Iranian Cyber Threat: Limit Usage of PowerShell

January 8, 2020

In the wake of the recent U.S. military strike that killed Iranian General Qasem Soleimani, experts are warning about the heightened potential for an Iranian cyber response.

On Monday, the Cybersecurity and Infrastructure Security Agency (CISA) issued a release from the National Cyber Awareness System in light of the current tensions between the two countries. Calling the notification, “a primer for assisting in the protection of our Nation’s critical infrastructure” and referencing, “Iran’s historic use of cyber offensive activities to retaliate against perceived actions,” the bulletin laid out recommended actions to reduce vulnerability.

CISA Cyber Awareness Alert

Among them is a warning to log and limit usage of PowerShell, specifically the following:

“Limit the usage of PowerShell to only users and accounts that need it, enable code signing of PowerShell scripts, and enable logging of all PowerShell commands.”
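The second and third of those recommendations can be applied on a single host with the same policy registry values the PowerShell Group Policy templates write. The script below is an added example, not part of the original post or of CISA's bulletin; the function names, the transcript directory and the event-count check are assumptions. Run it from an elevated session on a test machine before rolling the settings out via Group Policy.

```powershell
# Added example (not from the original post or CISA's bulletin): turns on
# script block logging, module logging, transcription and signed-script-only
# execution on one host, then reads the effective state back for a baseline
# check. Function names and the transcript directory are assumptions.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PSAuditPolicy {
    [CmdletBinding()]
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed location

    # Script block logging records the de-obfuscated content of every script
    # block as event 4104 in Microsoft-Windows-PowerShell/Operational.
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging for all modules ('*') records pipeline execution details
    # (event 4103), including parameter values passed to cmdlets.
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String

    # Transcription writes a full text record of every session; the directory
    # should be forwarded off-host and not be writable by the users it records.
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name OutputDirectory -Value $TranscriptDir -Type String

    # Code signing: only scripts with a trusted Authenticode signature may run.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

function Test-PSAuditPolicy {
    # One object summarising the settings, so a compliance check can assert on it.
    [PSCustomObject]@{
        ScriptBlockLogging = (Get-ItemProperty "$PolicyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        ModuleLogging      = (Get-ItemProperty "$PolicyRoot\ModuleLogging" -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1
        Transcription      = (Get-ItemProperty "$PolicyRoot\Transcription" -ErrorAction SilentlyContinue).EnableTranscripting -eq 1
        ExecutionPolicy    = (Get-ExecutionPolicy -Scope LocalMachine)
        # Liveness check: are 4104 events actually being written? (0 means the log is empty.)
        RecentScriptBlocks = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5 -ErrorAction SilentlyContinue).Count
    }
}

Enable-PSAuditPolicy
Test-PSAuditPolicy
```

Note that a Group Policy value under the same `$PolicyRoot` key for ExecutionPolicy will override the local `Set-ExecutionPolicy` setting, so check `Get-ExecutionPolicy -List` after the next policy refresh.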

PowerShell is a favorite vehicle for bad actors to quickly scale their cyber-attacks and help them move laterally to discover sensitive assets. Symantec’s Internet Security Threat Report dated February 2019 tells us that PowerShell usage is now a staple of both cyber-crime and targeted attacks—reflected by a massive 1,000 percent increase in malicious PowerShell scripts blocked in 2018.

PowerShell provides a way to send commands to other systems for local execution there, using the Windows Remote Management (WinRM) service. A session can be 1:1 with a single remote computer or 1:many, reaching potentially hundreds of computers with a single command. This lets an attacker establish persistent connections, open interactive sessions, and execute scripts remotely. This capability is enabled by default on Windows Servers after 2012 R2.

Given the CISA warning, it is clear why limiting PowerShell’s use is a recommended action. A tool this powerful carries real risk: it is a prime target for attackers and something we need to lock down. But good intentions do not always translate into effective controls.

This is where Centrify’s PowerShell Access Right comes into play to close this exposure across the enterprise. If your systems are joined to a Centrify Zone, even with the total compromise of a domain administrator account, an attacker will not be able to remote into those systems or execute remote commands via PowerShell remoting.

View the demo video below to learn more about this feature – it could just save you from an imminent attack.