In second place was ransomware<\/a>, and after the recent Colonial Pipeline hack<\/a> probably needs no further comment.<\/p>\n The third most frequently detected critical Indicator of Compromise (IoC) group was fileless malware – also a common PowerShell threat. This type of malware<\/a> does not use executable files and has no signature, making it challenging to detect. Fileless malware often manifests itself via suspicious process injections and registry activity. Common fileless malware types include Kovter, Poweliks, Divergent, and Lemon Duck.<\/p>\n Dual-use tools were also responsible for the fourth most common threat: Credential dumping, which is used by hackers to scrape login credentials from a compromised machine. The most commonly detected tool was Mimikatz, which Cisco Secure Endpoint caught dumping credentials from memory.<\/p>\n Those four categories are responsible for more than 80 percent of critical IoCs. The rest include threats like worms, remote access trojans (RATs), and banking trojans, with a mix of various downloaders, wipers, and rootkits.<\/p>\n “Based on Cisco’s research, PowerShell is the source of more than a third of critical threats,” noted Gedeon Hombrebueno, Endpoint Security Product Manager for Cisco Secure.<\/p>\n Hombrebueno told eSecurity Planet<\/em> that a “layered approach” is needed to secure PowerShell and other tools and utilities:<\/p>\n Hombrebueno said Cisco Secure Endpoint can help with all those practices “without the added complexity.”<\/p>\n Cisco Secure Endpoint is one of our top endpoint detection and response (EDR) products<\/a>. EDR tools are generally effective against PowerShell attacks.<\/p>\n See also: MITRE Protection Tests Shed New Light on Endpoint Security<\/a><\/p>\n The Center for Internet Security offers a number of steps admins can take<\/a> to help secure PowerShell, Microsoft’s command-line interface management tool for Windows and Windows Server.<\/p>\n First, only network admins and other IT pros need access to the Microsoft command-line interface tool, so prevent or restrict its execution and allow execution of signed scripts only. Disable or restrict Windows Remote Management while you’re at it.<\/p>\n CIS includes a tutorial for for managing Script Execution in Group Policy Settings.<\/p>\n To Turn on Script Execution in Group Policy settings:<\/p>\n To Turn on Script Execution policy settings:<\/p>\n Digital risk management vendor Digital Shadows also offers a number of PowerShell security tips<\/a>, including using Constrained Language mode, and NetSPI discusses 15 ways that PowerShell execution policies can be bypassed<\/a>. PowerShell Protect<\/a> is a downloadable tool that integrates with the Antimalware Scan Interface to audit and block scripts before they execute. <\/span><\/p>\n \n\n\n![\"PowerShell](\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2021\/05\/powershell-security-threats.jpg\")
<\/p>\nProtecting PowerShell from Hackers<\/h2>\n
\n
How To Secure PowerShell<\/h2>\n
\n
\n