
Windows PowerShell tied to more than a third of cyber attacks

Security firm Carbon Black confirms widespread abuse of Windows PowerShell by attackers flying under the radar in line with the trend of exploiting operating systems

Microsoft’s Windows PowerShell configuration management framework was used to launch 38% of cyber attacks seen by security firm Carbon Black and its partners in 2015, a report has revealed.

Security experts had warned that PowerShell had been fully weaponised in the past year – but Carbon Black’s first unified threat report quantifies the risk for the first time.  

The report is based on data from 1,100 cyber security incidents investigated by 28 managed service providers and incident response firms in the Carbon Black partner programme, including BTB Security, EY, Kroll, Optiv, Rapid7 and Red Canary.

More than two thirds of the firms taking part in the study said that they had encountered PowerShell exploits in the past year.

The increased use of PowerShell exploitation supports a growing industry trend of malware authors experimenting with ways of evading detection by exploiting operating system (OS) tools, the report said.

Attacks using PowerShell are very effective in remaining undetected, with 31% of Carbon Black partners reporting that PowerShell-related incidents had triggered no security alerts, indicating that attackers are succeeding in using PowerShell to enter and remain undetected in a company’s system.

Most PowerShell attacks took the form of basic or opportunistic threats, using commodity malware attacks such as click-fraud, fake antivirus and ransomware, while 13% of the attacks involving PowerShell appeared to be targeted or “advanced”.


Common malware types and delivery

The three most common types of malware present during PowerShell attacks are VAWTRAK (53% of attacks investigated), Poweliks (47%) and CRIGENT or Power Worm (42%).

Social engineering remains the favoured technique for delivering PowerShell-based attacks, according to Carbon Black partners.

“PowerShell is a very powerful tool that offers tremendous benefit for querying systems and executing commands, including on remote machines,” said Ben Johnson, Carbon Black’s chief security strategist and cofounder.

“However, more recently we’re seeing bad guys exploiting it for malicious purposes because it flies under the radar of traditional endpoint security products.

“PowerShell gives the bad guys a lot of power because it’s part of the native Windows operating system, which makes it difficult for security teams. On the other hand, PowerShell helps IT guys automate various tasks. The two departments need to come together and strike a balance between IT automation and security,” he said.


In March 2016, the Carbon Black Threat Research Team issued an advisory on a variant of ransomware, dubbed PowerWare, that targets organisations through Microsoft Word and PowerShell.

The researchers found that, by using PowerShell to retrieve and execute the malicious code, the PowerWare ransomware can avoid writing new files to disk and blend in with legitimate activity, making it much more difficult to detect.

Microsoft bolsters Windows 10

At RSA Conference 2016 in San Francisco, security expert and SANS Institute instructor Ed Skoudis warned that the PowerShell Empire open source security tool is as much use to attackers as it is to defenders.

The goal of PowerShell Empire is to show what attackers can do with the full force of PowerShell, but it includes a “powerful agent” with a wide variety of features that attackers can use to exploit PowerShell, which has been built into every version of Windows for the past eight years, said Skoudis.

In light of the fact that PowerShell has been fully weaponised, Skoudis said defenders should not rely on its limited execution policy.

Although PowerShell is designed to restrict the scripts that users can write to prevent accidental damage, Skoudis said this is not a security feature because any script can be used to turn off the default restricted execution policy to allow any script to be executed.

Microsoft has responded to the weaponisation of PowerShell by adding features to PowerShell 5 in Windows 10 to reduce exploitation of PowerShell by attackers.

“PowerShell 5 will log all items passed down the pipeline and will log what is happening inside the script blocks and, for Windows 10, it has integration with antimalware, so whatever antimalware is in place, PowerShell can make calls to the antimalware before executing a script,” said Skoudis.

“PowerShell 5 also has something called ‘constrained mode’ which integrates PowerShell with AppLocker, almost giving whitelisting for PowerShell scripts, but even with this stuff coming up in Windows 10 and PowerShell 5, attackers still have three to five years left of unfettered PowerShell access.”
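The PowerShell 5 defences Skoudis describes can be switched on and checked from an elevated PowerShell session. This is an added example, not code from the article, Carbon Black or Microsoft; the registry policy paths and event IDs are the documented Windows ones, while the lookback window and the keyword pattern are assumptions chosen here.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Carbon Black report or Skoudis' talk): enable the
# PowerShell 5 logging the article describes via the Group Policy registry keys,
# report the defences active in this session, then pull recent script-block events.
# Registry paths and event IDs are the documented Windows ones; $LookbackHours and
# $Pattern are assumptions chosen for this example.

$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: records the de-obfuscated content of every script block
# that runs (Event ID 4104 in Microsoft-Windows-PowerShell/Operational).
$sbl = Join-Path $Base 'ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Module logging: records pipeline execution details for every module (Event ID 4103).
$ml = Join-Path $Base 'ModuleLogging'
New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String

# Report the session state. Execution policy is shown only for completeness:
# as the article notes, it is not a security boundary. LanguageMode reports
# ConstrainedLanguage when an AppLocker policy has constrained this host.
[pscustomobject]@{
    PSVersion       = $PSVersionTable.PSVersion
    ExecutionPolicy = Get-ExecutionPolicy
    LanguageMode    = $ExecutionContext.SessionState.LanguageMode
} | Format-List

# Pull recent script-block events and flag those with traits the report associates
# with in-memory loaders: encoded commands, web downloads, reflective assembly loads.
$LookbackHours = 24   # assumption: review the last day of activity
$Pattern = 'EncodedCommand|FromBase64String|DownloadString|DownloadFile|Invoke-Expression|\bIEX\b|Reflection\.Assembly'
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Pattern } |
    Select-Object TimeCreated, Id,
        @{ n = 'ScriptBlock'; e = { ($_.Message -split "`n")[0..3] -join ' ' } } |
    Format-Table -Wrap
```

The registry keys take effect for new PowerShell sessions, so existing sessions will not be logged until restarted.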
