PowerShell is Microsoft’s command-line scripting and automation platform. It was introduced by the company in 2006 as a way for administrators to perform configuration and administrative tasks, such as adding or deleting users, across multiple servers simultaneously. All of Microsoft’s products can be managed through PowerShell.
Admins like using PowerShell because it saves them so much time and effort configuring Windows for their organization. It also helps them access hard-to-find user information. And it’s very easy to use.
PowerShell is very powerful. But the question is, is it too powerful? For one particular section of the population, that answer is yes.
While certainly convenient, PowerShell access, especially remote access, is incredibly risky and a prime target for cybercriminals who can gain full network access to an organization’s most sensitive data and file systems. Once they’ve gained access, PowerShell gives hackers control of the full command line and operating system.
In its 2019 IBM X-Force Threat Intelligence Index, IBM noticed a trend of cybercriminals targeting administrative tools such as PowerShell as opposed to using malware. The report concluded that they were doing this in response to the massive increase in security measures with a primary focus on preventing ransomware attacks. Most security software whitelists PowerShell and treats it as a trusted application, which makes it ripe for hacking. A hacker can run fileless malware in the system’s memory as opposed to writing it to disk on the local machine. Since they’re not trying to load executable files, an antivirus program won’t detect anything. This process can cause quite a lot of damage before the IT department is even aware they’ve been hacked, as the commands appear to be legitimately coming from administrators.
There are many examples of high-level security incidents that have happened as a result of bad actors accessing PowerShell, including the 2017 Equifax breach and the Gold Dragon malware attack that targeted the 2018 Winter Olympics. Earlier this year, Microsoft detected a North Korean hacker group that was targeting security and tech companies through social media by using a PowerShell command to launch malware.
In July, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and the UK’s National Cyber Security Centre (NCSC) came out with a joint advisory about continuing attacks on companies using Microsoft 365 cloud services. The report detailed an increase in brute force attacks on Microsoft 365 email and user accounts. State-sponsored hackers were using compromised accounts with Global Administrator privileges to collect email from user inboxes. Industries affected included government, military, political, energy, logistics, higher education, media, and more.
Another way PowerShell makes it easy for cybercriminals to attack is the fact that it offers way too much control to lower-level IT staff. These managers may be giving the wrong access privileges to employees who are then targeted through phishing campaigns or bad password practices.
With the threat landscape continuing to grow more volatile as hackers find new and more stealthy ways to infiltrate networks, organizations have to consider a more holistic approach to security. And while PowerShell certainly provides a lot of benefits for Microsoft 365 admins, the key to ultimately reaping its rewards is to keep all of that power out of the hands of the hackers.
So, what can you do to prevent your organization from becoming the next PowerShell target?
The first place to start would be with all of the security tools you already have available to you from Microsoft, such as Defender, its anti-malware program, and Secure Score, which offers tools that show you how well your organization is complying with certain security best practices. In addition, you should have a thorough understanding of all of the external cloud apps your employees are using besides Microsoft products. It is also very important to limit who has remote access to PowerShell.
The joint security advisory mentioned previously recommends network managers adopt and expand multi-factor authentication to help battle some of the most common PowerShell attacks. They also encourage strong access and password controls along with implementing a Zero-Trust security model, which requires you to explicitly verify users and give them only the least network privileges necessary to do their jobs.
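As an added example (not part of the original article or any CoreView product), the script below audits a single Windows host for the two things the recommendations above turn on: who can reach PowerShell remotely, and whether the command logging that makes in-memory activity visible is switched on. It uses only built-in cmdlets; `Get-PSSessionConfiguration` needs an elevated session, the other checks do not.

```powershell
# Added example: audit PowerShell remoting exposure and logging coverage on this host.
function Get-PSRemotingExposure {
    [CmdletBinding()]
    param()

    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue

    # Accounts allowed to open remote sessions without being local administrators.
    $remoteUsers = @()
    try {
        $remoteUsers = Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction Stop |
            Select-Object -ExpandProperty Name
    } catch { $remoteUsers = @('<query failed: {0}>' -f $_.Exception.Message) }

    # Registered session endpoints and the SDDL describing who may connect (needs elevation).
    $endpoints = @()
    try {
        $endpoints = Get-PSSessionConfiguration -ErrorAction Stop | Select-Object Name, Permission
    } catch { }

    # Script block logging (event ID 4104) and transcription record what was run,
    # which is the evidence fileless, in-memory activity otherwise never leaves on disk.
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $sbl = Get-ItemProperty -Path "$policyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $tx  = Get-ItemProperty -Path "$policyRoot\Transcription"      -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        ComputerName          = $env:COMPUTERNAME
        WinRMStatus           = if ($winrm) { $winrm.Status.ToString() } else { 'NotInstalled' }
        WinRMStartType        = if ($winrm) { $winrm.StartType.ToString() } else { 'n/a' }
        RemoteManagementUsers = $remoteUsers
        SessionEndpoints      = $endpoints
        ScriptBlockLoggingOn  = ($sbl.EnableScriptBlockLogging -eq 1)
        TranscriptionOn       = ($tx.EnableTranscripting -eq 1)
    }
}

$report = Get-PSRemotingExposure
$report | Format-List

# The combination the article warns about: remoting reachable, nobody watching.
if ($report.WinRMStatus -eq 'Running' -and -not $report.ScriptBlockLoggingOn) {
    Write-Warning 'PowerShell remoting is running but script block logging is off.'
}
if ($report.RemoteManagementUsers.Count -gt 0) {
    Write-Warning ('Review Remote Management Users membership: {0}' -f ($report.RemoteManagementUsers -join ', '))
}
```

Run it across a fleet with `Invoke-Command` and keep the returned objects; a host where the group membership grows or logging flips off between runs is worth a look.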
CoreView provides all of these solutions and gives you better PowerShell rights management by limiting who has remote access. Our Functional Access Control gives you laser-focus on all your Microsoft 365 permissions and privileges, and our platform extends the Microsoft Admin Centers to provide a single bird’s eye view of everything that’s going on. Also, CoreView’s Custom Actions for Microsoft Office 365 PowerShell Commands allow admins to secure accounts with a single CoreView service account. This makes your network much less vulnerable to cyber-attacks. For extra security peace of mind, we also provide real-time automated alerts for compliance issues.
If you’re looking to protect your organization from the next PowerShell security breach, we can help. Schedule your personalized CoreView demo today.