Increased use of powershell in attacks

Increased use of powershell in attacks

During maware creations, attackers are increasingly leveraging tools that already exist on targeted computers. This practice, often referred to as “living off the land”, allows their threats to blend in with common administration work, leave fewer artifacts, and make detection more difficult. Since Microsoft PowerShell is installed on Windows computers by default, it is an ideal candidate for attackers’ tool chain.

PowerShell is a powerful scripting language and shell framework primarily used on Windows computers. It has been around for more than 10 years, is used by many system administrators, and will replace the default command prompt on Windows in the future. 

According to Symantic below are the key findings,

  • Many targeted attack groups already use PowerShell in their attack chain
  • Attackers mainly use PowerShell as a downloader and for lateral movement
  • PowerShell is installed by default on Windows computers and leaves few traces for analysis, as the framework can execute payloads directly from memory
  • Organizations often don’t enable monitoring and extended logging on their computers, making PowerShell threats harder to detect
  • 95.4 percent of the PowerShell scripts analyzed through the Blue Coat sandbox were malicious
  • Currently, most attackers do not use obfuscated PowerShell threats. Only eight percent of these threat families implemented obfuscation
  • 55 percent of the analyzed PowerShell scripts were executed through cmd.exe
  • The most common PowerShell malware was a W97M.Downloader variant, making up 9.4 percent of these types of threats
  • The most commonly used PowerShell command-line argument was “NoProfile” (34 percent), followed by “WindowStyle” (24 percent), and “ExecutionPolicy” (23percent)
  • Over the last six months, we blocked an average of 466,028 emails with malicious JavaScript per day
  • Over the last six months, we blocked an average of 211,235 Word macro downloaders (W97M.Downloader) per day on the endpoint

Common cybercriminals and targeted attackers heavily use PowerShell, as its flexibility makes it an ideal attack tool.Microsoft introduced the PowerShell

scripting language and commandline shell in 2005, installing the framework on all new Windows versions by default. With the deployment of such a powerful scripting environment, security vendors predicted that attackers could use PowerShell in their campaigns. Back in 2004, Symantec discussed the risks seen with the beta version. 

PowerShell provides easy access to all major functions of the operating system. The versatility of PowerShell makes it an ideal candidate for any purpose, whether the user is a defender or attacker. The benefits for attackers have been discussed in various talks, such as this presentation by security researchers David Kennedy and Josh Kelley at Defcon 18 in 2010. In 2011, Matt Graeber released PowerSyringe, which allows easy DLL and shellcode injection into other processes through PowerShell. This research further encouraged penetration testers to develop and use offensive PowerShell scripts. 

As per Symantic The 10 top reasons why attackers use PowerShell are,

  • It is installed by default on all new Windows computers.
  • It can execute payloads directly from memory, making it stealthy.
  • It generates few traces by default, making it difficult to find under forensic analysis.
  • It has remote access capabilities by default with encrypted traffic.
  • As a script, it is easy to obfuscate and difficult to detect with traditional security tools.
  • Defenders often overlook it when hardening their systems.
  • It can bypass application-whitelisting tools depending on the configuration.
  • Many gateway sandboxes do not handle script-based malware well.
  • It has a growing community with ready available scripts.
  • Many system administrators use and trust the framework, allowing PowerShell malware to blend in with regular administration work.

Review below PDF link from Symantic which has a section to discuss the different stages of a PowerShell attack, how the framework is used to support the attacker’s goals, and what challenges the attackers face. 

----- PDF Link

According to Symantic the last two years, penetration tools and frameworks containing PowerShell have sharply risen. These tools often use new PowerShell methods that have not been seen much in malware yet. The community behind these tools is fast-growing and is quick to integrate new ideas. Many other non-PowerShell-specific tools, such as Metasploit, Veil, and Social Engineering Toolkit (SET), include the ability to generate PowerShell payloads and outputs. 

On the defender’s side, a range of PowerShell scripts exists to help us. For example, there are scripts that will generate honeypot files and watch them for ransomware trying to encrypt them. Other scripts create local tar pit folders, which mimic an endless recursive folder structure in an attempt to slow down the ransomware file enumeration process. Another concept uses PowerShell to disable network enumeration, which is often performed for lateral movement.

Adopting a multilayered approach to security minimizes the chance of infection. Symantec has a strategy that protects against malware, including PowerShell threats, in three stages:

  • Prevent: Block the incursion or infection and prevent the damage from occurring
  • Contain: Limit the spread of an attack in the event of a successful infection
  • Respond: Have an incident response process, learn from the attack, and improve defenses Preventing infection is by far the best outcome. 

To summarize Symantic says PowerShell allows attackers to perform malicious actions without deploying any additional binary files, increasing the chances of spreading their threats further without being detected. The fact that PowerShell is installed by default makes the framework a favored attack tool. Furthermore, PowerShell leaves few traces as extended logging is not activated by default.

Leave a comment