US, UK, New Zealand argue against disabling PowerShell

US cybersecurity agencies – alongside the New Zealand and UK National Cybersecurity Centres – said security officials should not disable or remove Microsoft’s PowerShell tool, which is typically used for automating the management of systems but is often abused by hackers.

The agencies released an 8-page document with recommendations for how defenders can properly configure and monitor PowerShell as opposed to removing or disabling it entirely. 

PowerShell is a popular scripting language and command line tool included with Microsoft Windows and Azure that provides many features, including the ability to automate tasks, improve incident response and enable forensics efforts.

But it has been used extensively by hackers and ransomware groups as a post-exploitation tool, according to the National Security Agency (NSA).

The Cybersecurity and Infrastructure Security Agency (CISA) said the recommendations are designed to help defenders “detect and prevent abuse by malicious cyber actors, while enabling legitimate use by administrators and defenders.”

The NSA said abuse of the tool has led some security teams to remove it outright. The agency argued that the latest version offers “improved defensive capabilities, including ways to counter PowerShell abuse.”

“PowerShell is essential to secure the Windows operating system, especially since newer versions have resolved previous limitations and concerns through updates and enhancements,” the NSA explained. 

“Removing or improperly restricting PowerShell would prevent administrators and defenders from utilizing PowerShell to assist with system maintenance, forensics, automation, and security. PowerShell, along with its administrative abilities and security measures, should be managed properly and adopted.”

Several security experts said the NSA and other cybersecurity agencies were being pragmatic in their assessment, acknowledging that PowerShell is a ubiquitous tool that Windows administrators use regularly to configure systems.

CardinalOps’ Phil Neray said PowerShell is one of the most commonly used attack techniques and has been used in Metasploit, Trickbot, and Emotet attacks as well as by nation-state actors such as HAFNIUM and the Lazarus Group.

He noted that the MITRE ATT&CK framework has a dedicated technique for PowerShell that can be implemented.

John Bambenek, principal threat hunter at Netenrich, added that it’s “simply unrealistic to manage a large environment without it, so it’s important to implement these security restrictions to prevent its misuse.”

“Almost every advanced attack (ransomware, APT, general crime) uses PowerShell in the chain of attack,” Bambenek said. 

“PowerShell is used for the same reason administrators use it…it’s powerful and versatile to enable administration of large numbers of machines.”

Vectra AI CTO Oliver Tavakoli told The Record that any defender disabling PowerShell entirely is “throwing out the baby with the bathwater” and should instead deploy controls to prevent obviously malicious use.

Jonathan Greig

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
