Is PowerShell a vulnerability?

With the introduction in mind, this question frequently comes up. Enterprise companies very often answer it with yes, and therefore we are seeing many of them disallowing the use of PowerShell and PowerShell remoting, and even trying to prevent the execution of PowerShell at all. But blocking PowerShell doesn't address the real security problem. It just removes your most secure shell and scripting language.

PowerShell is a powerful programming language, completely object-oriented and based on .NET. Cmdlets have been created for nearly every Microsoft technology to manage, administrate, and automate tasks that would otherwise take much more time to implement manually. But PowerShell is always executed with the rights the user already has. PowerShell does not provide any new capabilities that would not be usable in a different way. Every attack that uses PowerShell could also be accomplished with other languages and mechanisms. So, securing PowerShell also means securing your complete environment.

PowerShell, in fact, is the most secure shell/scripting language that you can use in Windows environments.

Lee Holmes did a comparison in 2017 of the best-known shell and scripting languages in the following categories:

  • Event Logging
  • Transcription
  • Dynamic Evaluation Logging
  • Application Whitelisting
  • Antimalware Integration
  • Local Sandboxing
  • Remote Sandboxing
  • Untrusted Input Tracking

From his results, PowerShell clearly won this battle and is therefore the best language for automating and delegating tasks with higher privileges.

The complete article can be found at the following link and is still being updated:

https://blogs.msdn.microsoft.com/powershell/2017/04/10/a-comparison-of-shell-and-scripting-language-security/.

But why, then, are so many hackers using PowerShell?

We already answered this question before, but will give a clear answer here.

PowerShell is a neutral and very powerful administration tool, and attackers use PowerShell for the same reasons admins do. It can be used with all its capabilities to create dynamically extendable and structured code, which provides a high degree of automation, and it already comes armed with cmdlets that simplify complex tasks for most use cases. In addition, you can include dedicated low-level tasks, as it is completely based on .NET and therefore provides ways of executing your own C# libraries or even calling the Windows API and its functions directly.

You can automate (almost) everything with PowerShell.

Further information on this dedicated topic can be found here:

http://www.exploit-monday.com/2017/01/powershell-is-not-special-offensive.html

PowerShell version 5 and its integrated logging and controlling capabilities, however, really made a difference:

Attackers will leave their fingerprints on the machines, and you, as a defender, will be able to completely control the execution of PowerShell code in your environment.

And this, we are going to prove throughout the chapter.
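As a first illustration of those version 5 capabilities, the following is an added example (not code from the book) that turns on Script Block Logging, Module Logging, and Transcription through their policy registry keys and then reads the recorded script blocks back from the event log. It assumes an elevated session on a Windows machine running PowerShell 5 or later; the transcript directory name is an assumption.

```powershell
# Added example, not from the book: enable the PowerShell v5 logging controls
# via their policy registry keys, then read back what was recorded.
# Assumes an elevated session on Windows with PowerShell 5.x or later.
#Requires -RunAsAdministrator

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed path

    # Script Block Logging: every script block is written as event 4104 in
    # Microsoft-Windows-PowerShell/Operational, including code that is only
    # built or decoded at runtime, so obfuscation does not hide it.
    $sbl = Join-Path $policyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module Logging: pipeline execution details (event 4103) for all modules
    $ml = Join-Path $policyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*'

    # Transcription: full console input and output, one text file per session
    $tr = Join-Path $policyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name OutputDirectory -Value $TranscriptDir
    New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
}

function Get-LoggedScriptBlock {
    # Return the most recent script blocks recorded as event 4104.
    param([int]$Last = 20)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $Last -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $_.UserId                # SID of the account that ran it
            Script = $_.Properties[2].Value   # the script block text itself
        }
    }
}

Enable-PowerShellLogging
# Sessions started after this point are recorded; inspect the log with:
Get-LoggedScriptBlock -Last 5 | Format-List
```

In a domain the same keys are normally set centrally through Group Policy under Administrative Templates, Windows Components, Windows PowerShell, rather than per machine as shown here.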
