How to keep attackers from using PowerShell against you

Living off the land is not the title of a gardening book. It’s the goal of attackers going after your network. Rather than installing malicious software on your network that antivirus software might flag, attackers use the code already there to launch attacks. The tools that you use to monitor, maintain and access your network are often the same code that attackers use to attack your network. PowerShell is a prime example.

The U.S. National Security Agency (NSA), U.S. Cybersecurity and Infrastructure Security Agency (CISA), New Zealand’s NCSC, and the UK NCSC recently released a document called Keeping PowerShell: Security Measures to Use and Embrace. This guidance recommends keeping PowerShell in your network rather than blocking but offers the following advice to keep it secure.

Use PowerShell remoting only where needed

First, decide where you want to use PowerShell remoting and where you don’t want it to be functional. Too many companies do not take the time to use the technology they have to control communication. The Windows firewall can be set with Group Policy or Intune to block PowerShell remoting.

First review what access rights you have set by using the following command: Get-PSSessionConfiguration | Format-Table -Property Name, Permission

You can disable PowerShell remoting by using the following command: Disable-PSRemoting -Force

If you enable PowerShell remoting through Enable-PSRemoting, it automatically opens port 5895 in Windows Firewall. To disable the firewall exceptions, use the Windows Firewall with Advanced Security MMC snap-in (type “firewall” in the Start menu) and search for “Windows Remote Management (HTTP-In) rules”. There is one rule for the network profile domain (private) and one for public. Select “Inbound Rules”, then right-click on each rule and select “Disable”. You may also wish to set this rule to ensure that attackers can’t silently enable it. You can also enable “Firewall auditing” so that you are alerted when a firewall rule changes from the values you have set.  

Use antivirus software with Antimalware Scan Interface

Review what antivirus you are using and if your antivirus is using the Windows Antimalware Scan Interface (AMSI) integration. This supports scanning of in-memory and dynamic file contents and is supported by AMSI-aware antivirus products such as Windows Defender, McAfee and Symantec. I recommend investigating if you can justify the licensing of Defender for Endpoint. This enhanced endpoint security platform allows you to prevent, detect, investigate and respond to advanced threats.

Use AppLocker or WDAC

Review if you can license and deploy AppLocker or Windows Defender Application Control (WDAC) to better protect you. Enabling AppLocker script enforcement blocks PowerShell commands in a script but still allows the commands interactively into the PowerShell command console. It’s recommended to configure AppLocker or WDAC to block actions on a Windows host. This causes PowerShell to operate in a Constrained Language mode.

To determine what language mode PowerShell is using, enter the following command: $ExecutionContext.SessionState.LanguageMode

If it’s set for full language, you can decide to enable constrained delegation instead. Enter the following command:

$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

This stays in effect only for the current session. To maintain ConstrainedLanguage, use something like Device Guard User Mode Code Integrity to maintain the session settings.

Enable logging for PowerShell

Logging not in both the operating system and for PowerShell helps ensure that you can review your systems for malicious activity. Enable logging and deep scriptblock logging, module logging, and over-the-shoulder transcription. The relevant Group Policy object (GPO) setting is called “Turn on PowerShell Script Block Logging”. To find it, make these selections in order:

1. “Policies”
2. “Administrative Templates”
3. “Windows Components”
4. “Windows PowerShell”

The logging takes place in the application log, which you find with this selection process:

1. “Microsoft”
2. “Windows”
3. “PowerShell”
4. “Operational”

The commands are recorded under event ID 4104. If you also record start and stop events, these will appear under the IDs 4105 and 4106. Even if you have Windows 7 machines, you can install PowerShell 5, which enables the additional logging.

Secure remote connections

Most networks have mixtures of Windows and other platforms. Having secure remote connections helps to ensure that you keep secure between both Windows and Linux servers. PowerShell 7 allows remote connections over SSH (Secure Shell), which allows for public key authentication. To enable OpenSSH on Windows systems, run the following commands from an elevated console session:

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

To enable the SSH server service to start automatically, set the following service:

Set-Service -Name sshd -StartupType 'Automatic'

Start-Service -Name sshd

Finally, use the remoting tools to simplify configuring SSH based remoting. The following commands will install the module from the PowerShell Gallery.

Install-Module -Name Microsoft.PowerShell.RemotingTools   

Import-Module -Name Microsoft.PowerShell.RemotingTools

On a sample Ubuntu workstation, open a terminal session and install OpenSSH:

sudo apt install openssh-client

sudo apt install openssh-server

Next, start an elevated pwsh session and install RemotingTools module and run the Enable-SSHRemoting command:

Install-Module -Name Microsoft.PowerShell.RemotingTools

Enable-SSHRemoting -Verbose

sudo service ssh restart

Standardize on PowerShell 7

One key recommendation is to upgrade PowerShell. Newer PowerShell versions offer more logging and security enhancements. It’s recommended to disable and uninstall the deprecated PowerShell Version 2,0) on Windows 10 and other versions. You should also review the use of older Windows operating systems and their impact on the risk of your network.

If you standardize on Windows 10 or Windows 11 and PowerShell 7, you can use AMSI, Constrained Language mode, Constrained Language mode with Applocker and WDAC, deep script block logging, over-the-shoulder transcription logging, module logging, and SSH remoting. The most recent release of PowerShell is version 7.2.5. A preview release of 7.3.0 was released on June 22, 2022. Once you standardize on PowerShell 7 you can then remove or disable PowerShell 2 to better secure your network. In a console window execute the following command: 

Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

This command disables PowerShell 2.0 immediately. To reenable PowerShell 2.0, replace disable with enable:

Enable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

You can also disable PowerShell 2.0 in the Windows features options.