed scripts (RemoteSigned) and Allow all scripts (Unrestricted), are weaker and are not recommended.
The PowerShellExecutionPolicy.adm and PowerShellExecutionPolicy.admx files add the Turn on Script Execution policy to the Computer Configuration and User Configuration nodes in Group Policy Editor in the following paths:
- For Windows XP and Windows Server 2003: Administrative Templates\Windows Components\Windows PowerShell
- For Windows Vista and later versions of Windows, when the .adm file is used: Administrative Templates\Classic Administrative Templates\Windows Components\Windows PowerShell
- On versions of Windows that use the .admx template natively, the policy appears directly under Administrative Templates\Windows Components\Windows PowerShell.
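An added audit script, not part of the advisory, that checks whether the Turn on Script Execution policy has actually reached a host. The policy writes the EnableScripts (DWORD) and ExecutionPolicy (string) values under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell; the script reads them, reports the MachinePolicy scope and the effective policy, and, for a test lab only, can write the same values locally so the impact can be assessed before the GPO is deployed. The $ApplyLocally switch and the function name are inventions for this example.

```powershell
# Added example (not from the advisory): verify the "Turn on Script Execution" GPO on a host.
# Run in Windows PowerShell; reading the policy key needs no elevation, writing it does.
param(
    # Lab use only: write the same registry values the GPO would, to test impact.
    [switch]$ApplyLocally
)

# Registry location the Computer Configuration policy populates.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-ScriptExecutionPolicyState {
    # Returns one object describing the configured policy and what is actually in effect.
    $state = 'Not configured'
    if (Test-Path -Path $policyKey) {
        $p = Get-ItemProperty -Path $policyKey
        $state = switch ($p.EnableScripts) {
            0       { 'Disabled (no scripts run)' }
            1       { "Enabled ($($p.ExecutionPolicy))" }   # AllSigned, RemoteSigned or Unrestricted
            default { 'Not configured' }
        }
    }
    [pscustomobject]@{
        PolicyKeyPresent = (Test-Path -Path $policyKey)
        ConfiguredState  = $state
        MachinePolicy    = (Get-ExecutionPolicy -Scope MachinePolicy)   # Undefined if no GPO applies
        Effective        = (Get-ExecutionPolicy)
    }
}

if ($ApplyLocally) {
    # Equivalent of Enabled + "Allow only signed scripts". Group Policy will overwrite
    # these values on the next refresh, so this is only for impact testing on a lab host.
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name EnableScripts   -Value 1           -Type DWord
    Set-ItemProperty -Path $policyKey -Name ExecutionPolicy -Value 'AllSigned' -Type String
}

$result = Get-ScriptExecutionPolicyState
$result | Format-List

# The advisory's target states are AllSigned (enabled, signed only) or Restricted (disabled).
if ($result.Effective -notin @('AllSigned', 'Restricted')) {
    Write-Warning ("Effective execution policy is {0}. Run 'gpupdate /force' and re-check; " +
                   "if it does not change, the GPO is not linked to this computer or is " +
                   "being overridden by a User Configuration setting.") -f $result.Effective
}
```

Because MachinePolicy is the first scope evaluated, a host on which the GPO has applied will show the same value in both MachinePolicy and Effective; if MachinePolicy reads Undefined while the registry key is present, the key was written locally (for example by the lab switch above) but Group Policy has not yet processed it.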
The MS-ISAC is the focal point for cyber threat prevention, protection, response, and recovery for the nation’s state, local, tribal, and territorial (SLTT) governments. More information about this topic, as well as 24x7 cybersecurity assistance is available at 866-787-4722, SOC@cisecurity.org. The MS-ISAC is interested in your comments - an anonymous feedback survey is available.