Press Release | June 22, 2022

NSA, Partners Recommend Properly Configuring, Monitoring PowerShell in New Report

FORT MEADE, Md. — The National Security Agency (NSA) and partner cybersecurity authorities released a Cybersecurity Information Sheet today recommending that Microsoft Windows® operators and administrators properly configure and monitor PowerShell to prevent and detect abuse by malicious actors.
 
NSA, the Cybersecurity and Infrastructure Security Agency (CISA), and the New Zealand and UK National Cybersecurity Centres developed “Keeping PowerShell: Security Measures to Use and Embrace” to help Windows operators and administrators understand how PowerShell supports system maintenance, forensics, automation, and security.
 
PowerShell is a scripting language and command line tool included with Microsoft Windows that provides many features, including the ability to automate tasks, improve incident response and enable forensics efforts. However, the same extensibility, ease of use, and availability that aids net defenders also provides an opportunity for malicious cyber actors, who have often abused PowerShell after gaining access to victim networks.
 
This has prompted some net defenders to disable or remove the Windows tool. NSA and its partners advise against doing so, and instead recommend following the guidance in this advisory to properly configure and monitor the tool. Recent versions of PowerShell include improved defensive capabilities, including ways to counter PowerShell abuse. The report outlines security features in PowerShell that help with protecting credentials, remote management configurations, anti-virus scanning and logging.
 
Read the full report here.
 
Visit our full library for more cybersecurity information and technical guidance.