US, UK, New Zealand argue against disabling PowerShell

US cybersecurity agencies – alongside the New Zealand and UK National Cybersecurity Centres – said security officials should not disable or remove Microsoft’s PowerShell tool, which is typically used for automating the management of systems but is often abused by hackers.

The agencies released an 8-page document with recommendations for how defenders can properly configure and monitor PowerShell as opposed to removing or disabling it entirely. 

PowerShell is a popular scripting language and command line tool included with Microsoft Windows and Azure that provides many features, including the ability to automate tasks, improve incident response and enable forensics efforts.

But it has been used extensively by hackers and ransomware groups as a post-exploitation tool, according to the National Security Agency (NSA).

The Cybersecurity and Infrastructure Security Agency (CISA) said the recommendations are designed to help defenders “detect and prevent abuse by malicious cyber actors, while enabling legitimate use by administrators and defenders.”

PowerShell is a useful tool, but it can be vulnerable to breaches without proper configuration & monitoring. Check out this guidance produced with our teammates @NSACyber, @NCSC, & National Cyber Security Centre for info on how to safely use it: https://t.co/a79Sc9TlLw pic.twitter.com/WeZoSDziAM

— Jen Easterly (@CISAJen) June 22, 2022

The NSA said abuse of the tool has caused some security teams to outright remove it. The security agency argued that the latest version of it offers “improved defensive capabilities, including ways to counter PowerShell abuse.”

“PowerShell is essential to secure the Windows operating system, especially since newer versions have resolved previous limitations and concerns through updates and enhancements," the NSA explained. 

“Removing or improperly restricting PowerShell would prevent administrators and defenders from utilizing PowerShell to assist with system maintenance, forensics, automation, and security. PowerShell, along with its administrative abilities and security measures, should be managed properly and adopted.”

Several security experts said the NSA and other cybersecurity agencies were being pragmatic in their assessment, acknowledging that it is a ubiquitous tool Windows administrators leverage on a regular basis for configuring systems. 

CardinalOps’ Phil Neray said PowerShell is one of the most commonly-used attack techniques and has been used in MetaSploit, Trickbot, and Emotet attacks as well as by nation-state actors such as HAFNIUM and the Lazarus Group. 

He noted that the MITRE ATT&CK framework has a dedicated technique for PowerShell that can be implemented.

John Bambenek, principal threat hunter at Netenrich, added that it's “simply unrealistic to manage a large environment without it, so it’s important to implement these security restrictions to prevent its misuse.”

“Almost every advanced attack (ransomware, APT, general crime) uses PowerShell in the chain of attack,” Bambenek said. 

“PowerShell is used for the same reason administrators use it…it's powerful and versatile to enable administration of large numbers of machines.”

Vectra AI CTO Oliver Tavakoli told The Record that any defender disabling PowerShell entirely is “throwing out the baby with the bathwater” and should instead deploy controls to prevent obviously malicious use.