PowerShell was the source of more than a third of the critical security vulnerabilities identified in the second half of 2020, according to a Cisco survey released today at the RSA Conference.
The top threat category identified across all Cisco Secure Endpoints was dual-use tools, used both for exploitation and for post-exploitation work.
PowerShell Empire, Cobalt Strike, PowerSploit, Metasploit and similar tools have legitimate uses, Cisco said in its research, but they have also become tools commonly used by intruders, who rely on them to avoid detection while running foreign tools or code during a breach.
"Based on Cisco's research, PowerShell is the source of more than a third of critical threats," says Gedeon Hombrebueno, Endpoint Security Product Manager at Cisco Secure.
Cisco recommends several protection steps that are, of course, easier to apply with Cisco Secure Endpoint, but also with other EDR (endpoint detection and response) tools.
There are, however, steps that administrators can (and should) take at no cost at all: preventing or restricting PowerShell execution to administrator accounts only, allowing only signed scripts to run, and using the Constrained Language mode feature.
You can read detailed instructions for protecting PowerShell in the following white paper, or try PowerShell Protect:
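The three free hardening steps above can be audited (and two of them applied) from an elevated PowerShell session. The following script is an added example, not code from Cisco or the white paper; it assumes a Windows host where the AppLocker cmdlets are available, and the `__PSLockdownPolicy` machine variable it uses is a convenience setting, not a security boundary, so AppLocker or WDAC rules should back it in production.

```powershell
# Added example: audit PowerShell hardening on the local host and, with -Enforce,
# apply the signed-scripts-only policy and the Constrained Language setting.
# Assumes an elevated session on Windows (PowerShell 5.1 or 7).
function Test-PowerShellHardening {
    [CmdletBinding()]
    param([switch]$Enforce)

    $result = [ordered]@{}

    # 1. Only signed scripts may run. AllSigned is the target; RemoteSigned still
    #    lets unsigned local scripts execute.
    if ($Enforce) {
        Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
    }
    $policy = Get-ExecutionPolicy -Scope LocalMachine
    $result.ExecutionPolicy = $policy
    $result.SignedScriptsOnly = ($policy -eq 'AllSigned')

    # 2. Constrained Language mode. $ExecutionContext shows this session's mode;
    #    the machine-wide __PSLockdownPolicy variable (4 = ConstrainedLanguage) is
    #    what new sessions pick up. A local admin can clear it, hence the AppLocker/WDAC note.
    if ($Enforce) {
        [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
    }
    $result.CurrentLanguageMode = $ExecutionContext.SessionState.LanguageMode
    $lockdown = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')
    $result.ConstrainedForNewSessions = ($lockdown -eq '4')

    # 3. Who may run PowerShell: list effective AppLocker executable rules that
    #    mention powershell so an operator can confirm non-admins are denied.
    #    Administrators group SID is S-1-5-32-544.
    [xml]$al = Get-AppLockerPolicy -Effective -Xml
    $exe = $al.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Exe'
    $result.ExeRulesEnforced = ($exe.EnforcementMode -eq 'Enabled')
    $result.PowerShellRules = foreach ($rule in $exe.ChildNodes) {
        $paths = ($rule.Conditions.ChildNodes | ForEach-Object { $_.Path; $_.FilePath }) -join ';'
        if ($paths -match 'powershell') {
            "{0} {1} for SID {2}" -f $rule.Action, $paths, $rule.UserOrGroupSid
        }
    }
    $result.AdminOnlyRuleSeen = [bool]($result.PowerShellRules -match 'S-1-5-32-544')

    [pscustomobject]$result
}

# Audit only; add -Enforce to apply steps 1 and 2.
Test-PowerShellHardening | Format-List
```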
Intel Insights: How to Secure PowerShell