Speaking to Wired, Lee Holmes, principal software design engineer for PowerShell, describes how the company is now protecting the platform against would-be hackers. PowerShell has become an open back door for cybercriminals, allowing them to access Windows, a PC, and even networks. Trickbots, password miners, and fileless attacks have all targeted PowerShell. The effectiveness is clear, with more than a third of cyberattacks linked to the tool. Clearly this is concerning for Microsoft, as PowerShell is a valuable tool.

Holmes explains that admins are now getting some much-needed extra protection. Many admins rely on PowerShell to interact with Windows, controlling tasks across a network, configuring devices, and granting remote access. This versatility and network access make PowerShell attractive to hackers. Without confidence in its security, customers will potentially seek alternatives.

Holmes says Microsoft knew from the start that the tool would be a go-to for attackers: “We absolutely knew that PowerShell was going to be [appealing]. Attackers have job satisfaction as well,” he says. “But we’ve been laser-focused on PowerShell security since the very first version. We’ve always approached this in the context of larger system security.”

Now that PowerShell is open source, Microsoft is doing more to ensure it can be used safely. One key change concerns how admins can track use across a network. Previously, there was no default log record. There was an activity log, but it was brief and most customers did not use it. With PowerShell 5.0 (launched in 2016), Microsoft brought significant improvements with expanded logging features. Customers can now see activity on a wider scale, stopping attackers from essentially operating in plain sight.
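As an added example (not from the article, and not Microsoft's own code), the script below shows what the "expanded logging" of PowerShell 5.0 looks like when switched on by hand. It writes the same registry values that the corresponding Group Policy settings for script block logging, module logging and transcription use, then reports whether each is enabled. It must run elevated and only affects new sessions; the transcript directory C:\PSTranscripts is an assumption.

```powershell
# Added example: enable PowerShell 5.0 logging via the policy registry values.
# Run from an elevated session; new PowerShell sessions pick the settings up.
$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'   # assumed location; in practice use a write-only share

function Set-PolicyDword {
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Enable-PowerShellLogging {
    # Script block logging records every script block as it is compiled
    # (Event ID 4104), in the form that actually executes, so encoded or
    # string-built commands are logged after decoding.
    Set-PolicyDword "$PolicyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

    # Module logging records pipeline execution details (Event ID 4103);
    # the ModuleNames subkey with '*' = '*' covers every module.
    Set-PolicyDword "$PolicyRoot\ModuleLogging" 'EnableModuleLogging' 1
    $moduleNames = "$PolicyRoot\ModuleLogging\ModuleNames"
    if (-not (Test-Path $moduleNames)) { New-Item -Path $moduleNames -Force | Out-Null }
    New-ItemProperty -Path $moduleNames -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # Transcription writes a text transcript of each session to a directory,
    # with an invocation header giving the timestamp of each command.
    Set-PolicyDword "$PolicyRoot\Transcription" 'EnableTranscripting' 1
    Set-PolicyDword "$PolicyRoot\Transcription" 'EnableInvocationHeader' 1
    New-ItemProperty -Path "$PolicyRoot\Transcription" -Name 'OutputDirectory' `
        -Value $TranscriptDir -PropertyType String -Force | Out-Null
}

function Test-PowerShellLogging {
    # Reports each setting and whether it is currently enabled.
    $sbl = Get-ItemProperty "$PolicyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $ml  = Get-ItemProperty "$PolicyRoot\ModuleLogging"      -ErrorAction SilentlyContinue
    $tr  = Get-ItemProperty "$PolicyRoot\Transcription"      -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging = ($sbl.EnableScriptBlockLogging -eq 1)
        ModuleLogging      = ($ml.EnableModuleLogging -eq 1)
        Transcription      = ($tr.EnableTranscripting -eq 1)
        TranscriptDir      = $tr.OutputDirectory
    }
}

Enable-PowerShellLogging
Test-PowerShellLogging
```

The script block log (Event ID 4104) is the setting that matters most for the attacks the article describes, because it captures code after any Base64 decoding or string concatenation, which is exactly what a fileless attack relies on to stay out of sight.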
Shoring Up the Shell
However, Holmes acknowledges that the cybercrime world moves fast and attackers are often a step ahead. Referencing a recent Advanced Persistent Threat 29 attack recorded by Microsoft collaborator Mandiant, he describes how attackers were able to adapt to security measures: “As quickly as they were remediating machines, they were getting compromised again,” Holmes says. “They knew that the attackers were using a combination of Python and command line tools and system utilities and PowerShell—all the stuff that’s out there.” By moving to the updated PowerShell 5.0, Mandiant could manage the attacks with the advanced logging features: “… So they updated the system to using the newer version that has the expanded logging, and suddenly they could look at the logs and see exactly what [the attackers] were doing, what machines they were connecting to, every single command they ran. It completely took away that veil of secrecy.”

Expanded log tools are not the only defences in PowerShell’s arsenal. Microsoft has introduced a constrained language mode to give admins more control over which commands can be executed. Signature-based antivirus is another new addition.
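As an added example (not from the article, Mandiant or Microsoft), this script shows the responder's side of what Holmes describes: reading the script block log to see "every single command they ran", reassembling script blocks that were split across several events, triaging them with a few illustrative patterns, and checking whether the current session is in constrained language mode. It assumes script block logging is already enabled; the triage patterns are an assumption and not a complete detection rule.

```powershell
# Added example: reconstruct executed code from Event ID 4104 and check the
# language mode of the current session.
$LogName = 'Microsoft-Windows-PowerShell/Operational'

function Get-ScriptBlockEvents {
    param([int]$Hours = 24, [int]$MaxEvents = 500)
    # 4104 = "Creating Scriptblock text". Large scripts are logged as several
    # events sharing one ScriptBlockId. Event data fields, in order:
    # 0 MessageNumber, 1 MessageTotal, 2 ScriptBlockText, 3 ScriptBlockId, 4 Path
    $filter = @{ LogName = $LogName; Id = 4104; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Part          = [int]$_.Properties[0].Value
                Total         = [int]$_.Properties[1].Value
                Text          = [string]$_.Properties[2].Value
                ScriptBlockId = [string]$_.Properties[3].Value
                Path          = [string]$_.Properties[4].Value
            }
        }
}

function Get-ReassembledScriptBlocks {
    param([int]$Hours = 24)
    # Join the parts of each script block back into one text so a long script
    # is reviewed as a whole rather than as fragments.
    Get-ScriptBlockEvents -Hours $Hours |
        Group-Object ScriptBlockId |
        ForEach-Object {
            $parts = $_.Group | Sort-Object Part
            [pscustomobject]@{
                Time = $parts[0].Time
                Path = $parts[0].Path
                Text = ($parts.Text -join '')
            }
        } | Sort-Object Time
}

function Find-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    # Illustrative triage only (assumed patterns): code that decodes, fetches
    # or evaluates other code at run time deserves a closer look.
    $patterns = 'FromBase64String', 'DownloadString', 'Invoke-Expression', '-EncodedCommand'
    Get-ReassembledScriptBlocks -Hours $Hours | Where-Object {
        $text = $_.Text
        ($patterns | Where-Object { $text -match [regex]::Escape($_) }).Count -gt 0
    }
}

function Test-LanguageMode {
    # Constrained language mode limits a session to core types and cmdlets;
    # creating an arbitrary .NET type such as System.Net.WebClient then fails.
    $arbitraryTypesAllowed = $false
    try { $null = [System.Net.WebClient]::new(); $arbitraryTypesAllowed = $true } catch { }
    [pscustomobject]@{
        LanguageMode           = $ExecutionContext.SessionState.LanguageMode
        ArbitraryDotNetAllowed = $arbitraryTypesAllowed
    }
}

Find-SuspiciousScriptBlocks -Hours 24 | Format-List Time, Path, Text
Test-LanguageMode
```

Grouping by ScriptBlockId is the step people usually miss: a script of a few hundred lines arrives as a chain of 4104 events, and matching patterns against single fragments misses anything that straddles a boundary.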