Weekly Comments

16 - 23 July 2019

Microsoft has released new versions of PowerShell Core to fix a vulnerability (CVE-2019-1167)

Microsoft has released new versions of PowerShell Core to fix a vulnerability (CVE-2019-1167) that can bypass Windows Defender Application Control (WDAC) enforcement to execute untrusted programmes. When WDAC is enabled, PowerShell runs in constrained language mode, which restricts access to sensitive language elements that can be used to invoke arbitrary Windows APIs. An attacker with access to a local machine can exploit CVE-2019-1167 to escape PowerShell Core constrained language mode and use script debugging to execute any PowerShell module. CVE-2019-1167 affects all PowerShell Core 6.0 versions, PowerShell Core 6.1 versions prior to 6.1.5, and PowerShell Core 6.2 versions prior to 6.2.2. To determine the installed PowerShell Core version, users can execute the “pwsh -v” command from a Command Prompt. If the “pwsh” command does not run, the installed PowerShell version is obsolete and needs updating.

System administrators are strongly advised to upgrade PowerShell Core to the latest version to mitigate against PowerShell abuse. A threat actor with access to a compromised system can “live off the land” by using PowerShell to execute fileless attacks that are hard to detect. To identify potential PowerShell abuse, administrators can enable PowerShell logging via Group Policy or the Registry and review the logs for suspicious commands and arguments, such as PowerShell being used to make web requests or upload data over HTTP.
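The following PowerShell script is an added example, not code from the Ensign advisory or from Microsoft. It combines the two checks described above: it parses the output of `pwsh -v` and tests the installed build against the affected ranges stated in the advisory, then enables script block logging through the policy registry keys and scans logged script blocks (event ID 4104) for web-request and upload patterns. The `PowerShellCore` policy path and the `PowerShellCore/Operational` log name are assumed to be the PowerShell Core equivalents of the Windows PowerShell locations; the regular expression of suspicious cmdlets and .NET calls is a constructed starting point, not an exhaustive list.

```powershell
# Added example (not from the advisory): version check for CVE-2019-1167 affected ranges,
# enabling script block logging, and reviewing logged script blocks for HTTP activity.

function Test-AffectedPwshVersion {
    param([Parameter(Mandatory)][version]$Version)
    # Affected ranges as stated in the advisory: all 6.0.x, 6.1.x below 6.1.5, 6.2.x below 6.2.2
    if ($Version.Major -ne 6) { return $false }
    switch ($Version.Minor) {
        0       { return $true }
        1       { return $Version -lt [version]'6.1.5' }
        2       { return $Version -lt [version]'6.2.2' }
        default { return $false }
    }
}

# "pwsh -v" prints a line such as "PowerShell 6.1.3"; extract the version number from it.
if (-not (Get-Command pwsh -ErrorAction SilentlyContinue)) {
    Write-Warning 'pwsh is not on PATH: PowerShell Core is missing or obsolete and should be updated.'
} else {
    $pwshOutput = & pwsh -v
    if ($pwshOutput -match '(\d+\.\d+\.\d+)') {
        $installed = [version]$Matches[1]
        if (Test-AffectedPwshVersion -Version $installed) {
            Write-Warning "PowerShell Core $installed is in a CVE-2019-1167 affected range; upgrade it."
        } else {
            Write-Output "PowerShell Core $installed is not in an affected range."
        }
    }
}

# Enable script block logging by writing the same policy values Group Policy would set.
# Windows PowerShell 5.x and PowerShell Core read separate policy paths; both are set here.
# The PowerShellCore path is an assumption about the Core policy location.
$policyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging',
    'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore\ScriptBlockLogging'
)
foreach ($path in $policyPaths) {
    New-Item -Path $path -Force | Out-Null
    Set-ItemProperty -Path $path -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# Review logged script blocks (event 4104) for web requests or uploads over HTTP.
# Event property index 2 holds the script block text.
function Find-SuspiciousScriptBlocks {
    param(
        [string]$LogName = 'Microsoft-Windows-PowerShell/Operational',
        [int]$MaxEvents = 1000
    )
    # Constructed pattern: common download/upload primitives seen in fileless tradecraft.
    $pattern = 'Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|DownloadString|DownloadFile|UploadString|UploadData|UploadFile'
    Get-WinEvent -LogName $LogName -FilterXPath '*[System[EventID=4104]]' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match $pattern } |
        Select-Object TimeCreated,
                      @{ n = 'ScriptBlock'; e = { ($_.Properties[2].Value -split "`r?`n")[0..2] -join ' ' } }
}

# Windows PowerShell log, then the assumed PowerShell Core log name.
Find-SuspiciousScriptBlocks
Find-SuspiciousScriptBlocks -LogName 'PowerShellCore/Operational'
```

Run the script from an elevated session, since writing under `HKLM:\SOFTWARE\Policies` and reading the operational logs require administrator rights. The pattern only surfaces candidates for review; matches still need to be checked against expected administrative activity before being treated as abuse.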
