The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA), along with international partners, published guidance last week for cyber defenders that advises them not to remove PowerShell, Microsoft's command-line tool built into Windows, but to configure it properly.
CISA and the NSA released a joint Cybersecurity Information Sheet (CIS) on the PowerShell scripting language on June 22, along with the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom National Cyber Security Centre (NCSC-UK).
The agencies note that PowerShell’s “extensibility, ease of use, and availability” make it an easy target for malicious cyber actors. However, they warn against obstructing PowerShell’s functionality and instead urge defenders to take action to mitigate cyber threats.
“Blocking PowerShell hinders defensive capabilities that current versions of PowerShell can provide, and prevents components of the Windows operating system from running properly,” the CIS says. “Recent versions of PowerShell with improved capabilities and options can assist defenders in countering abuse of PowerShell.”
PowerShell 7.2 is the latest release, offering “enhanced security measures.” The agencies recommend “explicitly disabling and uninstalling the deprecated second version of PowerShell (i.e., Version 2) on Windows 10+” to best protect against cyber threats.
The agencies also recommend that organizations use the built-in Windows security features available in PowerShell "where feasible." They recommend enabling deep script block logging, over-the-shoulder transcription, authentication procedures, and remote access over Secure Shell (SSH), all of which are disabled by default.
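As a worked illustration of the two recommendations above (removing the deprecated v2 engine, and turning on script block logging and transcription), here is an added PowerShell script; it is not code from the information sheet or from the agencies. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows 10+, uses the documented policy registry keys that Group Policy itself writes, and picks C:\PSTranscripts as an assumed transcript location; the helper names (Disable-PowerShellV2, Set-PolicyValue, Enable-ScriptBlockLogging, Enable-Transcription, Test-PowerShellHardening) are this example's own.

```powershell
# Added example: harden PowerShell the way the CISA/NSA sheet recommends, then read the state back.
# Not code from the agencies or the article. Run elevated on Windows 10+ (Windows PowerShell 5.1 or pwsh 7).
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

function Disable-PowerShellV2 {
    # The v2 engine ships as an optional Windows feature. Disabling the root feature stops
    # "powershell.exe -Version 2", which predates script block logging and AMSI integration.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root'
    if ($feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -NoRestart | Out-Null
        return 'Disabled now'
    }
    return "Already $($feature.State)"
}

function Set-PolicyValue {
    # Create the policy key if needed and write (or overwrite) one value under it.
    param(
        [string]$KeyPath,
        [string]$Name,
        [object]$Value,
        [Microsoft.Win32.RegistryValueKind]$Kind = 'DWord'
    )
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $Name -Value $Value -PropertyType $Kind -Force | Out-Null
}

function Enable-ScriptBlockLogging {
    # Records the content of every script block as it is compiled (event ID 4104 in the
    # Microsoft-Windows-PowerShell/Operational log), so obfuscated code is logged after decoding.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    Set-PolicyValue -KeyPath $key -Name 'EnableScriptBlockLogging' -Value 1
}

function Enable-Transcription {
    # Over-the-shoulder transcription: each session's input and output goes to a text file,
    # with an invocation header (timestamp, user, host) in front of every command.
    param([string]$OutputDirectory = 'C:\PSTranscripts')   # assumed, site-specific location
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
    if (-not (Test-Path $OutputDirectory)) { New-Item -ItemType Directory -Path $OutputDirectory | Out-Null }
    Set-PolicyValue -KeyPath $key -Name 'EnableTranscripting' -Value 1
    Set-PolicyValue -KeyPath $key -Name 'EnableInvocationHeader' -Value 1
    Set-PolicyValue -KeyPath $key -Name 'OutputDirectory' -Value $OutputDirectory -Kind 'String'
}

function Test-PowerShellHardening {
    # Read the settings back so the result can be checked by hand or fed to a compliance report.
    $sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
    $tr  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' -ErrorAction SilentlyContinue
    $v2  = Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root'
    $recent = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                           -MaxEvents 5 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        V2EngineState       = $v2.State
        ScriptBlockLogging  = ($sbl.EnableScriptBlockLogging -eq 1)
        Transcription       = ($tr.EnableTranscripting -eq 1)
        TranscriptDirectory = $tr.OutputDirectory
        Recent4104Events    = ($recent | Measure-Object).Count
    }
}

Disable-PowerShellV2
Enable-ScriptBlockLogging
Enable-Transcription
# Expect V2EngineState = Disabled (a reboot may be pending), both booleans True, and a
# non-zero 4104 count once any new script block has run in a fresh session.
Test-PowerShellHardening | Format-List
```

In a managed estate these same values would normally be pushed through Group Policy (Computer Configuration, Administrative Templates, Windows Components, Windows PowerShell) rather than written per host; the script is useful for verifying that the policy actually landed and that 4104 events are arriving. The transcript directory should be a write-only share or otherwise protected location, since transcripts are only valuable as evidence if the account being monitored cannot edit them. SSH-based remoting for PowerShell 7 is configured outside PowerShell, by registering pwsh as a subsystem in the OpenSSH server's sshd_config, so it is deliberately left out of this script.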