Powershell

Hi all. I'm wondering what you all might be doing to restrict the use of powershell in your organizations? I know there are standard restrictions and bypasses on those, and i've been told that blocking powershell entirely breaks stuff. So what are you doing?

Find more posts tagged with

Comments

636-555-3226

Uninstall it. As part of my build process we use it to deploy images/software and one of the last steps is uninstalling it. Most workstations & servers have no need of it. Yes, PS can be very useful, but it can also be very destructive in the right hands (I'm looking at you PowerShellMafia, PowerShellEmpire, et al).

If you have the infrastructure, you might also be able to set up your IPS to detect & kill & alert any PS traffic it sees unless it's coming from the 3 or 4 admin boxes you've previously identified as being OK to use PS. If you've got a PS alert coming from a workstation that shouldn't have anything to do with PS, time to parking lot that switchport and vlan yourself over to sneaknet to see what's up.

SaSkiller

I was told that blocking powershell can wreck modern windows OS' due to some kind of weird integration with the OS, it uses PS even when someone isn't using it directly?

RomBUS

SaSkiller wrote: »

I was told that blocking powershell can wreck modern windows OS' due to some kind of weird integration with the OS, it uses PS even when someone isn't using it directly?

Hmm I haven't heard that. Usually when performing GUI tasks in Server OS it will display the PowerShell equivalent of what you are about to perform.

dmoore44

636-555-3226 wrote: »

Uninstall it. As part of my build process we use it to deploy images/software and one of the last steps is uninstalling it. Most workstations & servers have no need of it. Yes, PS can be very useful, but it can also be very destructive in the right hands (I'm looking at you PowerShellMafia, PowerShellEmpire, et al).

If you have the infrastructure, you might also be able to set up your IPS to detect & kill & alert any PS traffic it sees unless it's coming from the 3 or 4 admin boxes you've previously identified as being OK to use PS. If you've got a PS alert coming from a workstation that shouldn't have anything to do with PS, time to parking lot that switchport and vlan yourself over to sneaknet to see what's up.

Don't uninstall it! There are those of us that work in Hunt and IR roles and having POSH throughout the environment is vital!

Instead, take a look at these articles on creating WMI providers for logging:
1. https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html
2. https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/

And this one on Powershell logging: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

Or, if you want a turnkey solution, check out Windows Logging Service: https://digirati82.com/wls-information/ (there is a license fee)

Anyway, my overall point is not to restrict your administrative and IR capabilities. Yes, Powershell can be used to harm, but much like any tool, its also used for good. As an alternate context, would you also choose to uninstall common *nix tools and utilities like Bash, Python, and Perl? Of course not - your *nix admins would crap out enough bricks to build a house if you tried!

dmoore44

For the interested, here's one more blog post on POSH security: https://blogs.technet.microsoft.com/ashleymcglone/2016/06/29/whos-afraid-of-powershell-security/

gespenstern

You should enable both cmd and posh logging and send the events to your SIEM instead of disabling it.

PoSh is actually no more harmful than vbscript that existed for years. I wonder if you want to block WSH in your environment, just for the sake of consistency.

Also, even if you disable all the advanced scripting many things still can be done via cmd/bat shell many people underestimate. I can do wonders with proper use.

Even if you disable all the scripting, I can use a compiled in VS code. Or you are up to prohibiting Windows API?

Dojiscalper

disabling it would be pretty bad considering MS is pushing it hard for automation and server 2012 GUI is just a GUI on top of powershell.

636-555-3226

We still allow it for admins & on necessary servers. Otherwise it's not installed or blocked. I'd ask the OP if he's using PowerShell for anything. If not, why have it installed? I recommend a minimum footprint on all devices, and I esp. recommend not installing things you aren't using. If you want to install PS in case you might need it in the future, then why not go ahead and install the free trial of WinRAR in case your unarchiver of choice goes offline at some indeterminate point in the future?

If you want to keep it installed everywhere to help with the "detection" as part of your incident response plan, then that's your tactic. I prefer to focus on the "prevention" phase before "detection." If I can prevent or minimize PS exploits at no harm to IT administration, then why not do it? Yes, there are workarounds if PS isn't there, but there are workarounds to everything. We prefer to layer defense in depth. Not every hacker on my network can easily script up bat files to do the same thing PS can do. Not every hacker can use VS.