
I might be a bit biased working in offensive security, but 90% of the PowerShell I see in use is malicious.

Unfortunately Microsoft has let the genie out of the bottle, and most of the advancements in PowerShell security are centered around trying to add ACLs and logging to a scripting language, or figuring out how much of it you can disable and still have things work in production.

One of the best things we can hope to do going forward is sign on more Antivirus vendors to support Microsoft AMSI [1] which is basically a hook to pass PowerShell (and other scripting languages) off to your AV engine before they get executed.

1. https://msdn.microsoft.com/en-us/library/windows/desktop/dn8...
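The two controls the comment above mentions, logging bolted onto the scripting language and AMSI handing script text to the AV engine, can both be checked from the defender's side. The script below is an added example, not code from the thread or from Microsoft; it assumes Windows 10 / Server 2016 or later with Windows PowerShell 5.1, an elevated session, and the Group Policy registry paths that script block and module logging are configured through. The function names (`Enable-PowerShellLogging`, `Get-AmsiProvider`, `Get-SuspiciousScriptBlock`) and the small set of keyword heuristics are this example's own choices.

```powershell
# Added example (not from the thread): enable PowerShell logging, list which
# AMSI providers are registered, and triage recent script block events.
# Assumes Windows 10 / Server 2016+ with PowerShell 5.1, run as Administrator.

$SblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$ModKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'

function Enable-PowerShellLogging {
    # Writes the same policy values Group Policy sets for "Turn on PowerShell
    # Script Block Logging" and "Turn on Module Logging".
    foreach ($key in $SblKey, $ModKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $SblKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
    Set-ItemProperty -Path $ModKey -Name EnableModuleLogging -Value 1 -Type DWord
    # Module logging takes a list of module names; '*' means every module.
    $names = Join-Path $ModKey 'ModuleNames'
    if (-not (Test-Path $names)) { New-Item -Path $names -Force | Out-Null }
    Set-ItemProperty -Path $names -Name '*' -Value '*'
}

function Get-AmsiProvider {
    # AV engines that implement AMSI register a COM class under this key.
    # No subkeys here means no engine is receiving script content at all.
    $root = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $com   = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        [pscustomobject]@{
            Clsid = $clsid
            Name  = (Get-ItemProperty -Path $com -ErrorAction SilentlyContinue).'(default)'
            Dll   = (Get-ItemProperty -Path "$com\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        }
    }
}

function Get-SuspiciousScriptBlock {
    param([int]$MaxEvents = 500)
    # Event 4104 carries the de-obfuscated script text in Properties[2].
    # The keyword list is a coarse, example-only heuristic for triage, not a
    # detection rule; tune it against what your own admins actually run.
    $patterns = 'FromBase64String', '-EncodedCommand', 'DownloadString',
                'Invoke-Expression', 'IEX', 'Bypass'
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value
            $hits = $patterns | Where-Object { $text -match [regex]::Escape($_) }
            if ($hits) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Hits    = ($hits -join ',')
                    Preview = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

Enable-PowerShellLogging
Get-AmsiProvider | Format-Table -AutoSize
Get-SuspiciousScriptBlock | Format-Table -AutoSize
```

If `Get-AmsiProvider` returns nothing, script text is not being scanned regardless of what the AV product claims, which is the gap the comment is pointing at; script block logging still records what ran, so the 4104 triage works even on a host with no AMSI-aware engine.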



> Unfortunately Microsoft has let the genie out of the bottle

PowerShell has no more rights or power than the user it runs as. Anything you can do in PowerShell you could also do via WMI, Win32 API calls, etc.


> I might be a bit biased working in offensive security, but 90% of the PowerShell I see in use is malicious.

Yes you are; any competent Windows admin that needs to do things will probably be using PowerShell to do said things.


> I might be a bit biased working in offensive security, but 90% of the PowerShell I see in use is malicious.
>
> Unfortunately Microsoft has let the genie out of the bottle

And if you worked in that niche before PowerShell existed, you probably saw similar prevalence in PE/COFF use. Is it fair to say Microsoft "let the genie out" by allowing users of its operating system to run software on it?



