Since we have been using computers, we have been looking for a way for each machine’s administrators to better control the machines and take care of them. This is how we got PowerShell: Microsoft gave admins a command line tool that would be able to automate more and more tasks, from scripting across a network to fully deploying and managing a server with no graphical user interface.
Of course, with every good thing come attackers who abuse it, and PowerShell is no exception. A recent attack that used a malicious Word attachment also used PowerShell commands to put a back door on the system, then used DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. While this technique is not new, the recent headline use of PowerShell has led some to ask whether PowerShell can be blocked on their machines.
The first thing to know is that one truly cannot uninstall PowerShell from a system. Think of PowerShell like the DOS command line that is still hiding under the hood of the operating system: it is a deeply embedded part of Windows. However, that doesn’t mean you are without options to better prevent the use of PowerShell by attackers.
The Use of PowerShell
First, the key thing to understand about PowerShell is that, by default, it is set to run only PowerShell scripts that are signed. Second, PowerShell scripts can only be run with administrator rights. And there are times when we actually want to use PowerShell: I use it on my standalone Windows machines to uninstall various consumer apps from the Windows Store with a PowerShell script.
Enterprises have more options to block and control the use of malicious PowerShell through AppLocker. AppLocker is a framework that network administrators can use to limit which applications can run on a system: only the specific applications the administrator has approved are allowed to run. However, one needs to purchase Windows 10 Enterprise licenses in order to use AppLocker, plus a considerable infrastructure to manage it. For consumers and small businesses, we have a few third-party options. One that I am using is White Cloud Security, which builds a trusted listing of applications based on what I have on my system. If any unknown software that I haven’t previously approved attempts to run on my system, a warning is thrown up and the application is blocked.
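As an added example (not code from the original post), the following PowerShell ties the two controls above together: it reports the execution policy per scope, checks a script's Authenticode signature before it is run, and builds an AppLocker script-rule policy in audit mode from a folder the administrator controls. The folder C:\Scripts, the script Remove-ConsumerApps.ps1 and the output XML path are placeholders, and the AppLocker steps assume an edition that ships AppLocker, as the article notes.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. All paths are placeholders.
Import-Module AppLocker

# 1. Execution policy. The effective value is the first scope in this list
#    that is not Undefined; a Group Policy setting overrides the local ones.
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy -AutoSize
Write-Host "Effective execution policy: $(Get-ExecutionPolicy)"

# Require Authenticode-signed scripts machine-wide. Treat this as a guardrail
# against running unsigned scripts by accident, not as an application-control
# boundary; that is what the AppLocker rules in step 3 are for.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 2. Inspect a script's signature before running it.
function Test-ScriptSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
        Signer  = $sig.SignerCertificate.Subject # $null when the file is unsigned
        Trusted = ($sig.Status -eq 'Valid')
    }
}
Test-ScriptSignature -Path 'C:\Scripts\Remove-ConsumerApps.ps1'   # placeholder

# 3. AppLocker script rules generated from the scripts the admin actually keeps
#    in C:\Scripts (placeholder; the folder must contain at least one script):
#    publisher rules where a script is signed, path rules otherwise. The Script
#    collection is set to AuditOnly so that anything the rules would block is
#    only logged (Microsoft-Windows-AppLocker/MSI and Script event log) until
#    the policy has been reviewed; change it to Enabled to enforce.
$info = Get-AppLockerFileInformation -Directory 'C:\Scripts' -Recurse -FileType Script
$xml  = [xml](New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Path `
                                  -User Everyone -Optimize -Xml)
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    if ($rc.Type -eq 'Script') { $rc.SetAttribute('EnforcementMode', 'AuditOnly') }
}
$policyPath = 'C:\Scripts\AppLocker-ScriptRules.xml'   # placeholder
$xml.Save($policyPath)

# Merge the new rules into the local policy and show the result. The
# Application Identity service (AppIDSvc) must be running for AppLocker to
# evaluate anything at all.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Get-AppLockerPolicy -Effective -Xml
```

Run the audit-mode policy for a while and review the AppLocker event log before switching the Script collection to Enabled, so that legitimate administrative scripts are not blocked by surprise.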