PowerShell Control and Protection

Edgewise stops malicious use of PowerShell while protecting approved IT operations. Administration is greatly simplified by automated policies built by machine learning. Using zero trust networking, Edgewise allows only verified PowerShell communications to prevent lateral movement of attackers.

Living off the land: how legitimate tools are used for malicious activity

PowerShell is a powerful scripting and automation tool commonly used to administer Windows and Linux systems. This highly customizable tool is enabled by default on all modern versions of Windows and is set as the default shell on the latest versions of Windows. Adversaries exploit the versatility and broad utility of PowerShell for malicious use, including connecting to remote systems to move laterally in the target environment, making unauthorized connections to the internet to download payloads, and establishing backchannels for command and control.

Examples of malicious PowerShell use include:

Emotet Banking Trojan

Emotet is a trojan that targets banking and financial institutions to steal financial information; see “Emotet Banking Trojan Leverages MS Office Word Docs, PowerShell to Deliver Malware”.1

Operation PowerShell Olympics

Operation PowerShell Olympics, also known as Olympic Destroyer, disrupted the 2018 Winter Olympics in South Korea. It “temporarily paralyzed IT systems ahead of opening ceremonies, shutting down display monitors, killing Wi-Fi, and taking down the Olympics website so that visitors were unable to print tickets.”2

Deep Panda

Deep Panda, a suspected Chinese threat group, targets government, defense, financial, telecommunications and healthcare organizations. The attack on Anthem, attributed to Deep Panda, used PowerShell to download and execute malicious software.3

1 https://www.carbonblack.com/2018/06/04/carbon-black-tau-threat-analysis-emotet-banking-trojan-leverages-ms-office-word-docs-powershell-deliver-malware/
2 https://www.wired.com/story/olympic-destroyer-malware-pyeongchang-opening-ceremony/
3 https://attack.mitre.org/groups/G0009/

Shortcomings of existing mitigations

Lateral movement is a key tactic of adversaries using PowerShell, and existing mitigations are unable to effectively distinguish between approved communications and unapproved or malicious ones. Also, most tools are reactive and run the risk of limited effectiveness after the damage has already occurred. Attempts to proactively limit PowerShell use increase operational complexity and manual effort while hindering legitimate IT operations.

Edgewise For PowerShell Control

Edgewise 1-Click Auto-Segmentation makes it impossibly simple for IT operations to control PowerShell and allow legitimate activity while stopping malicious use and exploitation for lateral movement. The differentiated value provided by Edgewise includes:

  • Prevent download of malicious payloads from the internet by reducing the scope of remote systems (including public internet addresses) that PowerShell can connect to.
  • Prevent PowerShell from being misused for lateral movement by allowing only administrator clients to connect to client services. Further reduce the risk of lateral movement by preventing PowerShell communication between servers.
  • Simplify IT operations with policies automatically built by Edgewise’s Policy Recommendation Engine.
  • Achieve provable security outcomes with Exposure Risk Analysis, which measures the reduction in network attack surface with Edgewise.
  • Gain Zero Trust security for your admin tools with software identity verification.
  • Adaptive PowerShell control that automatically adjusts to legitimate changes in PowerShell use.
  • Monitor PowerShell activity by reviewing logs in Edgewise, or export rich data to SIEM security monitoring tools via the API.
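As an added illustration (not Edgewise's own code or policy format), the first two controls above expressed as a small policy evaluator run over connection events: PowerShell may not reach public addresses, only admin clients may reach client endpoints, and servers may not talk PowerShell to each other. The host roles, the internal address ranges and the sample events are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Host roles assumed to come from an asset inventory (constructed for this example).
ADMIN_CLIENT, CLIENT, SERVER = "admin_client", "client", "server"
# Address ranges treated as the internal network; anything else counts as public internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class PsConnection:
    """One observed PowerShell network connection (source host -> destination)."""
    src_host: str
    src_role: str
    dst_host: str
    dst_role: str
    dst_ip: str

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def evaluate(conn: PsConnection) -> tuple[bool, str]:
    """Apply the PowerShell segmentation rules; returns (allowed, reason)."""
    # Rule 1: PowerShell may not reach public internet addresses (blocks payload downloads).
    if not is_internal(conn.dst_ip):
        return False, "deny: destination is outside the internal network"
    # Rule 2: only admin clients may open PowerShell connections to client endpoints.
    if conn.dst_role == CLIENT and conn.src_role != ADMIN_CLIENT:
        return False, "deny: only admin clients may connect to client services"
    # Rule 3: no server-to-server PowerShell communication.
    if conn.src_role == SERVER and conn.dst_role == SERVER:
        return False, "deny: server-to-server PowerShell communication"
    return True, "allow: matches approved administrative use"

# Constructed sample events standing in for PowerShell connection logs.
SAMPLE_EVENTS = [
    PsConnection("admin01", ADMIN_CLIENT, "ws42", CLIENT, "10.1.2.42"),   # admin remoting to a workstation
    PsConnection("ws42", CLIENT, "ws43", CLIENT, "10.1.2.43"),            # workstation to workstation
    PsConnection("srv01", SERVER, "srv02", SERVER, "10.0.5.2"),           # server to server
    PsConnection("ws42", CLIENT, "unknown", SERVER, "203.0.113.10"),      # outbound to a public address
    PsConnection("admin01", ADMIN_CLIENT, "srv01", SERVER, "10.0.5.1"),   # admin remoting to a server
]

def audit(events: list[PsConnection]) -> list[tuple[str, str, bool, str]]:
    """Evaluate every event; returns (src, dst, allowed, reason) rows for review or SIEM export."""
    return [(e.src_host, e.dst_host, *evaluate(e)) for e in events]

if __name__ == "__main__":
    for src, dst, allowed, reason in audit(SAMPLE_EVENTS):
        print(f"{src:>8} -> {dst:<8} {'ALLOW' if allowed else 'DENY '} {reason}")
```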