Endpoint

4/15/2016
03:14 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

PowerShell Increasingly Being Used To Hide Malicious Activity

Data from 1,100 security investigations shows PowerShell was used in 38 percent of cyberattacks

Threat actors often try to take advantage of native tools in operating systems to conceal malicious activities.

One tool that appears to be a particular favorite in this regard is the PowerShell command shell and scripting language that Microsoft has included with its Windows operating system since 2009.

Security firm Carbon Black recently analyzed data from 1,100 investigations conducted by more than two-dozen of its partners in 2015 to see how extensively PowerShell is being exploited in cyber attacks.

The data showed that in 38 percent of the investigated incidents, PowerShell was a part of the attack.  Some 31 percent of the victim organizations said they had no idea that PowerShell had been exploited and discovered that fact only after calling in someone to investigate security incidents.

The most common malicious activity carried out via PowerShell was command and control communications. The data also showed that threat actors, trying to move laterally across a network after breaking into it first, often used PowerShell to conceal their movement. Credential theft and privilege escalation were some of the other common malicious activities enabled via PowerShell.

More than 85 percent of the attacks leveraging PowerShell were what Carbon Black described as commodity attacks such as clickfraud, ransomware, fake antivirus and other opportunistic threats. Many of these attacks appeared focused on stealing customer and financial data, and intellectual property, or on disrupting services. About 13 percent of the attacks appeared targeted, according to Carbon Black.

PowerShell is commonly used to automate repetitive tasks and for system administration purposes. Administrators for instance often use it to access remote systems in order to query them and for executing commands on them.

What makes it an appealing target for compromise is the opportunity it gives attackers to hide malicious activity, Carbon Black said in its report. PowerShell is a ubiquitous part of the Windows environment and is used more for legitimate purposes than not. Therefore it serves as a perfect foil for threat actors to hide their activities, the Carbon Black report noted.

“Its ability to dynamically load and execute code without touching the file system makes it especially difficult to secure,” the company warned.

As is common with many multi-stage attacks these days, PowerShell compromises usual begin via a separate initial compromise enabled through a phishing email or some other social engineering tactic. In a typical attack, a victim might receive a specially crafted Microsoft Office document as an email attachment or as a download via a link in the email. Opening the document usually results in the user being prompted to disable their macro security.

“Many enterprises make extensive use of macros in spreadsheets and Word documents,” says Rico Valdez, senior threat researcher at Carbon Black in comments to Dark Reading. So a target might already be accustomed to disabling macros security to enable enhanced functionality in their docs, he said. “A well-crafted phish in which the target believes the document is coming from a trusted source might have the target believe the macros are legitimate.”

Enterprises need to be cognizant of the risks around PowerShell, Valdez says. What used to be considered a more sophisticated technique until relatively recently has entered the mainstream and is being used in all kinds of attacks, including commodity malware, he says. According to Carbon Black, the relatively easy availability of toolkits such as PowerSploit, PowerShell Empire, p0wnedShell have also made it simple for threat actors to co-opt PowerShell in cyberattacks.

The trend heightens the need for organizations to pay attention to things like setting standards for PowerShell usage, by, for instance, requiring only signed scripts to execute.

Organizations should also consider capturing and monitoring PowerShell executions and storing the log data centrally so an attacker cannot tamper with it. Administrators can then set up alerts on key indicators in the log data, Valdez says. Blocking PowerShell altogether is another option, though that might not always be possible, he says.

“Profile and understand how PowerShell is used in your environment, and watch for or block use that does not meet that profile,” Valdez says. “PowerShell pulling down scripts from the Internet, being invoked with specific parameters, or being launched by users or processes that are not typical in your environment can go a long way toward identifying and stopping these attacks.”

Related stories:

 

Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GeethaR978
50%
50%
GeethaR978,
User Rank: Apprentice
4/16/2016 | 3:26:07 AM
informative
very informative. Helps to gain knowledge about new information and concepts.
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.