PowerShell is a widely used command-line tool and scripting language that system administrators use to automate tasks and manage systems. It is also a popular technique used by threat actors to launch attacks.
Why do threat actors prefer PowerShell?
Easier to deploy a fileless attack/infection which makes it harder to detect as it can execute commands, scripts and binaries directly in memory. Also, it can establish remote connectivity on nearly any Windows device.
How do threat actors leverage PowerShell?
Using a legitimate tool built into Windows, threat actors can evade detection from security products, a type of Living off the Land (LOTL) attack where threat actors use tools already present in the victims’ system to launch an attack, stay put and for lateral movement.
Threat actors abuse PowerShell to do their malevolent activities with ease as they do not have to download any additional malware onto the victims’ system.
Threat actors use PowerShell to not only stay stealth but also to modify files and data on the victims’ system, move laterally and gain additional access, extract sensitive data, and communicate with C2.
Preventing PowerShell Attacks
While it may not be possible to thwart a PowerShell attack completely, organizations can follow good practices to safeguard themselves. A few preventive tips are:
- Enforce least privilege access
- Restrict access and provide necessary privileges to only those who absolutely need it
- Group networks and provide access accordingly
- This will potentially reduce the attack surface by limiting lateral movement and restricting access to critical data
- Log PowerShell activity
- Monitor its logs to identify any intrusions
- Upgrade your devices to the latest version
- Patch your software and hardware against vulnerabilities and keep your devices updated
- Use a reputable security product such as K7 Security Products using Windows AMSI interface
- Windows Antimalware Scan Interface (AMSI) integration with your security product supports scanning of in-memory and dynamic file contents
- Threat Intelligence Data
- Glean information from your Threat Intel DB for PowerShell-based attacks so as to prevent future attacks before they can cause data breaches
It is essential to detect a PowerShell attack. For this, processes showing suspicious behaviour need to be identified and isolated, and the reason for the breach needs to be figured out. System administrators need to monitor user and network traffic and critical processes periodically to see if there are any signs of a breach.
PowerShell being a very important command line tool for Windows should not be entirely disabled. However, administrators can constructively use this for automating tasks, forensics and incident monitoring.
Organizations should be aware of the potential risks that PowerShell and any other Windows tool have and safeguard their devices and network from such LOTL attacks.
