The report recommends setting standards for how PowerShell should be used:
- Change ExecutionPolicy to only allow signed scripts to run.
- Require all PowerShell scripts to be run from a specific location or path.
- Discourage (or require exception for) the use of encoded parameters on the command line.
- Discourage (or block) PowerShell scripts from downloading content from the Internet (or specify a “whitelist” of allowed IP addresses only).
- Discourage (or block) the use of PowerShell to invoke commands on remote systems.
- Require a custom parameter to be passed on all “legitimate” PowerShell usage.
- Restrict PowerShell to specific users in your organization.
- Require PowerShell to be launched from a specific process.
A relatively new iteration of ransomware called PowerWare is an example of PowerShell used maliciously. Distributed mainly via phishing attacks, PowerWare initiates as macros within emailed Word attachments. The macros launch an .exe file that starts up two PowerShell instances, one to download the ransomware script and the other to implement it.
PowerShell gives the attacker freedom of movement within the compromised network. “You become an employee of your target,” Johnson says.
Sign up for CIO Asia eNewsletters.