That’s right, Microsoft’s CLI management tool was the source of more than a third of critical security threats detected by Cisco in the second half of 2020, according to eSecurity Planet.
Dual-use tool exploitation was the top threat category noted by Cisco, followed by ransomware, fileless malware, and credential dumping, with PowerShell a primary vector in those last two categories also.
“Based on Cisco’s research, PowerShell is the source of more than a third of critical threats,” noted Gedeon Hombrebueno, Endpoint Security Product Manager for Cisco Secure.
Cisco recommends a number of protection steps that are, of course, made easier with Cisco Secure Endpoint, and other EDR tools are effective against PowerShell exploits also.
But there are a number of steps admins can (and should) take that are completely free, like preventing or restricting PowerShell execution in non-admin accounts, allowing execution of signed scripts only, and using Constrained Language mode.
Read More: eSecurityPlanet.com