The security industry is ablaze with news about how PowerShell is being used by both commodity malware and attackers alike. Surely there’s got to be a way to defend yourself against these attacks!
There absolutely is. PowerShell is – by far – the most securable and security-transparent shell, scripting language, or programming language available.
Our recommendations are:
- Deploy PowerShell v5, built into Windows 10. Alternatively, you can deploy the Windows Management Framework, available down to and including Windows 7 / Windows Server 2008r2.
- Enable, and collect PowerShell logs, optionally including Protected Event Logging. Incorporate these logs into your signatures, hunting, and incident response workflows.
- Implement Just Enough Administration on high-value systems to eliminate or reduce unconstrained administrative access to those systems.
- Deploy Device Guard / Application Control policies to allow pre-approved administrative tasks to use the full capability of the PowerShell language, while limiting interactive and unapproved use to a limited subset of the PowerShell language.
- Deploy Windows 10 to give your antivirus provider full access to all content (including content generated or de-obfuscated at runtime) processed by Windows Scripting Hosts including PowerShell.
For further information about these steps and solutions, please see the much more detailed presentation: “Defending Against PowerShell Attacks“.
You can also download the slide deck used for this video: Defending-Against-PowerShell-Attacks.
For further details about PowerShell’s Security features, please see our post: PowerShell ♥ the Blue Team.
For further details about implementing Just Enough Administration, please see http://aka.ms/jeadocs.
Lee Holmes [MSFT]
Lead Security Architect
Azure Management
Unfortunately most of these tools only work on Win 10 Enterprise.
A large number of small and medium businesses (SMB) and one to five PC’s owners cannot afford Enterprise for every PC.
And because of a lack of IT help or limited IT cannot or will not implement any of these security tools.
And these users are the most vulnerable.
They do not have an Active Directory (AD) or a full network setup. Mostly standalone PC’s and laptops.
As Jeffrey Snover says over and over again, make everything friction-less if you want something to succeed.
Hi.
The people whom you mentioned are at equal (no less, no more) risk as that of an ordinary executable file. (The traditional form of malware.) If anything, they are at less risk because circumventing machine-wide execution policy is just another step that the malicious person must take.
For them, the solution is very simple: Don’t download alien code from untrustworthy sources and do not lower the User Account Control settings.
Still, it wouldn’t be bad if Microsoft implemented a mean of disabling per-session execution policies. It is a cheap way to ease people who numbed by fear after reading a poor article written by a noisy journalist.
==>
As Jeffrey Snover says over and over again, make everything friction-less if you want something to succeed.
<==
that is what got us into GUI's
that is what has overloaded the IT space with wannabes
that is what has allowed the third parties to proliferate in teaching IT bad practice
A bit of friction is what is needed to make people think.
Nice one!
More information can be found here:
https://blogs.msdn.microsoft.com/daviddasneves/2017/05/25/powershell-security-at-enterprise-customers/
which contains even more links for more detailed information.
David
For a link list of related articles, papers, and videos see here: http://aka.ms/pssec The linked MVA videos for PSv5 include demos by Lee Holmes and Ryan Puffer regarding the topics above. The full link of the short link is: https://blogs.technet.microsoft.com/ashleymcglone/2016/06/29/whos-afraid-of-powershell-security/