Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/15/2016
03:14 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

PowerShell Increasingly Being Used To Hide Malicious Activity

Data from 1,100 security investigations shows PowerShell was used in 38 percent of cyberattacks

Threat actors often try to take advantage of native tools in operating systems to conceal malicious activities.

One tool that appears to be a particular favorite in this regard is the PowerShell command shell and scripting language that Microsoft has included with its Windows operating system since 2009.

Security firm Carbon Black recently analyzed data from 1,100 investigations conducted by more than two-dozen of its partners in 2015 to see how extensively PowerShell is being exploited in cyber attacks.

The data showed that in 38 percent of the investigated incidents, PowerShell was a part of the attack.  Some 31 percent of the victim organizations said they had no idea that PowerShell had been exploited and discovered that fact only after calling in someone to investigate security incidents.

The most common malicious activity carried out via PowerShell was command and control communications. The data also showed that threat actors, trying to move laterally across a network after breaking into it first, often used PowerShell to conceal their movement. Credential theft and privilege escalation were some of the other common malicious activities enabled via PowerShell.

More than 85 percent of the attacks leveraging PowerShell were what Carbon Black described as commodity attacks such as clickfraud, ransomware, fake antivirus and other opportunistic threats. Many of these attacks appeared focused on stealing customer and financial data, and intellectual property, or on disrupting services. About 13 percent of the attacks appeared targeted, according to Carbon Black.

PowerShell is commonly used to automate repetitive tasks and for system administration purposes. Administrators for instance often use it to access remote systems in order to query them and for executing commands on them.

What makes it an appealing target for compromise is the opportunity it gives attackers to hide malicious activity, Carbon Black said in its report. PowerShell is a ubiquitous part of the Windows environment and is used more for legitimate purposes than not. Therefore it serves as a perfect foil for threat actors to hide their activities, the Carbon Black report noted.

“Its ability to dynamically load and execute code without touching the file system makes it especially difficult to secure,” the company warned.

As is common with many multi-stage attacks these days, PowerShell compromises usual begin via a separate initial compromise enabled through a phishing email or some other social engineering tactic. In a typical attack, a victim might receive a specially crafted Microsoft Office document as an email attachment or as a download via a link in the email. Opening the document usually results in the user being prompted to disable their macro security.

“Many enterprises make extensive use of macros in spreadsheets and Word documents,” says Rico Valdez, senior threat researcher at Carbon Black in comments to Dark Reading. So a target might already be accustomed to disabling macros security to enable enhanced functionality in their docs, he said. “A well-crafted phish in which the target believes the document is coming from a trusted source might have the target believe the macros are legitimate.”

Enterprises need to be cognizant of the risks around PowerShell, Valdez says. What used to be considered a more sophisticated technique until relatively recently has entered the mainstream and is being used in all kinds of attacks, including commodity malware, he says. According to Carbon Black, the relatively easy availability of toolkits such as PowerSploit, PowerShell Empire, p0wnedShell have also made it simple for threat actors to co-opt PowerShell in cyberattacks.

The trend heightens the need for organizations to pay attention to things like setting standards for PowerShell usage, by, for instance, requiring only signed scripts to execute.

Organizations should also consider capturing and monitoring PowerShell executions and storing the log data centrally so an attacker cannot tamper with it. Administrators can then set up alerts on key indicators in the log data, Valdez says. Blocking PowerShell altogether is another option, though that might not always be possible, he says.

“Profile and understand how PowerShell is used in your environment, and watch for or block use that does not meet that profile,” Valdez says. “PowerShell pulling down scripts from the Internet, being invoked with specific parameters, or being launched by users or processes that are not typical in your environment can go a long way toward identifying and stopping these attacks.”

Related stories:

 

Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GeethaR978
50%
50%
GeethaR978,
User Rank: Apprentice
4/16/2016 | 3:26:07 AM
informative
very informative. Helps to gain knowledge about new information and concepts.
Cloud Security Threats for 2021
Or Azarzar, CTO & Co-Founder of Lightspin,  12/3/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Assessing Cybersecurity Risk in Todays Enterprises
Assessing Cybersecurity Risk in Todays Enterprises
COVID-19 has created a new IT paradigm in the enterprise and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27772
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in coders/bmp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned int`. This would most likely lead to an impact to application availability, but could po...
CVE-2020-27773
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char` or division by zero. This would most likely lead to an impact to appli...
CVE-2020-28950
PUBLISHED: 2020-12-04
The installer of Kaspersky Anti-Ransomware Tool (KART) prior to KART 4.0 Patch C was vulnerable to a DLL hijacking attack that allowed an attacker to elevate privileges during installation process.
CVE-2020-27774
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of a too large shift for 64-bit type `ssize_t`. This would most likely lead to an impact to application availability, but co...
CVE-2020-27775
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char. This would most likely lead to an impact to application availability, but c...