The cybersecurity authorities from the U.S., New Zealand, and the United Kingdom have released a joint Cybersecurity Information Sheet (CIS) on PowerShell. The CIS provides recommendations for proper configuration and monitoring of PowerShell, as opposed to removing or disabling it entirely due to its use by malicious actors after gaining access into victim networks.
According to the National Security Agency, “PowerShell is a scripting language and command line tool included with Microsoft Windows that provides many features, including the ability to automate tasks, improve incident response and enable forensics efforts. However, the same extensibility, ease of use, and availability that aids net defenders also provides an opportunity for malicious cyber actors, who have often abused PowerShell after gaining access to victim networks.” The listed recommendations will help defenders detect and prevent abuse by malicious cyber actors, while enabling legitimate use by administrators and other personnel. Some recommendations include, but are not limited to, credential protection during PowerShell remoting, integrating antimalware scanning applications, and Deep Script Block Logging (DSBL) and module logging. Read the full CIS at CISA.