Compliance, IT Infrastructure, Network Security, News

How to Secure PowerShell and Use it for Cybersecurity Defense

Cybersecurity agencies say organizations should take several steps to secure PowerShell and keep it from being used in cyberattacks.

July 6, 2022 Zachary Comeau

PowerShell is an incredibly effective tool that allows IT administrators to automate repetitive tasks and is particularly useful in helping to protect and manage the cybersecurity of Windows operating systems.

However, those same capabilities are just as useful for hackers after gaining initial access to a network, with PowerShell scripts being used to weaken intrusion prevention systems, move laterally and maintain persistence. According to cybersecurity researchers, the tool has been used in several notable incidents, including the Kaseya VSA compromise that led to a mass deployment of the REvil ransomware last year.

Several other threat actors have leveraged PowerShell to infect Word and Excel files with malware and spread fileless malware, according to new information provided by the U.S. Cybersecurity and Infrastructure Security Agency and a host of other nations’ cybersecurity agencies.

The newly released document gives IT and cybersecurity professionals recommendations on how to secure PowerShell and prevent it from being used against the organization in the event of a cyberattack, rather than simply disabling PowerShell.

Make sure PowerShell is up to date

PowerShell 7.2 is the latest version of the scripting tool, while an earlier version, 5.1, ships with Windows 10+; version 7.2 can nonetheless fully integrate with and access all components created for version 5.1. Agencies recommend disabling and uninstalling the “deprecated second version on Windows 10+” (the PowerShell 2.0 engine), as newer versions of PowerShell provide enhanced security measures.
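As an added example (not code from the article or the agencies' document), the following script inventories the PowerShell engines present on a Windows 10+ host, probes whether the deprecated 2.0 engine can still be started, and removes it. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session and uses the Windows optional-feature names for the v2 engine.

```powershell
# Added example: find and remove the deprecated PowerShell 2.0 engine.
# Run from an elevated PowerShell session.

# 1. Which engine is this session itself running?
$PSVersionTable.PSVersion

# 2. Is the v2 engine still installed? Both optional features belong to it.
function Get-PowerShellV2Feature {
    Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'MicrosoftWindowsPowerShellV2*' } |
        Select-Object FeatureName, State
}
$v2 = Get-PowerShellV2Feature
$v2

# 3. Is it actually reachable? Even with 5.1 installed, "powershell.exe -Version 2"
#    falls back to the old engine (no AMSI, no script block logging) when it is
#    present together with .NET 2.0/3.5. Any error output is discarded.
$probe = & "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -Version 2 -NoProfile -Command '$PSVersionTable.PSVersion.Major' 2>$null
if ($probe -eq '2') {
    Write-Warning 'The PowerShell 2.0 engine can still be started on this host.'
}

# 4. Disable (uninstall) the v2 engine features without forcing a reboot.
foreach ($feature in ($v2 | Where-Object { $_.State -eq 'Enabled' })) {
    Disable-WindowsOptionalFeature -Online -FeatureName $feature.FeatureName -NoRestart | Out-Null
    "Disabled $($feature.FeatureName)"
}
```

Step 3 is the check worth keeping in a fleet audit: the feature list alone says what is installed, while the `-Version 2` probe says whether an attacker-controlled script could actually downgrade into the unmonitored engine.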

PowerShell Remoting security

PowerShell includes built-in security features that enable administrators, analysts and users to execute commands remotely on Windows hosts. The underlying protocol is Windows Remote Management (WinRM), and Kerberos or NT LAN Manager (NTLM) are the default authentication protocols. Those protocols do not send the actual credentials to remote hosts, thus avoiding direct exposure of credentials.

Agencies also advise organizations to configure Windows Firewall rules on endpoints to control permitted connections. The client and server editions of Windows include PowerShell remoting capabilities, but access to endpoints with PowerShell remoting requires the requesting user to have admin privileges at the destination by default. Enabling PowerShell remoting on private networks will introduce a Windows Firewall rule to accept all connections. Those rules can be customized to restrict connections to only trusted endpoints and networks to reduce lateral movement and harden networks.
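The firewall hardening described above, as an added example that is not part of the article: the script enables remoting, reviews the default endpoint permissions, and then narrows the inbound WinRM rules from "any address" to named management subnets. `10.0.100.0/24` is a constructed placeholder for the organization's management network; run it from an elevated session on the endpoint.

```powershell
# Added example: restrict the inbound WinRM firewall rules that Enable-PSRemoting creates.
$managementNetworks = @('10.0.100.0/24')   # constructed placeholder subnet

# Enable-PSRemoting configures the WinRM listener and creates the permissive
# "Windows Remote Management" inbound rules with RemoteAddress = Any.
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# By default only local Administrators (and Remote Management Users) may connect;
# review the endpoint permissions before widening them.
Get-PSSessionConfiguration | Select-Object Name, Permission

function Get-WinRmInboundRuleScope {
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
        Where-Object { $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $_.Name
                Profile       = $_.Profile
                Enabled       = $_.Enabled
                RemoteAddress = ($addr.RemoteAddress -join ', ')
            }
        }
}

'Before:'
Get-WinRmInboundRuleScope | Format-Table -AutoSize

# Limit every inbound WinRM rule to the management subnets and turn off the
# rule that applies to the Public profile altogether.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Set-NetFirewallRule -RemoteAddress $managementNetworks

Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Profile -eq 'Public' } |
    Disable-NetFirewallRule

'After:'
Get-WinRmInboundRuleScope | Format-Table -AutoSize
```

The before/after listing is the part to keep in change records: the `RemoteAddress` column going from `Any` to the management subnet is the evidence that lateral movement over WinRM from an arbitrary workstation is no longer possible.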

According to the cybersecurity agencies, PowerShell 7 permits remote connections over Secure Shell (SSH) in addition to WinRM connections, allowing for public key authentication and convenient, secure remote management. These connections can be established without requiring HTTPS with SSL/TLS certificates. Unlike WinRM remoting to hosts outside a domain, PowerShell over SSH does not require a Trusted Hosts list, and with key-based authentication it allows secure remote management without a password for every command and connection. It also allows PowerShell remoting between Windows and Linux hosts.
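As an added example (not from the article), here is how a Windows host is set up for PowerShell over SSH with key-only authentication, followed by a session opened from an administrator's workstation. It assumes the Windows OpenSSH Server capability is installed, that PowerShell 7 sits at its default install path (written in 8.3 short form, as the `Subsystem` line does not accept spaces), and that `mgmt-host` and `admin` are constructed placeholder names.

```powershell
# Added example: register pwsh as an SSH subsystem and enforce public key auth.
$sshdConfig = "$env:ProgramData\ssh\sshd_config"
$directives = @(
    'Subsystem powershell c:/progra~1/powershell/7/pwsh.exe -sshs -nologo',
    'PubkeyAuthentication yes',
    'PasswordAuthentication no'
)

$existing = [string[]](Get-Content -Path $sshdConfig)
$toAdd    = $directives | Where-Object { $existing -notcontains $_ }

if ($toAdd) {
    # The default Windows sshd_config ends with a "Match Group administrators" block.
    # Appending blindly would place the new lines inside it, and Subsystem is not
    # valid inside Match, so insert the directives before the first Match line.
    $new = [System.Collections.Generic.List[string]]::new()
    $inserted = $false
    foreach ($line in $existing) {
        if (-not $inserted -and $line -match '^\s*Match\b') {
            $new.AddRange([string[]]$toAdd)
            $inserted = $true
        }
        $new.Add($line)
    }
    if (-not $inserted) { $new.AddRange([string[]]$toAdd) }
    Set-Content -Path $sshdConfig -Value $new -Encoding ascii
}

Set-Service -Name sshd -StartupType Automatic
Restart-Service -Name sshd

# From the admin workstation: key-based session, no Trusted Hosts entry and no
# WinRM listener or HTTPS certificate involved.
$session = New-PSSession -HostName mgmt-host -UserName admin -KeyFilePath "$HOME\.ssh\id_ed25519"
Invoke-Command -Session $session -ScriptBlock { $PSVersionTable.PSVersion; hostname }
Remove-PSSession $session
```

`PasswordAuthentication no` is the setting that turns the agencies' "without a password" convenience into a hardening measure: with it, a stolen account password alone cannot open a remoting session, only the private key can.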

Antimalware Scan Interface (AMSI) integration

The agencies also say the Antimalware Scan Interface feature, integrated into different Windows components, can scan for in-memory and dynamic file contents for malicious content using an anti-virus product registered with Windows. Built-in scripting languages, including PowerShell, use AMSI so that scripts are scanned by registered and supported anti-virus software.
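To verify that AMSI integration is actually in effect on a host, as an added example that is not part of the article: the script lists the AMSI providers registered with Windows (providers register under the AMSI registry key by CLSID) and then pulls recent Microsoft Defender detections that originated from AMSI scans. The `amsi:` prefix used to filter the detection path is assumed from Defender's event format.

```powershell
# Added example: confirm AMSI providers are registered and look for AMSI-sourced detections.
function Get-AmsiProvider {
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $clsid = $_.PSChildName
            # Resolve the CLSID to the provider's display name (e.g. the AV product).
            $name = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ CLSID = $clsid; Provider = $name }
        }
}

function Get-AmsiDetection {
    param([int]$Days = 7)
    # Defender logs 1116 (malware detected) and 1117 (action taken) in its Operational log.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'amsi:' } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

$providers = Get-AmsiProvider
if (-not $providers) {
    Write-Warning 'No AMSI provider is registered: PowerShell script content will not be scanned.'
}
$providers | Format-Table -AutoSize
Get-AmsiDetection -Days 7 | Format-Table -AutoSize
```

An empty provider list is the finding to act on: PowerShell will still call AMSI, but with no registered anti-virus product nothing examines the script content.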

Limiting PowerShell’s capabilities

Using AppLocker or Windows Defender Application Control, admins can block certain actions on a Windows host and cause PowerShell to operate in Constrained Language Mode, restricting PowerShell operations unless they are allowed by administrator-defined policies, according to the agencies. This closes a gap in AppLocker script enforcement, which blocks PowerShell commands placed in a script but allows the same commands when they are typed interactively into the PowerShell console. A proper configuration can prevent a malicious actor from gaining full control over a PowerShell session.
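As an added example (not from the article), the following script reports the language mode of the current session and then starts a child Windows PowerShell 5.1 process in Constrained Language Mode to show which operations it blocks and which still work. In production the mode is enforced by an AppLocker or WDAC policy; the `__PSLockdownPolicy` environment variable is Microsoft's documented testing switch, assumed here to be honoured by the child process from the process environment, and is not an enforcement mechanism on its own.

```powershell
# Added example: inspect the language mode and demonstrate Constrained Language Mode (CLM).
function Get-PSLanguageModeReport {
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        PSVersion    = $PSVersionTable.PSVersion.ToString()
        LanguageMode = $ExecutionContext.SessionState.LanguageMode   # FullLanguage or ConstrainedLanguage
    }
}
Get-PSLanguageModeReport

# Launch a child process under CLM (testing switch only, not a security boundary).
# In CLM, only core .NET types may be invoked and no new types can be compiled,
# while built-in cmdlets keep working, which is what the child output shows.
$env:__PSLockdownPolicy = '4'
try {
    $report = & "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command {
        "Child mode : $($ExecutionContext.SessionState.LanguageMode)"
        try { [System.Net.WebClient]::new() | Out-Null; 'WebClient  : allowed' }
        catch { 'WebClient  : blocked' }
        try { Add-Type -TypeDefinition 'public class ClmProbe {}'; 'Add-Type   : allowed' }
        catch { 'Add-Type   : blocked' }
        'Cmdlets    : ' + (Get-Process -Id $PID).ProcessName + ' (built-in cmdlets still work)'
    }
}
finally {
    Remove-Item Env:\__PSLockdownPolicy -ErrorAction SilentlyContinue
}
$report
```

The `Get-PSLanguageModeReport` output is what a fleet check should collect: a host whose policy is meant to enforce CLM but reports `FullLanguage` has a policy gap, typically a missing or not-yet-applied AppLocker/WDAC rule for the PowerShell executables.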

Detecting abuse

Organizations should maintain logs and monitor PowerShell activities to detect when malicious actors are leveraging the tool. However, deep script block logging, module logging and over-the-shoulder transcription are all disabled by default. The agencies recommend enabling those capabilities where feasible.

Deep script block logging records each PowerShell command in the Windows Event Log, while module logging captures the pipeline execution details of PowerShell. Meanwhile, over-the-shoulder transcription records every PowerShell input and output, whether or not the command succeeded, to help defenders decipher intended actions.
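The three logging features above, enabled and then queried, as an added example that is not part of the article: the script writes the same policy registry values that Group Policy would set, then defines a query over the resulting events. `C:\PSTranscripts` is a constructed output path; run from an elevated session.

```powershell
# Added example: enable script block logging, module logging and transcription, then query them.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging -> event 4104 in Microsoft-Windows-PowerShell/Operational
New-Item "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging -> event 4103 (pipeline execution details); '*' means every module
New-Item "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# Over-the-shoulder transcription -> one text file per session in OutputDirectory
New-Item "$base\Transcription" -Force | Out-Null
Set-ItemProperty "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String

# Detection: summarise recent 4103/4104 events. 4104 carries the script text in
# Properties[2]; 4103 carries the pipeline payload in Properties[1]. PowerShell
# writes 4104 at Warning level for script blocks it considers suspicious.
function Get-RecentPowerShellActivity {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4103, 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = if ($_.Id -eq 4104) { $_.Properties[2].Value } else { $_.Properties[1].Value }
            $text = ($text -replace '\s+', ' ')
            if ($text.Length -gt 120) { $text = $text.Substring(0, 120) + '...' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Level   = $_.LevelDisplayName
                User    = $_.UserId
                Snippet = $text
            }
        }
}

# Triage view: script blocks the engine itself flagged as suspicious in the last day.
Get-RecentPowerShellActivity -Hours 24 |
    Where-Object { $_.Id -eq 4104 -and $_.Level -eq 'Warning' } |
    Format-Table -AutoSize
```

Forward the Operational log and the transcript directory to a central collector; transcripts in particular are plain text files on the endpoint, and the agencies' point about deciphering intended actions only holds if they survive the attacker's cleanup.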

Don’t block PowerShell

Some organizations have taken to blocking PowerShell altogether to prevent malicious actors from utilizing the tool, but the agencies warn against that tactic, as it can hinder defensive capabilities that current versions of PowerShell provide.

Tagged With: Cybersecurity, PowerShell