Microsoft: Defending Against PowerShell Attacks
The security industry is ablaze with news about how PowerShell is being used by both commodity malware and attackers alike. Surely there’s got to be a way to defend yourself against these attacks!There absolutely is. PowerShell is – by far – the most securable and security-transparent shell, scripting language, or programming language available.
Our recommendations are:
- Deploy PowerShell v5, built into Windows 10. Alternatively, you can deploy the Windows Management Framework, available down to and including Windows 7 / Windows Server 2008r2.
- Enable, and collect PowerShell logs, optionally including Protected Event Logging. Incorporate these logs into your signatures, hunting, and incident response workflows.
- Implement Just Enough Administration on high-value systems to eliminate or reduce unconstrained administrative access to those systems.
- Deploy Device Guard / Application Control policies to allow pre-approved administrative tasks to use the full capability of the PowerShell language, while limiting interactive and unapproved use to a limited subset of the PowerShell language.
- Deploy Windows 10 to give your antivirus provider full access to all content (including content generated or de-obfuscated at runtime) processed by Windows Scripting Hosts including PowerShell.
For further information about these steps and solutions, please see the much more detailed presentation: “Defending Against PowerShell Attacks“.
Read the entire article here, Defending Against PowerShell Attacks | PowerShell Team Blog
Via the fine folks at Microsoft.