Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
AppDefects
Community Champion
‎01-28-2020 11:23 PM
‎01-28-2020 11:23 PM

PowerShell (In)Security

Does your organization allow users to run PowerShell on Microsoft Windows? 

 

  1. Yes
  2. No
  3. Are you kidding? We use Mac's!

Why do I ask? State Actors use the scripting language heavily in cyberattacks. One example is with the Petya/NotPetya campaigns. The problem is that PowerShell has native integration with .NET Framework which offers:

 

  • Simple access to network sockets
  • Easy access to crypto libraries
  • Ability to hook managed code
  • Ability to assemble malicious binaries dynamically in memory
  • Direct access to the Win32 Application Programming Interface
  • Simple interface with Windows Management Instrumentation
  • Dynamic, runtime method calls

The most effective way (according to Microsoft) to block PowerShell is to block the System.Management.Automation.dll, which is the library that PowerShell heavily relies on. For more on the risks check out an article here and a video here.

Labels
Reply
1 Reply
jmarshall1956
Newcomer I
‎01-30-2020 03:47 PM
‎01-30-2020 03:47 PM

Is it a problem if the User does not have Admin level privilege on the machine?

 

It seems with most everything MS moving to PowerShell it is viable to block it? We do not specifically block it anywhere that I am aware of.

Jim M
Reply
0 Kudos