SecurityPowerShell is Top Attack Vector for Critical Security Threats: Research

PowerShell is Top Attack Vector for Critical Security Threats: Research

Paul Shread
By Paul Shread
SecurityServer News

ServerWatch content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

PowerShell was the source of more than a third of critical security threats detected by Cisco Secure Endpoint in the second half of 2020.

Dual-use tool exploitation was the top threat category detected by Cisco, followed by ransomware, fileless malware, and credential dumping, with PowerShell a primary vector in those last two categories also.

Ransomware has been in the headlines quite a bit, thanks to the devastating Colonial Pipeline attack, but it’s important for server admins to note that PowerShell is a significantly more common attack vector.

Cisco Secure Endpoint is an endpoint detection and response (EDR) tool, which can monitor endpoints like servers and PCs and respond to security breaches. Cisco recommends a number of protection steps that are, naturally, made easier with Cisco Secure Endpoint, and other EDR tools are also generally effective against PowerShell exploits.

PowerShell security steps

There are a number of steps admins can (and should) take that are completely free, like preventing or restricting PowerShell execution in non-admin accounts, allowing execution of signed scripts only, and using Constrained Language mode.

The Center for Internet Security offers a number of steps admins can take to help secure PowerShell.

Only network admins and other IT pros need access to the Microsoft command-line interface tool, CIS notes, so prevent or restrict its execution and allow execution of signed scripts only. Disable or restrict Windows Remote Management too.

CIS includes a tutorial for for managing Script Execution in Group Policy Settings.

To Turn on Script Execution in Group Policy settings:

  • Click Start Menu > Control Panel > System and Security > Administrative Tools
  • Create or Edit Group Policy Objects > Windows PowerShell > Turn on Script Execution

To Turn on Script Execution policy settings:

  • Disabling Turn on Script Execution will mean that scripts do not run and PowerShell is disabled
  • If you enable Turn on Script Execution, you can select the execution policy Allow only signed scripts

Digital risk management vendor Digital Shadows also offers a number of PowerShell security tips, including using Constrained Language mode, and NetSPI discusses 15 ways that PowerShell execution policies can be bypassed. PowerShell Protect is a downloadable tool that integrates with the Antimalware Scan Interface to audit and block scripts before they execute.

See more PowerShell news and tutorials

Get the Free Newsletter!
Subscribe to Daily Tech Insider for top news, trends & analysis
This email address is invalid.
Get the Free Newsletter!
Subscribe to Daily Tech Insider for top news, trends & analysis
This email address is invalid.

Latest Posts

Related Stories

ServerWatch is an established resource for technology buyers looking to increase or improve their data center infrastructure. ServerWatch’s reviews, comparisons, tutorials, and guides help readers make informed purchase decisions around the hardware, software, security, management, and monitoring tools they use to innovate for employees and customers.

Advertisers

Advertise with TechnologyAdvice on ServerWatch and our other data and technology-focused platforms.

Advertise with Us

Menu

Our Brands

Property of TechnologyAdvice.
© 2023 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.