Defending Against PowerShell Attacks

The security industry is ablaze with news about how PowerShell is being used by both commodity malware and attackers alike. Surely there’s got to be a way to defend yourself against these attacks!

There absolutely is. PowerShell is – by far – the most securable and security-transparent shell, scripting language, or programming language available.

Our recommendations are:

  1. Deploy PowerShell v5, built into Windows 10. Alternatively, you can deploy the Windows Management Framework, available down to and including Windows 7 / Windows Server 2008r2.
  2. Enable, and collect PowerShell logs, optionally including Protected Event Logging. Incorporate these logs into your signatures, hunting, and incident response workflows.
  3. Implement Just Enough Administration on high-value systems to eliminate or reduce unconstrained administrative access to those systems.
  4. Deploy Device Guard / Application Control policies to allow pre-approved administrative tasks to use the full capability of the PowerShell language, while limiting interactive and unapproved use to a limited subset of the PowerShell language.
  5. Deploy Windows 10 to give your antivirus provider full access to all content (including content generated or de-obfuscated at runtime) processed by Windows Scripting Hosts including PowerShell.

For further information about these steps and solutions, please see the much more detailed presentation: “Defending Against PowerShell Attacks“.

You can also download the slide deck used for this video: Defending-Against-PowerShell-Attacks.

For further details about PowerShell’s Security features, please see our post: PowerShell ♥ the Blue Team.
For further details about implementing Just Enough Administration, please see http://aka.ms/jeadocs.

 

Lee Holmes [MSFT]
Lead Security Architect
Azure Management