




















PowerShell is one of the most important, versatile software tools used in IT automation. Unfortunately, it has also become a powerful instrument for cybercriminals, and a major threat to endpoint security.
In recent years, PowerShell has been used to successfully execute intrusion campaigns around the world. If left unchecked, PowerShell represents a significant threat to enterprises of all sizes. But with some knowledge and understanding of PowerShell security best practices, the risk can be significantly reduced.
PowerShell is a software program built into the Microsoft Windows operating system, though it can also be optionally installed on Mac and Linux systems. It is used by IT professionals to conduct many types of system administration tasks on computer systems in business environments.
Think of PowerShell like an adjustable wrench — it can help turn the crank on any number of software and configuration tasks on enterprise endpoints. It can help with system and activity monitoring; software updates and reboots; user, identity, and access management; system configurations, including security policy and enforcement; and data collection for troubleshooting, reporting, and compliance.
Many of the above tasks can be complex, require a very specific level of detail, or must be executed remotely or on an ongoing basis. With support for custom scripting and automation, PowerShell can be adapted to execute a wide variety of IT systems management use cases, with relative ease.
PowerShell’s ubiquitous position on Windows-based endpoints and its wide-ranging capabilities make it a powerful tool for IT and security administrators alike. Unfortunately, it can be an equally powerful tool in the hands of an attacker.
History has shown that an attacker can employ PowerShell as a helpful tool at nearly any point in the lifecycle of a cyber attack. Here are several examples of how PowerShell facilitates threat actors:
Most cyber attacks begin with some kind of technical and/or human exploit, often conveyed via a malicious file or link in an email. Once the link is clicked or the file is opened, the attacker must ensure an initial foothold is gained, ideally without the victim user ever realizing it.
That’s where PowerShell comes in. Malicious files or links frequently contain a script — a prewritten set of commands — that is secretly executed using PowerShell. One of the most common tactics is for an attacker to use PowerShell to invoke fileless malware, downloaded and executed without ever saving a malicious file to disk. This approach is not only often missed by traditional security controls but is also unnoticeable to the user.
Many multistage cyber attacks require a perpetrator to elevate user privileges on the initial target system, a critical step that enables follow-on actions. PowerShell is the perfect tool for malicious privilege escalation. Because it is a direct conduit to Windows system components, such as the .NET Framework and Active Directory, an attacker can often use PowerShell to execute numerous privilege escalation techniques, such as identify and abuse misconfigurations, DLL hijacking, and User Account Control bypass, among others.
Once an attacker has the necessary access, the next step is to foster connections with other digital locations of value. This is referred to as lateral movement. Once again, PowerShell fits the bill. An attacker can use it to run reconnaissance commands, identify targets, and take action on those targets by transferring hacking tools, executing malware, or even opening PowerShell sessions to spread even further.
A multistage attack will get shut down fast if the adversary doesn’t stay hidden. PowerShell provides ways for an attacker to cloak malicious activity. PowerShell is almost always used when an attacker wishes to employ hard-to-detect fileless malware; it can download and run files in memory, where they can be quickly disposed of with little evidence after the fact. Malicious PowerShell commands can be automated to run at times when they are less likely to be noticed or bundled within established trusted processes. And, while PowerShell does have logs, savvy adversaries can delete or manipulate those logs to cover their tracks.
When an attacker identifies valuable data and is ready to steal it, PowerShell serves as a one-stop-shop for data exfiltration services. It can identify wanted data based on various attributes, compress and break up data into hard-to-spot fragments, encrypt data so that the contents of outbound network traffic flows can’t be easily examined, and facilitate the actual exfiltration via any number of pathways, including HTTPS, DNS, FTP, cloud storage, or email (SMTP).
The techniques outlined above aren’t new. Unfortunately, attackers have used them successfully for quite some time.
In late 2020, a software compromise was discovered in the SolarWinds Orion IT systems management product, used by thousands of organizations globally. A flaw in the software enabled attackers to use Orion as a conduit to launch malware and remotely execute a variety of malicious actions against approximately 18,000 SolarWinds’ customers, becoming one of the most high-profile and costly cyberattack campaigns in history.
The attackers employed PowerShell in multiple phases of the attack. After obtaining a list of users and roles, they used PowerShell commands to discover the privileged domain accounts that would enable them to expand their permissions for follow-on actions. Later, they used PowerShell on target customer machines to execute a variety of commands remotely, including data exfiltration.
A series of global attacks beginning in 2017 utilized a type of self-propagating malware, which came to be called NotPetya. While the malware initially appeared to resemble the well-known Petya ransomware, it earned its modified name because its main purpose wasn’t to extort ransoms, but rather to simply destroy data and related IT assets on compromised systems.
PowerShell proved useful in a number of ways. Even though NotPetya spread itself, once it landed on a new target system, it would use PowerShell to gather system information, including credentials, download malware, and execute precursor commands needed to set the stage for data and drive corruption.
Emotet is a remote access trojan (RAT) most commonly used in multistage phishing attacks. It became prominent during a series of malware campaigns that peaked from 2018-2021 but continue to this day. The phishing messages tricked victims into opening a malicious Microsoft Word or Excel document, which in turn downloaded a variety of malicious files enabling follow-on actions, often including ransomware.
Once again, PowerShell played a prominent role. Once the user opened the infected file, it would trigger obfuscated PowerShell scripts. Those scripts would create a remote connection to download and run in-memory malware, often avoiding detection.
It’s clear that PowerShell represents a considerable cybersecurity risk: it can facilitate many different types of attacks and do so in a way that can be challenging to detect. So, it’s important for organizations to implement PowerShell security controls to gain visibility into how PowerShell is used, prevent malicious PowerShell commands, and detect PowerShell actions that require further review.
If only it were that easy. For most organizations, PowerShell security is surprisingly challenging. Here are just a few of the reasons why:
Despite PowerShell’s long-standing role as an enabler of cyber attacks, many organizations are unaware of the critical role it plays. Because the step-by-step details of how specific cyber attacks work can be quite technical, effectively conveying that need for PowerShell security to business leaders can be quite challenging. Even many IT and cybersecurity leaders are often unaware of or underplay its importance.
PowerShell is essentially built into Windows and is often an essential system administration tool. It is the vehicle through which administrators can view and make configuration adjustments to areas deep within Windows, including the registry, system processes, and Windows application and file systems. Simply turning it off is almost impossible: there are no viable alternatives for some PowerShell functions.
In 2018, Microsoft released a major revamp of PowerShell, based on the Microsoft .NET Core software development framework. This enabled PowerShell versions 6.0 and later to take advantage of modern security features built into Windows. However, earlier, less secure versions of PowerShell are often installed by default, even on current Windows versions, granting attackers an opportunity to leverage it in attacks.
PowerShell has been the target of black hat researchers who discover “zero-day” or unknown vulnerabilities in PowerShell, exploiting them in ways for which there is little or no way to defend. Similarly, attackers can use PowerShell to exploit zero-day vulnerabilities in Windows itself, which may also be hard to detect or prevent.
The standard initial configurations for PowerShell are widely considered to be too permissive. For example, even when execution restriction policies are put in place, attackers can usually bypass them, simply by running a PowerShell command to do so. Also, PowerShell scripts do not require any sort of digital signing for validation, as other Windows functions often do, meaning malicious or unauthorized scripts can be run unless explicit policy controls are in place to prevent it.
Organizations that monitor PowerShell without implementing specific security controls may not be doing enough. Attackers can utilize PowerShell to not only download in-memory fileless malware that doesn’t leave a trace, but they can also alter or erase PowerShell’s logs, making it difficult to determine if PowerShell was used maliciously after the fact.
Fortunately, despite the security challenges it presents, PowerShell security measures can be put in place to significantly decrease the risk it presents to organizations. Some of the most common ones are summarized below.
One of the most comprehensive built-in PowerShell security controls is called constrained language mode. This limits PowerShell to a safe subset of commands, and blocks operations commonly used by attackers. It is often used as a default setting for standard (non-administrator) Windows users.
PowerShell includes an execution limitation policy option that can provide a control regarding how PowerShell loads configuration files and runs scripts. As noted, one of attackers’ favorite techniques is to create a malicious PowerShell script, and trick users into running it. Administrators can enable this control in Windows Group Policy on a per-user and per-host basis.
Newer versions of Windows include application control technologies that can be used to implement system-wide security controls on applications, including PowerShell. It’s considered to be a broadly effective mechanism to prevent arbitrary code execution using PowerShell. In Windows 10, the preferred mechanism is called App Control.
It’s common for organizations to overlook or ignore enabling PowerShell logging. But logging is critical to audit PowerShell activity, particularly should a malicious or anomalous event take place. Organizations can enable different types of PowerShell logging, including module logging and script block (executable script segment) logging, via both Windows and Group Policy settings.
There are a number of other notable PowerShell security best practices that may be appropriate for specific organizations or use cases. Organizations should consult with Microsoft and review Microsoft PowerShell documentation to determine if these additional measures are appropriate.
Organizations need state-of-the-art endpoint security technology that is not only made by experts who understand these challenges, but also deliver proven capabilities to detect and prevent PowerShell attacks.
Arctic Wolf Aurora™ Endpoint Defense, which includes Aurora Protect, delivers market-leading AI-driven prevention, detection, and response, stopping threats before they disrupt your business.
Aurora Endpoint Defense provides a number of built-in PowerShell security capabilities, including PowerShell activity monitoring, control of script execution, and integration with endpoint application controls.
Designed to be easy to use and highly effective, whether on its own or with 24×7 monitoring, Arctic Wolf’s endpoint security offerings provide flexible deployment options so you can strengthen your defenses and ultimately, protect your organization from costly breaches.
See Aurora Endpoint Defense in action, and learn more about Arctic Wolf’s breadth of Managed Endpoint Defense options as well.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。