Allied Cybersecurity Agencies Advise Against Disabling Popular Tool for Cyberattackers


The Microsoft program—PowerShell—has granted malicious actors in major hacks remote command and control ability over victims, but, by the same token, it can improve cybersecurity management across an enterprise.

Risks associated with PowerShell—a Microsoft program that enables remote management and the automation of tasks—can be mitigated by proper configuration, and removing it would come at a cost to security, according to a joint advisory from the Cybersecurity and Infrastructure Security Agency, the National Security Agency and their allied counterparts overseas.

“Many publicly-acknowledged cyber intrusions, including those by ransomware actors, have used PowerShell as a post-exploitation tool,” reads an advisory the U.S. agencies, along with their partners in New Zealand and the United Kingdom, published Wednesday. 

But the same attributes that make the tool attractive to attackers also facilitate more efficient defensive measures and enable crucial forensic analysis, as CISA noted after the intrusion campaign commonly referred to as “SolarWinds,” which the U.S. has since attributed to the Russian Foreign Intelligence Service. 

The adversary’s infiltration of that IT management firm’s operations to insert malware into a routine software update gave its name to sweeping compromises that affected at least nine federal agencies. But the campaign also involved crafty maneuvers using Microsoft’s Active Directory Federation Services to move laterally across victim networks by uncovering and adopting legitimate credentials.

The agencies explained how “PowerShell remoting,” for example, can address that issue.

“PowerShell remoting is a Windows capability that enables administrators, cybersecurity analysts and users to remotely execute commands on Windows hosts,” the advisory reads. “Windows Remote Management (WinRM) is the underlying protocol used by PowerShell remoting and uses Kerberos or New Technology LAN Manager (NTLM) as the default authentication protocols. These authentication protocols do not send the actual credentials to remote hosts, avoiding direct exposure of credentials and risk of theft through revealed credentials.”

As with cloud computing in general, the chief mitigating measure to consider where PowerShell is a factor is proper configuration of access authorization, which is usually not the default.

“Enabling PowerShell remoting on private networks will introduce a Windows Firewall rule to accept all connections,” the agencies wrote. “The permission requirement and Windows Firewall rules are customizable for restricting connections to only trusted endpoints and networks to reduce lateral movement opportunities. Organizations can implement these rules to harden network security where feasible.”
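The configuration change the agencies describe, shown as an added example that is not taken from the advisory or the article: enabling remoting creates an inbound WinRM rule that accepts connections from any address, and the same rule can be scoped down to a trusted management network. It assumes a domain-joined host, administrator rights, and a constructed management subnet of 10.20.30.0/24; the rule names are the built-in ones Windows creates.

```powershell
# Added example (not from the advisory or the article): inspect and tighten
# the inbound WinRM firewall rule that Enable-PSRemoting creates.
# Assumes a domain-joined host; 10.20.30.0/24 is a constructed placeholder
# for the trusted management subnet.

$ManagementSubnet = '10.20.30.0/24'   # constructed placeholder value

# 1. Enable remoting. On the Domain/Private profiles this adds the built-in
#    "WINRM-HTTP-In-TCP" rule, which accepts TCP 5985 from any remote address.
Enable-PSRemoting -Force

# 2. Show the weak default: RemoteAddress is "Any".
Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 3. Restrict the rule to trusted management endpoints/networks only.
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -RemoteAddress $ManagementSubnet

# 4. Keep the Public-profile variant of the rule disabled (it is off by
#    default on domain-joined hosts; this makes that explicit).
Disable-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-PUBLIC' -ErrorAction SilentlyContinue

# 5. Verify: the rule now accepts only the management subnet.
$filter = Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' | Get-NetFirewallAddressFilter
if ($filter.RemoteAddress -ne $ManagementSubnet) {
    throw "WinRM rule still accepts connections from: $($filter.RemoteAddress)"
}

# 6. Confirm which authentication methods the WinRM service accepts; the
#    advisory's defaults are Kerberos and Negotiate (NTLM). Basic should be
#    false, since it would send credentials to the remote host.
Get-ChildItem WSMan:\localhost\Service\Auth |
    Where-Object { $_.Name -in 'Kerberos', 'Negotiate', 'Basic' } |
    Select-Object Name, Value
```

On a workgroup host whose network profile is Public, Enable-PSRemoting refuses to run unless -SkipNetworkProfileCheck is given, which is a prompt to fix the profile rather than bypass the check.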