Researchers opposed the removal of Microsoft PowerShell

image

The cybersecurity agencies of the United States, New Zealand and the United Kingdom have urged cybersecurity officers not to disable or remove the Microsoft PowerShell tool, which is used to automate system management, but is often used by hackers. Agencies have issued recommendations for proper configuration and control of PowerShell .

According to the CISA agency , the recommendations will help specialists “to identify and prevent abuse by intruders, as well as to ensure legitimate use by administrators and defenders.”

The NSA said that the abuse of PowerShell forced some security services to completely remove it. “Removing or disabling PowerShell will prevent administrators from using the tool to help with system maintenance, forensics, automation, and security. PowerShell, along with its administrative capabilities and security measures, must be properly managed.”

According to Phil Nereus, a researcher at CardinalOps, PowerShell is a popular method of attack. The shell has already been used in MetaSploit , Trickbot and Emotet campaigns, as well as in attacks by government groups ( HAFNIUM and Lazarus Group ). Nereus also noted that the MITRE ATT&CK platform has a special PowerShell usage technique that can be implemented.

“It is impossible to manage a large environment without PowerShell, so it is important to implement security restrictions to prevent misuse of the tool. Almost every APT group uses PowerShell in attack chain”, – said John Bambenek, Chief Threat Search Specialist at Netenrich.