Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/15/2016
03:14 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

PowerShell Increasingly Being Used To Hide Malicious Activity

Data from 1,100 security investigations shows PowerShell was used in 38 percent of cyberattacks

Threat actors often try to take advantage of native tools in operating systems to conceal malicious activities.

One tool that appears to be a particular favorite in this regard is the PowerShell command shell and scripting language that Microsoft has included with its Windows operating system since 2009.

Security firm Carbon Black recently analyzed data from 1,100 investigations conducted by more than two-dozen of its partners in 2015 to see how extensively PowerShell is being exploited in cyber attacks.

The data showed that in 38 percent of the investigated incidents, PowerShell was a part of the attack.  Some 31 percent of the victim organizations said they had no idea that PowerShell had been exploited and discovered that fact only after calling in someone to investigate security incidents.

The most common malicious activity carried out via PowerShell was command and control communications. The data also showed that threat actors, trying to move laterally across a network after breaking into it first, often used PowerShell to conceal their movement. Credential theft and privilege escalation were some of the other common malicious activities enabled via PowerShell.

More than 85 percent of the attacks leveraging PowerShell were what Carbon Black described as commodity attacks such as clickfraud, ransomware, fake antivirus and other opportunistic threats. Many of these attacks appeared focused on stealing customer and financial data, and intellectual property, or on disrupting services. About 13 percent of the attacks appeared targeted, according to Carbon Black.

PowerShell is commonly used to automate repetitive tasks and for system administration purposes. Administrators for instance often use it to access remote systems in order to query them and for executing commands on them.

What makes it an appealing target for compromise is the opportunity it gives attackers to hide malicious activity, Carbon Black said in its report. PowerShell is a ubiquitous part of the Windows environment and is used more for legitimate purposes than not. Therefore it serves as a perfect foil for threat actors to hide their activities, the Carbon Black report noted.

“Its ability to dynamically load and execute code without touching the file system makes it especially difficult to secure,” the company warned.

As is common with many multi-stage attacks these days, PowerShell compromises usual begin via a separate initial compromise enabled through a phishing email or some other social engineering tactic. In a typical attack, a victim might receive a specially crafted Microsoft Office document as an email attachment or as a download via a link in the email. Opening the document usually results in the user being prompted to disable their macro security.

“Many enterprises make extensive use of macros in spreadsheets and Word documents,” says Rico Valdez, senior threat researcher at Carbon Black in comments to Dark Reading. So a target might already be accustomed to disabling macros security to enable enhanced functionality in their docs, he said. “A well-crafted phish in which the target believes the document is coming from a trusted source might have the target believe the macros are legitimate.”

Enterprises need to be cognizant of the risks around PowerShell, Valdez says. What used to be considered a more sophisticated technique until relatively recently has entered the mainstream and is being used in all kinds of attacks, including commodity malware, he says. According to Carbon Black, the relatively easy availability of toolkits such as PowerSploit, PowerShell Empire, p0wnedShell have also made it simple for threat actors to co-opt PowerShell in cyberattacks.

The trend heightens the need for organizations to pay attention to things like setting standards for PowerShell usage, by, for instance, requiring only signed scripts to execute.

Organizations should also consider capturing and monitoring PowerShell executions and storing the log data centrally so an attacker cannot tamper with it. Administrators can then set up alerts on key indicators in the log data, Valdez says. Blocking PowerShell altogether is another option, though that might not always be possible, he says.

“Profile and understand how PowerShell is used in your environment, and watch for or block use that does not meet that profile,” Valdez says. “PowerShell pulling down scripts from the Internet, being invoked with specific parameters, or being launched by users or processes that are not typical in your environment can go a long way toward identifying and stopping these attacks.”

Related stories:

 

Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
GeethaR978
50%
50%
GeethaR978,
User Rank: Apprentice
4/16/2016 | 3:26:07 AM
informative
very informative. Helps to gain knowledge about new information and concepts.
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14230
PUBLISHED: 2019-07-21
An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.7 for WordPress. One could exploit the id parameter in the set_count ajax nopriv handler due to there being no sanitization prior to use in a SQL query in saveQuestionVote. This allows an unauthenticated/unprivileged user ...
CVE-2019-14231
PUBLISHED: 2019-07-21
An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.2 for WordPress. One could exploit the points parameter in the ob_get_results ajax nopriv handler due to there being no sanitization prior to use in a SQL query in getResultByPointsTrivia. This allows an unauthenticated/un...
CVE-2019-14207
PUBLISHED: 2019-07-21
An issue was discovered in Foxit PhantomPDF before 8.3.11. The application could crash when calling the clone function due to an endless loop resulting from confusing relationships between a child and parent object (caused by an append error).
CVE-2019-14208
PUBLISHED: 2019-07-21
An issue was discovered in Foxit PhantomPDF before 8.3.10. The application could be exposed to a NULL pointer dereference and crash when getting a PDF object from a document, or parsing a certain portfolio that contains a null dictionary.
CVE-2019-14209
PUBLISHED: 2019-07-21
An issue was discovered in Foxit PhantomPDF before 8.3.10. The application could be exposed to Heap Corruption due to data desynchrony when adding AcroForm.