How do cyber pros prioritize their security efforts? A good place to start is knowing exactly what tactics, techniques and procedures (TTP) threat actors use. In a recently published report, aggregated data was used to identify the most common attack techniques as defined by the MITRE ATT&CK framework.
The study revealed that PowerShell Command & Scripting Interpreter was the number one attack technique used by threat actors. PowerShell is a command-line shell and scripting language that is widely used by system administrators and security professionals to automate tasks and manage systems. But threat actors can also use PowerShell to carry out malicious activities on compromised systems.
Top Attack Techniques
The report provides a strong representation of adversary activity from authoritative sources. It assembled data from M-Trends, Red Canary’s Threat Detection Report, CTID ATT&CK Sightings Ecosystem and CISA alerts ranging from 2020 to 2022.
At the top of the list of techniques was PowerShell. As per the report, adversaries that breach a system are likely to start up the PowerShell command line utility 28.49% of the time. Using this technique, actors can move laterally throughout a network and gain persistence on the compromised machine. Obfuscating files and exploiting public-facing applications were second and third on the list of top techniques used by attackers.
Palo Alto Networks Unit 42 recently reported that the ransomware gang Vice Society is deploying a new, sophisticated PowerShell script attack to automate data theft. Vice Society’s data exfiltrator uses “living off the land” binaries and scripts unlikely to trigger security alerts. This makes it easier for the actors to encrypt data and then demand a ransom.
How Do Attackers Use PowerShell?
PowerShell is both a command-line shell and a scripting language that can execute commands and scripts on a target system. Therefore, a PowerShell cyberattack is a type of command and scripting interpreter attack. In this type of attack, the hacker leverages a legitimate tool built into Windows.
A PowerShell cyberattack typically involves malicious actions such as:
- Command and Control (C2) Communication: Attackers use PowerShell commands to communicate with their C2 servers, download/execute malware and exfiltrate sensitive data.
- Credential Theft: PowerShell can be used to extract login credentials (such as passwords or tokens) from a compromised system.
- Lateral Movement: Attackers can use PowerShell to move laterally within a compromised network, gaining access to additional systems and resources.
- Fileless Malware: PowerShell can be used to execute fileless malware, which can be difficult to detect by traditional antivirus solutions.
- Data Manipulation: PowerShell can be used to modify or delete files, registry keys and other system settings. This can disrupt normal system operations and cause damage to the system.
Living Off the Land
A PowerShell cyberattack is considered to be a type of Living Off the Land (LOTL) attack. LOTL attacks refer to a technique used by attackers to evade detection by using legitimate tools and functionalities already present in the target system. LOTL techniques avoid using malware that can be detected by antivirus software.
PowerShell is a legitimate tool already present on most Windows systems. It has powerful features that attackers can abuse to carry out malicious activities. In this way, attackers do not have to download any additional malware onto the compromised system.
How to Thwart PowerShell Attacks
There are several methods to detect and prevent PowerShell cyberattacks:
- Restrict PowerShell Usage: Organizations can restrict PowerShell usage to only authorized users and scripts signed by trusted publishers.
- Implement PowerShell Logging and Monitoring: PowerShell generates detailed logs that can help detect suspicious activity. Organizations can enable PowerShell logging and monitor the logs for unusual activity, such as the execution of suspicious commands or scripts.
- Endpoint Detection and Response (EDR): EDR solutions monitor system activity and detect suspicious PowerShell activity, such as the execution of known malicious commands or scripts.
- Apply Software Updates and Patches: Software updates and patches can remediate many PowerShell vulnerabilities. Companies should ensure that all systems are up-to-date with the latest security patches and updates to fix known PowerShell vulnerabilities.
- Implement network segmentation: Network segmentation can limit the impact of a PowerShell attack by restricting the intruder’s ability to move laterally within the network and access sensitive systems and data.
- Threat intelligence: Threat intelligence can provide information on known PowerShell-based attacks and indicators of compromise (IOCs). This can be used to detect and block attacks before they can cause damage.
Behavioral Analysis vs. PowerShell Attacks
Behavioral analysis and anomaly detection can also be effective in detecting PowerShell-based attacks. These techniques focus on monitoring system behavior and detecting deviations from normal behavior patterns, which can indicate the presence of an intruder using PowerShell.
Behavioral analysis involves creating a baseline of normal system behavior and monitoring the system for any deviations from this baseline. This can involve monitoring user activity, network traffic and system processes to detect unusual behavior that may be indicative of an attack.
Anomaly detection involves using machine learning algorithms to detect unusual activity on the system. These algorithms can identify patterns in system activity and alert security teams to any deviations from these patterns. This can help detect PowerShell cyberattacks that involve unusual patterns of system activity.
Should PowerShell be Disabled?
Experts advise against disabling PowerShell as it is a useful command-line interface for Windows. PowerShell can help with forensics, incident response and automating desktop tasks, according to joint advice from the National Security Agency and CISA.
The U.S. Department of Defense also advises against removing PowerShell. As per the DoD, blocking the interface hinders the defensive capabilities that current versions of PowerShell can provide. Removing it also prevents components of Windows from running properly.
While PowerShell is a useful tool, it is also the number one technique attackers use to carry out LOTL attacks. Organizations should be aware of the risks associated with PowerShell and take steps to protect their systems against these types of attacks.