Microsoft has released new versions of PowerShell Core to fix a vulnerability (CVE-2019-1167) that can bypass Windows Defender Application Control (WDAC) enforcement to execute untrusted programmes. When WDAC is enabled, PowerShell runs in constrained language mode, which restricts access to sensitive language elements that could otherwise be used to invoke arbitrary Windows APIs. An attacker with access to a local machine can exploit CVE-2019-1167 to escape PowerShell Core constrained language mode and use script debugging to execute any PowerShell module. CVE-2019-1167 affects all PowerShell Core 6.0 versions, PowerShell Core 6.1 versions prior to 6.1.5, and PowerShell Core 6.2 versions prior to 6.2.2. To determine the installed PowerShell version, users can run the “pwsh -v” command from a Command Prompt. If the “pwsh” command does not run, the PowerShell version is obsolete and needs to be updated.
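The version check described above can be scripted so it is repeatable across a fleet. The following PowerShell is an added example written for this page, not code from Microsoft or from the advisory: it reads the output of "pwsh -v", parses the version token, and classifies it against the affected ranges listed above (all 6.0.x, 6.1.x before 6.1.5, 6.2.x before 6.2.2). The function names Test-Cve20191167Affected and Get-InstalledPwshVersion are this example's own.

```powershell
# Added example (not from the advisory): classify a PowerShell Core version
# against the affected ranges the advisory lists for CVE-2019-1167:
#   6.0.x (all), 6.1.x before 6.1.5, 6.2.x before 6.2.2.
function Test-Cve20191167Affected {
    param([Parameter(Mandatory)][string]$VersionString)

    # Strip a pre-release suffix such as "6.2.0-rc.1" so [version] can parse it.
    $core = ($VersionString -split '-')[0]
    $v = [version]$core

    if ($v.Major -ne 6) { return $false }   # only 6.x is in the listed ranges
    switch ($v.Minor) {
        0 { return $true }
        1 { return ($v -lt [version]'6.1.5') }
        2 { return ($v -lt [version]'6.2.2') }
        default { return $false }
    }
}

# Read the installed version. "pwsh -v" prints a line such as "PowerShell 6.2.1";
# keep only the version token. Returns $null when pwsh cannot be run, which the
# advisory treats as an obsolete install.
function Get-InstalledPwshVersion {
    $pwsh = Get-Command pwsh -ErrorAction SilentlyContinue
    if (-not $pwsh) { return $null }
    $out = & $pwsh.Source -v 2>$null
    if ("$out" -match '(\d+\.\d+\.\d+(?:-[\w.]+)?)') { return $Matches[1] }
    return $null
}

$installed = Get-InstalledPwshVersion
if (-not $installed) {
    Write-Output 'pwsh not found or not reporting a version: PowerShell Core is absent or obsolete; update it.'
} elseif (Test-Cve20191167Affected $installed) {
    Write-Output "PowerShell Core $installed is in an affected range for CVE-2019-1167; update to 6.1.5 / 6.2.2 or later."
} else {
    Write-Output "PowerShell Core $installed is not in the affected ranges listed for CVE-2019-1167."
}
```

Test-Cve20191167Affected only encodes the ranges the advisory names; it deliberately reports 7.x and later as unaffected because the advisory says nothing about them, so treat a "not affected" result as "not in the listed ranges" rather than as a general security verdict.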
System administrators are strongly advised to upgrade PowerShell Core to the latest version to mitigate PowerShell abuse. A threat actor with access to a compromised system can “live off the land” by using PowerShell to carry out fileless attacks that are hard to detect. To identify potential PowerShell abuse, administrators can enable PowerShell logging through Group Policy or the Registry and review the logs for suspicious commands and arguments, such as PowerShell being used to make web requests or upload data via HTTP.
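The logging recommendation above can be applied and acted on with a short script. The PowerShell below is an added example written for this page, not code from the advisory: it writes the registry values behind the "Turn on PowerShell Script Block Logging" and "Turn on Module Logging" Group Policy settings for Windows PowerShell, then scans the resulting script block events (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) for the web-request and HTTP-upload patterns the text calls out. The pattern list and the function names Enable-PowerShellLogging and Find-SuspiciousScriptBlocks are this example's own choices; run it from an elevated session.

```powershell
# Added example (not from the advisory): enable script block and module logging
# via the policy registry keys, then hunt the operational log for HTTP activity.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    foreach ($sub in 'ScriptBlockLogging', 'ModuleLogging', 'ModuleLogging\ModuleNames') {
        $p = Join-Path $base $sub
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    }
    New-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging `
        -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging `
        -Value 1 -PropertyType DWord -Force | Out-Null
    # A "*" entry under ModuleNames logs pipeline events for every module.
    New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' `
        -Value '*' -PropertyType String -Force | Out-Null
}

# Constructed watch-list: cmdlets, aliases and .NET types commonly seen when a
# script fetches or posts data over HTTP. Extend it to fit your environment.
$SuspiciousPatterns = @(
    'Invoke-WebRequest', 'Invoke-RestMethod', '\biwr\b', '\birm\b', '\bcurl\b', '\bwget\b',
    'Net\.WebClient', 'DownloadString', 'DownloadFile', 'UploadString', 'UploadFile',
    'HttpClient', 'WebRequest\]::Create'
)

function Find-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 2000)
    $regex = ($SuspiciousPatterns -join '|')
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # For event 4104 the third property is the logged script block text.
            $text = [string]$_.Properties[2].Value
            if ($text -match $regex) {
                $collapsed = $text -replace '\s+', ' '
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Match   = $Matches[0]
                    Snippet = $collapsed.Substring(0, [Math]::Min(120, $collapsed.Length))
                }
            }
        }
}

Enable-PowerShellLogging
Find-SuspiciousScriptBlocks | Format-Table -AutoSize
```

The registry keys above are the Windows PowerShell policy keys; PowerShell Core ships its own Group Policy templates and, on Windows, writes its script block events to a separate PowerShellCore/Operational log, so for pwsh confirm the policy path and log name from the templates installed with the version you deploy before reusing this script. Matches in the snippet column are a starting point for triage, not a verdict: legitimate administration also makes web requests, so pair the hits with the user, host and parent process context from the same events.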