PowerShell is a powerful malware tool

CarbonBlack: Use of the scripting language in malware is on the rise

PowerShell used as a tool in compound malware attacks is becoming more common, with 38% of all attacks seen by IT security vendor CarbonBlack and its partners involving the native Windows scripting language.


Its use is so common in enterprises for legitimate purposes that most security devices and personnel don’t regard it as a threat, says Ben Johnson, the chief security strategist at CarbonBlack.

That makes it all the more effective as a component of attacks. Its scripts can run entirely in memory, so they never create a file on disk, Johnson says. “It creates less noise on the system,” so it’s less likely to draw attention to itself, he adds.


It’s also relatively easy to write a script for, making it more productive for attackers to write a PowerShell script than to create compact binary code that would accomplish the same goal, he says.

PowerShell’s versatility is a strength but is also a downside when it’s viewed as an attack tool. In that sense, “PowerShell is too powerful,” Johnson says.

There’s no sure-fire way to stop this malicious use of PowerShell, but security pros can start by monitoring its use to discover how it is being used legitimately and by what applications. In most cases, for example, Microsoft Office applications don’t spawn PowerShell as a process, so that use would be considered suspicious.

If security pros log PowerShell activity and analyze it for anomalies then they can write rules to create alerts about known abnormal activity.

They should also look at the command lines. Legitimate scripts often have lines such as “Ben’s Cleanup Script” that give an intuitive sense of their purpose. Attackers often use Base64 encoding on the command line, frequently incorporating the entire script in the line. “You’ll see it with crazy arguments that humans would never use,” he says.
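As an added example (not from the article or from CarbonBlack), the following Python applies the heuristics described above, an Office parent process, a Base64-encoded command line and unusually long arguments, to constructed process-creation records; the parent-process names, the length threshold and the sample events are assumptions.

```python
import base64

# Constructed sample process-creation events (parent process and command line).
# These are invented for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe",
     "cmdline": 'powershell.exe -File "C:\\Scripts\\Bens Cleanup Script.ps1"'},
    {"parent": "WINWORD.EXE",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand "
                + base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()},
]

# Assumed list of Office parents that should not normally spawn PowerShell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed threshold for "arguments a human would never type".
LONG_CMDLINE = 500


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind an -EncodedCommand argument, or None.

    PowerShell accepts any unambiguous prefix of the switch (-e, -enc, ...),
    so every token starting with a dash is checked as a prefix of the full name.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        if tok[:1] in "-/" and flag and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage(event):
    """Score one process-creation event and surface the decoded script for the analyst."""
    reasons = []
    if event["parent"].lower() in OFFICE_PARENTS:
        reasons.append("spawned by an Office application")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        reasons.append("Base64-encoded command line")
    if len(event["cmdline"]) > LONG_CMDLINE:
        reasons.append("unusually long command line")
    return {"suspicious": bool(reasons), "reasons": reasons, "decoded": decoded}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["parent"], triage(ev))
```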


Security pros should identify who has a need to use PowerShell and others should be restricted from using it. Admins legitimately use it to help with upgrades and patches, but HR staff and the CFO’s office probably don’t need it, he says. Use of PowerShell can also be restricted to certain time windows to make it more difficult for attackers to sneak it by unnoticed.

As it evolves, PowerShell is gaining security features, so upgrading to a newer version can help. For example, PowerShell 5.0 supports better logging, including logging of deobfuscated code as it is executed, according to “PowerShell Deep Dive: A Unified Threat Research Report” written by CarbonBlack. “Note that newer versions of PowerShell are not supported on older versions of Windows, so you may not be able to fully upgrade all systems,” the report notes.

The report recommends setting standards for how PowerShell should be used:

  • Change ExecutionPolicy to only allow signed scripts to run.
  • Require all PowerShell scripts to be run from a specific location or path.
  • Discourage (or require exception for) the use of encoded parameters on the command line.
  • Discourage (or block) PowerShell scripts from downloading content from the Internet (or specify a “whitelist” of allowed IP addresses only).
  • Discourage (or block) the use of PowerShell to invoke commands on remote systems.
  • Require a custom parameter to be passed on all “legitimate” PowerShell usage.
  • Restrict PowerShell to specific users in your organization.
  • Require PowerShell to be launched from a specific process.

A relatively new iteration of ransomware called PowerWare is an example of PowerShell used maliciously. Distributed mainly via phishing attacks, PowerWare initiates as macros within emailed Word attachments. The macros launch an .exe file that starts up two PowerShell instances, one to download the ransomware script and the other to implement it.

PowerShell gives the attacker freedom of movement within the compromised network. “You become an employee of your target,” Johnson says.

Stories by Tim Greene