InsecurePowerShellHost is a .NET Core host process for InsecurePowerShell, a version of PowerShell Core with key security features removed.
InsecurePowerShell is a fork of PowerShell Core v6.0.0, with key security features removed. InsecurePowerShell removes the following security features from PowerShell:
- AMSI - InsecurePowerShell does not submit any PowerShell code to the AMSI, even when there is an actively listening AntiMalware Provider.
- PowerShell Logging - InsecurePowerShell disables ScriptBlockLogging, Module Logging, and Transcription Logging. Even if they are enabled in Group Policy, these settings are ignored.
- LanguageModes - InsecurePowerShell always runs PowerShell code in FullLanguage mode. Attempting to set InsecurePowerShell to alternative LanguageModes, such as RestrictedLanguage mode, does not take any effect.
- ETW - InsecurePowerShell does not utilize ETW (Event Tracing for Windows).
More details are available here.