• United States



Contributing Writer

How to keep attackers from using PowerShell against you

Jul 06, 20225 mins
Network SecurityWindows Security

New guidance shows how to harden PowerShell and make it more difficult for threat actors to hijack for malicious purposes.

network security / network traffic scanning
Credit: HYWARDS / Getty Images

Living off the land is not the title of a gardening book. It’s the goal of attackers going after your network. Rather than installing malicious software on your network that antivirus software might flag, attackers use the code already there to launch attacks. The tools that you use to monitor, maintain and access your network are often the same code that attackers use to attack your network. PowerShell is a prime example.

The U.S. National Security Agency (NSA), U.S. Cybersecurity and Infrastructure Security Agency (CISA), New Zealand’s NCSC, and the UK NCSC recently released a document called Keeping PowerShell: Security Measures to Use and Embrace. This guidance recommends keeping PowerShell in your network rather than blocking but offers the following advice to keep it secure.

Use PowerShell remoting only where needed

First, decide where you want to use PowerShell remoting and where you don’t want it to be functional. Too many companies do not take the time to use the technology they have to control communication. The Windows firewall can be set with Group Policy or Intune to block PowerShell remoting.

First review what access rights you have set by using the following command: Get-PSSessionConfiguration | Format-Table -Property Name, Permission

You can disable PowerShell remoting by using the following command: Disable-PSRemoting -Force

If you enable PowerShell remoting through Enable-PSRemoting, it automatically opens port 5895 in Windows Firewall. To disable the firewall exceptions, use the Windows Firewall with Advanced Security MMC snap-in (type “firewall” in the Start menu) and search for “Windows Remote Management (HTTP-In) rules”. There is one rule for the network profile domain (private) and one for public. Select “Inbound Rules”, then right-click on each rule and select “Disable”. You may also wish to set this rule to ensure that attackers can’t silently enable it. You can also enable “Firewall auditing” so that you are alerted when a firewall rule changes from the values you have set.  

Use antivirus software with Antimalware Scan Interface

Review what antivirus you are using and if your antivirus is using the Windows Antimalware Scan Interface (AMSI) integration. This supports scanning of in-memory and dynamic file contents and is supported by AMSI-aware antivirus products such as Windows Defender, McAfee and Symantec. I recommend investigating if you can justify the licensing of Defender for Endpoint. This enhanced endpoint security platform allows you to prevent, detect, investigate and respond to advanced threats.

Use AppLocker or WDAC

Review if you can license and deploy AppLocker or Windows Defender Application Control (WDAC) to better protect you. Enabling AppLocker script enforcement blocks PowerShell commands in a script but still allows the commands interactively into the PowerShell command console. It’s recommended to configure AppLocker or WDAC to block actions on a Windows host. This causes PowerShell to operate in a Constrained Language mode.

To determine what language mode PowerShell is using, enter the following command: $ExecutionContext.SessionState.LanguageMode

If it’s set for full language, you can decide to enable constrained delegation instead. Enter the following command:

$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

This stays in effect only for the current session. To maintain ConstrainedLanguage, use something like Device Guard User Mode Code Integrity to maintain the session settings.

Enable logging for PowerShell

Logging not in both the operating system and for PowerShell helps ensure that you can review your systems for malicious activity. Enable logging and deep scriptblock logging, module logging, and over-the-shoulder transcription. The relevant Group Policy object (GPO) setting is called “Turn on PowerShell Script Block Logging”. To find it, make these selections in order:

  1. “Policies”
  2. “Administrative Templates”
  3. “Windows Components”
  4. “Windows PowerShell”

The logging takes place in the application log, which you find with this selection process:

  1. “Microsoft”
  2. “Windows”
  3. “PowerShell”
  4. “Operational”

The commands are recorded under event ID 4104. If you also record start and stop events, these will appear under the IDs 4105 and 4106. Even if you have Windows 7 machines, you can install PowerShell 5, which enables the additional logging.

Secure remote connections

Most networks have mixtures of Windows and other platforms. Having secure remote connections helps to ensure that you keep secure between both Windows and Linux servers. PowerShell 7 allows remote connections over SSH (Secure Shell), which allows for public key authentication. To enable OpenSSH on Windows systems, run the following commands from an elevated console session:

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~

To enable the SSH server service to start automatically, set the following service:

Set-Service -Name sshd -StartupType 'Automatic'

Start-Service -Name sshd

Finally, use the remoting tools to simplify configuring SSH based remoting. The following commands will install the module from the PowerShell Gallery.

Install-Module -Name Microsoft.PowerShell.RemotingTools   

Import-Module -Name Microsoft.PowerShell.RemotingTools

On a sample Ubuntu workstation, open a terminal session and install OpenSSH:

sudo apt install openssh-client

sudo apt install openssh-server

Next, start an elevated pwsh session and install RemotingTools module and run the Enable-SSHRemoting command:

Install-Module -Name Microsoft.PowerShell.RemotingTools

Enable-SSHRemoting -Verbose

sudo service ssh restart

Standardize on PowerShell 7

One key recommendation is to upgrade PowerShell. Newer PowerShell versions offer more logging and security enhancements. It’s recommended to disable and uninstall the deprecated PowerShell Version 2,0) on Windows 10 and other versions. You should also review the use of older Windows operating systems and their impact on the risk of your network.

If you standardize on Windows 10 or Windows 11 and PowerShell 7, you can use AMSI, Constrained Language mode, Constrained Language mode with Applocker and WDAC, deep script block logging, over-the-shoulder transcription logging, module logging, and SSH remoting. The most recent release of PowerShell is version 7.2.5. A preview release of 7.3.0 was released on June 22, 2022. Once you standardize on PowerShell 7 you can then remove or disable PowerShell 2 to better secure your network. In a console window execute the following command: 

Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

This command disables PowerShell 2.0 immediately. To reenable PowerShell 2.0, replace disable with enable:

Enable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

You can also disable PowerShell 2.0 in the Windows features options.

Contributing Writer

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.

More from this author