NSA, partners unveil PowerShell guidance
The National Security Agency and the Cybersecurity and Infrastructure Security Agency, together with cybersecurity centers in New Zealand and the U.K., have urged system administrators to use PowerShell to detect and prevent malicious activity on Windows machines, reports BleepingComputer.
System administrators have been advised to enable PowerShell remoting to protect plain-text credentials, and to include only trusted endpoints in Windows Firewall to mitigate lateral movement risk. The Secure Shell protocol in PowerShell 7 could also be used for remote connections, according to the agencies. The agencies also recommended configuring Windows Defender Application Control or AppLocker to curb potential exploitation of PowerShell sessions.
"Blocking PowerShell hinders defensive capabilities that current versions of PowerShell can provide, and prevents components of the Windows operating system from running properly. Recent versions of PowerShell with improved capabilities and options can assist defenders in countering abuse of PowerShell," said the agencies in the joint advisory.
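A read-only audit of the firewall and application-control measures described above, as an added example that is not taken from the advisory or from the article. It assumes an elevated session on Windows with the built-in NetSecurity and AppLocker modules, and the addresses in the remediation comment are constructed placeholders.

```powershell
# Added example (not from the advisory): read-only audit of the measures above.
# Run elevated on Windows; the NetSecurity and AppLocker modules ship with Windows.

function Get-WinRMFirewallScope {
    # Enabled inbound WinRM rules and the remote addresses each one admits.
    # The built-in WinRM rule names start with WINRM-HTTP.
    Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object { $_.Name -like 'WINRM-HTTP*' } |
        ForEach-Object {
            $remote = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
            [pscustomobject]@{
                Rule          = $_.Name
                Profile       = $_.Profile
                RemoteAddress = $remote -join ', '
                # 'Any' means every host that can reach the port may attempt a session.
                Unrestricted  = $remote -contains 'Any'
            }
        }
}

function Get-AppControlState {
    # Effective AppLocker enforcement per rule collection, plus this session's
    # language mode (ConstrainedLanguage is what an enforced lockdown policy yields).
    $collections = (Get-AppLockerPolicy -Effective).RuleCollections
    [pscustomobject]@{
        LanguageMode = $ExecutionContext.SessionState.LanguageMode
        AppLocker    = @($collections | ForEach-Object {
            '{0}={1}' -f $_.RuleCollectionType, $_.EnforcementMode })
    }
}

$scope = @(Get-WinRMFirewallScope)
$scope | Format-Table -AutoSize
Get-AppControlState | Format-List

if ($scope.Count -eq 0) {
    Write-Warning 'No enabled inbound WinRM rule found; remoting is not reachable.'
}
foreach ($rule in ($scope | Where-Object Unrestricted)) {
    Write-Warning "$($rule.Rule) accepts WinRM from any address; restrict it to trusted endpoints."
    # Remediation, with constructed placeholder addresses for the admin hosts:
    # Set-NetFirewallRule -Name $rule.Name -RemoteAddress 192.0.2.10, 192.0.2.11
}
```

On PowerShell 7, a remote session over SSH instead of WinRM is opened with `New-PSSession -HostName <host> -UserName <user>`, in which case the WinRM rules above can stay disabled.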