Why you should disable PowerShell

Microsoft has now included Windows PowerShell in every version of Windows 10 and up. PowerShell is a great tool for automation and for easily making Windows scripts, much of a improvement over the Batch language. However for the average user I have some concerns of it being installed and enabled automatically. If PowerShell is such a good tool then why would I want it to be disabled by default you may be asking, well because with all that power comes the ability for it to be abused to infect users with hard to detect malware.
If you did not know its very easy to invoke PowerShell scripts through any application and bypass execution policy, you can put the command in a Batch script or built it into an EXE or even execute it using almost any programming language so invoking it is easier than you think especially as its included with all version of Windows so you always know its going to be in there. However just invoking is not the big issue as that would be the same with Batch, the issue is with two very interesting commands in PowerShell. Invoke-WebRequest and Invoke-Expression. For anyone with Python or Javascript knowledge Invoke-Expression is the equivalent of eval for these language, essentially you pass in a string of code and it will evaluate or execute it in memory. What does that mean? Well the string is in a variable which is stored in memory meaning its not stored on disk, then executed from there. This means that no code is even written to disk for anti-malware software to scan or to check. Now Invoke-WebRequest, this is the equivalent of requests in Python or fetch for Javascript. It uses HTTP to request data from a website.

So what the big issue with these two commands? Well what happens if lets say Invoke-WebRequest just so happens to request a website that has PowerShell code on it and then you pipe that into Invoke-Expression? Exactly what you expect, the PowerShell code is downloaded from the website and saved into memory, after that Invoke-Expression will read the code and start executing it in memory. This makes it very difficult to detect as everything is in memory and almost nothing is done on disk (depending on the code). Its especially harder to find as its running in PowerShell a file signed by Microsoft and distributed on every version of Windows 10 and above so most people would just ignore it.

So what can I do about it? Well if you don't use PowerShell then I would suggest removing it or disabling it so programs that attempt to abuse it will not function. You can do this by checking out this tutorial from TheWindowsClub. This will disallow PowerShell from executing. The other best way to to examine what you are downloading and executing, don't run scripts from websites or developers you don't trust. And by don't trust. Its NEVER a good idea to just copy a paste commands into PowerShell or CMD for ANY reason without knowing what you are about to execute and to do some research before doing so. 

Comments

Post a Comment

Popular posts from this blog

Danger in shortcuts

Image
Shortcuts, personally I never really use them. They link to a program slash file to run it or to make it easier to execute with arguments such as open minimized window. But I decided to give them a relook with the new Powershell program bundled in with all Windows installations and even released for Linux. Shortcuts if you did not know can pass arguments into the program or file it has been linked to. Usually you use this if for example you want to configure a program to launch silently using lets say a -silent flag. Well just add that into the shortcut and it will launch with that argument without having to open a shell. So what about Powershell? Well it has a interesting flag called " -Command ". The command flag allows you to pass a command or potentially even an entire script into the Powershell process that will be started. Interestingly this means an entire script can run in memory without being stored on disk at all, the most insane version of anti-malware avoidance. N
Read more

What does your VPN really do to your web traffic? (a deep dive into HTTPS)

Image
We have all seen the ads, right? If you have not, I would question how you are reading this article while turning your butter but anyway, let’s talk about VPNs (this is going to be spicy). I know we have also all heard about the "benefits" of using a VPN, such as "privacy", "security", and using that sketchy Wi-Fi that showed up while you were at the strip. So why don't we talk about what it does shall we?  First "privacy". Now yes, it might improve it to a point at least by masking your IP however there are so many other ways that you are tracked online that are not your IP that the benefit would be very little. For example, your browser dimensions, cookies, installed extensions, etc. These are all sent through the VPN and allow the service at the other end to identify you through the VPN anyway, and another point I made add. What do most people do with their VPN? I would say use services online, and what do most services have? A login! You’
Read more

Keeping your AV enabled and not extracting the ZIP

Image
Public Service  Announcement This is something I wanted to write a post about as it seems to still be getting lots of hits and fooling lots of people. I will wright the TLDR here so you can get the message now and read further if you want to learn more. If ANY program EVER tells you to disable your Anti-Malware solution PROCEED WITH EXTREAM CAUTION.  If you are ever provided with a password protected archive again PROCEED WITH EXTREAM CAUTION. Now that the TLDR is out of the way let me explain. There have been many campaigns that have been involving something in common, using a password protected zip file hosted with a page that contains both the password AND instructions to disable your Anti-Malware solution. The ZIP file then contains infected files usually Redline or alike however if the person follows the instructions as provided they would have disabled their Anti-Malware solution which would now not detect the sample. This is a common tactic used to distribute malware onto comput
Read more