
RSAC16: Microsoft’s Windows PowerShell fully weaponised, security expert warns

Security expert Ed Skoudis says the PowerShell Empire open-source security tool is as much use to attackers as it is to defenders

Microsoft’s Windows PowerShell configuration management framework has been fully weaponised in the past year, warns security expert and SANS Institute instructor Ed Skoudis.

“In the past year, there has been the release of a project called PowerShell Empire. It is awesome. If you do pen testing or red teaming or even vulnerability assessment, I urge you to download PowerShell Empire and check it out,” he told RSA Conference 2016 in San Francisco.

Ironically, this open-source security tool, which is available for free download, is as much use to attackers as it is to defenders, said Skoudis, who described it as a “watershed tool in attacking Windows environments” and a “post-exploitation language” that is “built and optimised for attack”.

The goal of PowerShell Empire is to show what attackers can do with the full force of PowerShell, and to that end it includes a “powerful agent” with a wide variety of features that attackers can use to abuse PowerShell, which has been built into every version of Windows for the past eight years, said Skoudis.

“The agent allows for remote control, it enables users to configure how and when it phones back to you, and it has great integration with operations, so that you can say when you want to delete actions and you can set times of the day when you want the agent to be active or not,” he said.

The PowerShell Empire agent uses PowerShell to load itself into memory without ever touching the disk, said Skoudis, which makes it far less likely to be detected by antivirus and other file-based security controls.

Privilege escalation

The agent also includes privilege escalation modules for acquiring full SYSTEM privileges, and persistence mechanisms that work both with and without elevated privileges, to help maintain access to a system that has been compromised.

“This is a tool that is really convenient and flexible for computer attackers,” said Skoudis, referring to PowerShell Empire’s ability to label sessions, which makes it much easier to integrate into attacker operations because every compromised session can be identified by a descriptive label.

In light of the fact that PowerShell has been fully weaponised, Skoudis said defenders should not rely on its execution policy to keep malicious scripts out.


Although the execution policy is designed to stop users running scripts unintentionally, for example by double-clicking a downloaded .ps1 file, Skoudis said it is not a security feature: the policy only governs the loading of script files and can be switched off or bypassed from any command line or script, so any script can be made to run regardless of the default Restricted setting.
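The bypasses behind that point, as an added example that is not from the article or from PowerShell Empire. It assumes a Windows host with PowerShell 5.x; the demo script path and its one-line content are constructed here, and nothing it does needs administrator rights or makes a persistent change.

```powershell
# Added example, not from the article or from PowerShell Empire: shows why the execution
# policy is a safety catch rather than a security boundary. Assumes PowerShell 5.x on
# Windows; the demo script below is constructed for the example.

$script = Join-Path $env:TEMP 'execpolicy-demo.ps1'
Set-Content -Path $script -Value 'Write-Output "script ran as $env:USERNAME on $env:COMPUTERNAME"'

# The policy is resolved per scope, top to bottom; the first scope that is not Undefined
# wins, so a Group Policy value (MachinePolicy/UserPolicy) overrides everything below it.
Get-ExecutionPolicy -List

# 1. Under the client default (Restricted) running the file is refused.
try {
    & $script
} catch {
    Write-Output "refused by execution policy: $($_.Exception.Message)"
}

# 2. Bypasses that need no admin rights and leave no persistent setting behind.

# a) Per-process override on the command line. Only a Group Policy setting beats this.
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script

# b) The same override from inside an existing session; Process scope dies with the process.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
& $script

# c) Never load a .ps1 at all. The policy only governs script files, so handing the
#    text to the interpreter works even where Group Policy pins the policy to Restricted.
#    This is the shape of a download cradle, with a local file standing in for a URL.
Get-Content -Path $script -Raw | Invoke-Expression
Get-Content -Path $script | powershell.exe -NoProfile -Command -

Remove-Item -Path $script
```

Variant (c) is the one to remember: because the policy is checked only when a script file is loaded, every in-memory loader sidesteps it by construction, which is why controls that look at what PowerShell actually executes (script block logging, AppLocker-enforced constrained language mode) matter and the policy setting does not.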

Microsoft has responded to the weaponisation of PowerShell by adding features to PowerShell 5 in Windows 10 that make attacker use of PowerShell harder to hide and easier to block.

“PowerShell 5 will log all items passed down the pipeline and will log what is happening inside the script blocks, and for Windows 10, it has integration with antimalware, so whatever antimalware is in place, PowerShell can make calls to the antimalware before executing a script,” said Skoudis.

Constrained mode

“PowerShell 5 also has something called ‘constrained mode’ which integrates PowerShell with AppLocker, almost giving whitelisting for PowerShell scripts, but even with this stuff coming up in Windows 10 and PowerShell 5, attackers still have three to five years left of unfettered PowerShell access.”
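Turning on the PowerShell 5 logging described in the two quotes above and then hunting the results for the in-memory loading pattern the Empire agent relies on, as an added example that is not from the article, from Microsoft or from PowerShell Empire. It assumes an elevated PowerShell 5.x session on Windows 10; the registry keys are the ones Group Policy writes, the transcript directory is a placeholder, and the indicator list is a constructed starting point rather than a complete signature set.

```powershell
# Added example, not from the article, from Microsoft or from PowerShell Empire: enable the
# PowerShell 5 logging discussed above, hunt the resulting events for download-cradle and
# in-memory loader patterns, and show what constrained language mode looks like from inside
# a session. Assumes an elevated PowerShell 5.x session on Windows 10. The pattern list and
# transcript path are constructed for the example.

# 1. Policy keys that Group Policy would normally set; new PowerShell sessions pick them up.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'   # pipeline output for every module

New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts'  # placeholder; restrict its ACL

# 2. Strings that recur in Empire-style stagers and other loaders that never touch disk.
$indicators = @(
    'Net\.WebClient', 'DownloadString', 'DownloadFile', 'Invoke-WebRequest',
    'FromBase64String', '-EncodedCommand', '\s-e(nc|c)?\s', 'Invoke-Expression', '\bIEX\b',
    'Reflection\.Assembly', 'VirtualAlloc', 'Invoke-Mimikatz', 'System\.Net\.Sockets'
)
$pattern = $indicators -join '|'

function Find-SuspiciousScriptBlock {
    param([int]$MaxEvents = 1000)
    # Event 4104 (script block logging) carries the de-obfuscated script text, so a
    # -EncodedCommand payload shows up here in the clear.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 property order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
            $text = [string]$_.Properties[2].Value
            $hits = [regex]::Matches($text, $pattern, 'IgnoreCase') |
                        ForEach-Object { $_.Value.Trim() } | Sort-Object -Unique
            if ($hits) {
                [pscustomobject]@{
                    Time          = $_.TimeCreated
                    ScriptBlockId = $_.Properties[3].Value
                    Path          = $_.Properties[4].Value      # empty for code that was never a file
                    Indicators    = $hits -join ', '
                    Preview       = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

Find-SuspiciousScriptBlock | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap

# 3. Constrained language mode, as AppLocker or Device Guard enforcement would impose it.
#    Setting it by hand is only a demonstration: a fresh powershell.exe process escapes it,
#    so the real control is an AppLocker script rule in Enforce mode.
$ExecutionContext.SessionState.LanguageMode                     # FullLanguage on an unrestricted host
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
try {
    New-Object System.Net.WebClient                             # the download cradle's first step
} catch {
    Write-Output "blocked in constrained language mode: $($_.Exception.Message)"
}
```

Two practical notes. First, PowerShell 5 records script blocks it considers suspicious as Warning-level 4104 events even before the policy above is enabled, so the hunting function is worth running on a host where nobody has turned logging on yet. Second, the 4104 event carries the text after decoding and after each layer of Invoke-Expression has run, which is what defeats the encoding tricks that hide the same payload from command-line auditing; the Windows 10 antimalware integration mentioned in the article sees the same decoded content just before it executes.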

Things are moving in the right direction, he said, but until they can be deployed fully, there will still be attacks using PowerShell and that is something defenders should be aware of and should plan for as part of their information security strategy.

Skoudis and some colleagues from SANS Institute highlighted other challenges they expect information security professionals to face in the coming year, including:

  • The trend of broadening attacks to extend beyond targeting personally identifiable information to include other information, such as contact lists.
  • The trend of attackers taking advantage of poor patching practices in Android to exploit system-level vulnerabilities such as the Stagefright flaws in the operating system’s core media library.
  • The trend of attackers compromising developer environments, as with XcodeGhost, a backdoored copy of Apple’s Xcode development environment that was distributed to developers so that the apps they built carried the backdoor.
  • The trend of attackers exploiting vulnerabilities in industrial control systems to cause power failures as seen in Ukraine on 23 December 2015.
  • The trend of targeting insecure third-party software components used by in-house and commercial software developers.
  • The trend of attackers probing the vulnerabilities of the internet of things (IoT) to seek profitable ways of taking advantage of embedded devices.
  • The rapidly increasing trend of encrypting organisations’ data using malware known as ransomware and demanding a ransom be paid in return for the decryption keys.
