Why you should disable PowerShell

Microsoft has now included Windows PowerShell in every version of Windows 10 and up. PowerShell is a great tool for automation and for easily making Windows scripts, much of a improvement over the Batch language. However for the average user I have some concerns of it being installed and enabled automatically. If PowerShell is such a good tool then why would I want it to be disabled by default you may be asking, well because with all that power comes the ability for it to be abused to infect users with hard to detect malware.
If you did not know its very easy to invoke PowerShell scripts through any application and bypass execution policy, you can put the command in a Batch script or built it into an EXE or even execute it using almost any programming language so invoking it is easier than you think especially as its included with all version of Windows so you always know its going to be in there. However just invoking is not the big issue as that would be the same with Batch, the issue is with two very interesting commands in PowerShell. Invoke-WebRequest and Invoke-Expression. For anyone with Python or Javascript knowledge Invoke-Expression is the equivalent of eval for these language, essentially you pass in a string of code and it will evaluate or execute it in memory. What does that mean? Well the string is in a variable which is stored in memory meaning its not stored on disk, then executed from there. This means that no code is even written to disk for anti-malware software to scan or to check. Now Invoke-WebRequest, this is the equivalent of requests in Python or fetch for Javascript. It uses HTTP to request data from a website.

So what the big issue with these two commands? Well what happens if lets say Invoke-WebRequest just so happens to request a website that has PowerShell code on it and then you pipe that into Invoke-Expression? Exactly what you expect, the PowerShell code is downloaded from the website and saved into memory, after that Invoke-Expression will read the code and start executing it in memory. This makes it very difficult to detect as everything is in memory and almost nothing is done on disk (depending on the code). Its especially harder to find as its running in PowerShell a file signed by Microsoft and distributed on every version of Windows 10 and above so most people would just ignore it.

So what can I do about it? Well if you don't use PowerShell then I would suggest removing it or disabling it so programs that attempt to abuse it will not function. You can do this by checking out this tutorial from TheWindowsClub. This will disallow PowerShell from executing. The other best way to to examine what you are downloading and executing, don't run scripts from websites or developers you don't trust. And by don't trust. Its NEVER a good idea to just copy a paste commands into PowerShell or CMD for ANY reason without knowing what you are about to execute and to do some research before doing so. 

Comments

Popular posts from this blog

What does your VPN really do to your web traffic? (a deep dive into HTTPS)

Keeping your AV enabled and not extracting the ZIP

Danger in shortcuts