{"id":47223,"date":"2022-06-23T10:14:43","date_gmt":"2022-06-23T10:14:43","guid":{"rendered":"http:\/\/d02e3953-7fe7-4115-9ab6-0ea746ef0563"},"modified":"2022-06-23T10:14:43","modified_gmt":"2022-06-23T10:14:43","slug":"nsa-cisa-say-dont-block-powershell-heres-what-to-do-instead","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/nsa-cisa-say-dont-block-powershell-heres-what-to-do-instead\/","title":{"rendered":"NSA, CISA say: Don’t block PowerShell, here’s what to do instead"},"content":{"rendered":"
\n
\n
\"Worried<\/picture><\/div>\n

<\/div>\n

Image: Getty Images\/iStockphoto<\/span><\/figcaption><\/figure>\n

Cybersecurity authorities from the US, the UK, and New Zealand<\/a> have advised businesses and government agencies to properly configure Microsoft’s built-in Windows command-line tool, PowerShell \u2013 but not to remove it.    <\/p>\n

Defenders shouldn’t disable PowerShell, a scripting language, because it is a useful command-line interface for Windows that can help with forensics, incident response and automating desktop tasks<\/a>, according to joint advice<\/a> from the US spy service the National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), and the New Zealand and UK national cybersecurity centres. <\/p>\n

It also lets admins automate security tasks on Microsoft’s Azure cloud platform. Users can, for example, write PowerShell commands to manage Microsoft’s Defender antivirus on Windows 10 and Windows 11.<\/p>\n

SEE: Cloud computing dominates. But security is now the biggest challenge<\/a><\/strong><\/p>\n

But PowerShell’s flexibility has also made it amenable<\/a> to attackers who’ve used it<\/a> to remotely compromise Windows devices<\/a> and even Linux systems. <\/p>\n

So, what should defenders do? Remove PowerShell? Block it? Or just configure it? <\/p>\n

“Cybersecurity authorities from the United States, New Zealand, and the United Kingdom recommend proper configuration and monitoring of PowerShell, as opposed to removing or disabling PowerShell entirely,” the agencies say<\/a>.<\/p>\n

“This will provide benefits from the security capabilities PowerShell can enable while reducing the likelihood of malicious actors using it undetected after gaining access into victim networks.”<\/p>\n

PowerShell’s extensibility, and the fact that it ships with Windows 10 and 11, gives attackers a means to abuse the tool. This typically happens after an attacker has gained access to a victim’s network through Windows or other software vulnerabilities. <\/p>\n

But PowerShell attacks have caused some admins to remove it from devices and this is a bad idea, according to the NSA.  <\/p>\n

“This has prompted some net defenders to disable or remove the Windows tool. NSA and its partners advise against doing so,” the NSA said<\/a>. <\/p>\n

As the US Department of Defense notes<\/a>, blocking PowerShell hinders defensive capabilities that current versions of PowerShell can provide, and prevents components of Windows from running properly.<\/p>\n

The advice aligns with Microsoft’s guidance on the use of PowerShell and tips it’s given to admins to protect themselves against PowerShell attacks. Microsoft in 2020 acknowledged that “PowerShell is being used by both commodity malware and attackers alike”. <\/p>\n

“PowerShell is \u2013 by far \u2013 the most securable and security-transparent shell, scripting language, or programming language available,” Microsoft said in a 2020 blogpost<\/a>. <\/p>\n

New Zealand National Cyber Security Centre sums up the benefits of using PowerShell: <\/p>\n