Ever since its initial introduction, cybercriminals have been using PowerShell for malicious purposes. More recently, however, malicious use of the tool has been increasing steadily.
As such, it’s important to make sure that you’re adhering to established best practices that can help keep this scripting tool secure in your organization.
In this article, I’ll explain how cybercriminals can maliciously use this scripting tool to harm your company, and what you can do to prevent such attacks.
Let’s start with why PowerShell is such a popular tool among these cybercriminals.
Why Do Cybercriminals Like PowerShell?
As previously noted, PowerShell is a popular tool among attackers. But why is this the case?
Well, for starters, the tool is tightly integrated into the Windows operating system. This means that it exists on nearly every Windows system that an attacker may want to target. Microsoft has also created cross-platform versions of PowerShell that can function on Linux and macOS.
Another reason cybercriminals love to use PowerShell is that it’s possible to manage every component of the Windows operating system through it. This means that cmdlets exist for interacting with virtually any part of the operating system. Before this tool, an attacker would often have to come up with creative ways to interact remotely with various parts of an operating system.
In addition, because PowerShell is a part of Windows, it’s relatively easy for an attacker to evade detection. Unlike a traditional malware attack, the attacker doesn’t necessarily need to install malicious code onto the target machine. This makes it much more difficult for security software to detect a PowerShell-based attack.
Those are just a couple of reasons why cybercriminals love to use this tool. Let’s now look at how it’s normally used in an attack.
How PowerShell is Normally Used in an Attack
Cybercriminals can easily leverage this tool for their benefit. For instance, because PowerShell supports remote administration, an attacker may use it to establish a remote session with a victim’s computer. However, in order to perform this type of attack, the attacker must have a set of credentials used to log on to the target system.
Another way that attackers can use the tool is by simply creating malicious scripts. An unsuspecting administrator may try to download a PowerShell-based tool from the Internet, only to discover after running it that the script has done something to harm their system.
Cybercriminals can also use the scripting tool in a fileless malware attack. This is similar to a remote administration attack, except that the attacker uses the remote session to instruct the victim’s computer to download and install malicious software.
More recently, however, cybercriminals have found a new way to use PowerShell, which I’ll go over next.
Recent Malicious PowerShell Use
Although the previously described attacks have historically made up the bulk of malicious PowerShell uses, countless variations of those techniques exist. More recently, attackers have come up with another way to use the tool for malicious purposes.
A new type of malware called ChromeLoader seeks to generate ad revenue for cybercriminals by manipulating the victim’s browser. While browser manipulation is nothing new, this method used by ChromeLoader is unique.
Like other types of malware, the attack begins with the victim downloading a malicious file (typically an ISO file posing as pirated software). When the victim attempts to install the software contained within this ISO file, the installer instructs PowerShell to install the ChromeLoader browser plugin. A covert Windows Task Scheduler job can periodically check to see if you’ve removed ChromeLoader and will reinstall it if necessary.
In this particular exploit, PowerShell isn’t used as a point of entry, but is instead used to silently download and install the browser plugin. This means that attackers don’t have to worry about tricking you into installing an unwanted plugin.
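The persistence described above relies on a scheduled task that relaunches PowerShell. As an added example (not from the article), this script lists scheduled tasks whose actions start PowerShell with switches commonly used to hide activity, such as -EncodedCommand, -WindowStyle Hidden or -ExecutionPolicy Bypass; the pattern list is an assumption you should tune, and matches are triage leads, not verdicts.

```powershell
# Added example: audit scheduled tasks that launch PowerShell with evasive switches.
# Run in an elevated session on the endpoint being reviewed.
$suspiciousPatterns = @(
    '-e(nc(odedcommand)?)?\s',                  # -e / -enc / -EncodedCommand
    '-w(indowstyle)?\s+hidden',                 # hidden console window
    '-ex(ecutionpolicy)?\s+bypass',             # execution policy bypass
    '-nop(rofile)?\s',                          # skip profile (common in droppers)
    'DownloadString|DownloadFile|FromBase64String'  # download / decode cradles
)
$pattern = $suspiciousPatterns -join '|'   # -match is case-insensitive by default

function Get-SuspiciousPowerShellTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute/Arguments; COM handler actions yield ''
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmd -match 'powershell(\.exe)?|pwsh(\.exe)?' -and $cmd -match $pattern) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    State    = $task.State
                    Author   = $task.Author
                    Command  = $cmd
                }
            }
        }
    }
}

# Review the hits; an unknown author, an odd task path or a base64 blob deserves a closer look.
Get-SuspiciousPowerShellTask | Format-List
```

Legitimate management tooling also schedules PowerShell, so compare the hits against a known-good baseline rather than deleting on sight.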
Even though cybercriminals have found a variety of creative ways to use the tool for nefarious purposes, you have several things that you can do to keep your system safe. Let’s get into those now.
What You Can Do to Prevent a PowerShell-Based Attack
You have several security best practices that you can use to lessen the chances of a PowerShell-based attack. In this section, I’ll go over 5 of them. Let’s get started with the things you can do to prevent such an attack.
1. Make Sure to Keep PowerShell up to Date
Microsoft adds new features and capabilities to each new version. As such, one of the most important things that you can do is to stay up to date with the latest PowerShell version. To find which version you’re using, just open PowerShell and run the Get-Host cmdlet.
It’s worth noting that the version you get with Windows isn’t the most recent. You can download the latest PowerShell release here.
2. Enable PowerShell Logging
Another best practice for keeping PowerShell secure is to enable logging. You can do this in several ways, but one of the most effective methods involves transcription. Enable transcription through the Start-Transcript cmdlet.
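As an added example (not from the article), the script below turns on transcription together with script block and module logging by writing the same registry values that the corresponding Group Policy settings set, then starts a session transcript with Start-Transcript and reads back the newest script-block events. The transcript directory is an assumption; run the script elevated.

```powershell
# Added example: enable PowerShell transcription, script block logging and module logging.
$base          = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\PSTranscripts'   # assumed location; a write-only network share is better
New-Item -Path $transcriptDir -ItemType Directory -Force | Out-Null

# 1. Over-the-shoulder transcription: every session on the host is recorded to a text file.
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting    -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value $transcriptDir -Type String

# 2. Script block logging: the code of every script block that runs is written to
#    Microsoft-Windows-PowerShell/Operational as event ID 4104, after de-obfuscation.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 3. Module logging for all modules: pipeline execution details land in event ID 4103.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# Per-session transcription, as the article mentions, for the current host.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Start-Transcript -Path (Join-Path $transcriptDir "manual-$env:USERNAME-$stamp.txt") -Append

# Quick check: the five most recent script-block events (ScriptBlockText is property index 2).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5 |
    Select-Object TimeCreated, @{ Name = 'ScriptBlock'; Expression = { $_.Properties[2].Value } }
```

Logs and transcripts kept only on the endpoint can be deleted by an attacker who gains administrator rights, so forward the event log and transcript directory to a central collector.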
3. Use Just Enough Administration
Just Enough Administration is a Windows Server security feature that ensures that administrators have only the permissions that they need in order to complete the task at hand. Implementing Just Enough Administration can make it far more difficult for an attacker to wreak havoc over your environment using a PowerShell script.
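As an added example (not from the article), this script registers a minimal JEA endpoint: members of an assumed group, CONTOSO\ServiceDeskOps, can restart the Spooler service and read the System event log, and nothing else. The module name, group name and transcript path are assumptions; run it elevated on the Windows Server host.

```powershell
# Added example: a Just Enough Administration endpoint with one constrained role.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ServiceDeskJEA'
New-Item -Path "$modulePath\RoleCapabilities" -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path "$modulePath\ServiceDeskJEA.psd1" -Description 'JEA role capabilities'

# Role capability file: the allow-list of what the role may run. Parameters are
# constrained too, so Restart-Service cannot be pointed at an arbitrary service.
New-PSRoleCapabilityFile -Path "$modulePath\RoleCapabilities\ServiceDeskOps.psrc" `
    -VisibleCmdlets @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name';    ValidateSet = 'Spooler' } },
        @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name';    ValidateSet = 'Spooler' } },
        @{ Name = 'Get-WinEvent';    Parameters = @{ Name = 'LogName'; ValidateSet = 'System' }, @{ Name = 'MaxEvents' } }
    )

# Session configuration: no language mode beyond what the cmdlets need, a transient
# virtual account instead of the user's own credentials, and every session transcribed.
$pssc = Join-Path $env:TEMP 'ServiceDesk.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\ServiceDeskOps' = @{ RoleCapabilities = 'ServiceDeskOps' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration file: $pssc" }
Register-PSSessionConfiguration -Name 'ServiceDesk' -Path $pssc -Force | Out-Null

# A member of the group connects with the named configuration; Get-Command inside the
# session shows only the allowed cmdlets, and Restart-Service -Name Spooler is the
# sole service action available.
#   Enter-PSSession -ComputerName localhost -ConfigurationName ServiceDesk
```

Because the session runs as a virtual account, a script that breaks out of the role still holds no domain credentials, which is the point of the feature against the attacks described above.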
4. Run Anti-malware Software
Even though PowerShell-based attacks differ from traditional malware-based attacks, it remains critically important to run anti-malware software on all of your network endpoints. For one thing, the presence of PowerShell doesn’t reduce the chance of a conventional malware attack, so anti-malware software is still needed. In addition, some PowerShell-based attacks behave much like malware and may be caught by an anti-malware product’s heuristic capabilities.
5. Practice the Principles of Zero Trust
The idea behind zero trust is that nobody should have access to anything that isn’t absolutely required in order for them to do their job. Additionally, you must verify both user and device identities any time resources get accessed. Putting zero trust principles to work can lessen the chances of a successful attack.
And there you go, those are 5 best practices you can implement in your organization to reduce the likelihood of falling victim to a PowerShell-based attack. Let’s recap.
The Bottom Line
PowerShell is a powerful cross-platform management tool with deep operating system integration. This makes it attractive to cybercriminals. The best way that you can protect yourself against malicious use is to adhere to all of the standard best practices for Windows security.
One thing you should do is continuously keep PowerShell updated with the latest version. You can also enable logging and run anti-malware software to reduce the chances of falling victim to a targeted attack. Also, you can use the Just Enough Administration feature and implement zero trust principles in your organization. All these best practices are highly recommended, so start applying them ASAP! Until next time, stay tuned for more tech articles coming your way.
Do you have any more questions on PowerShell and relevant attacks? Check out the FAQ and Resources sections below!
Can execution policies help prevent a PowerShell-based attack?
Execution policies can help prevent the execution of certain scripts. However, execution policies exist more as an administrative safeguard rather than a true security tool. An attacker who gains the proper permissions can circumvent these execution policies.
Can you mitigate a threat by uninstalling PowerShell?
You can uninstall PowerShell from Windows client operating systems such as Windows 10. However, uninstalling PowerShell from Windows Server isn’t an option. That being the case, it’s better to focus on keeping your environment secure than to try to remove the scripting tool.
Are there any risks associated with removing PowerShell from Windows desktops?
Even though your users probably aren’t using PowerShell, you can bet that some of your management tools are. Microsoft’s System Center products, for example, often run commands behind the scenes when performing management tasks. Overall, uninstalling the tool may limit your ability to manage Windows desktops.
What do cyber security experts recommend in regards to disabling PowerShell?
In June of 2022, national cybersecurity agencies in the US, the UK, and New Zealand released a joint statement. This statement indicated that these agencies recommend making sure that you adhere to configuration and monitoring best practices for PowerShell as opposed to trying to remove it.
Does the PowerShell version play a role in overall security?
It’s important from a security perspective to make sure that you’re running the latest version of the scripting tool. Microsoft routinely adds new features as new versions get released. Version 4, for example, introduced the Over the Shoulder Transcription feature. Similarly, version 7 gave us SSH remoting capabilities.
TechGenix: Article on PowerShell and Malware
Learn how the scripting tool was used by malware in the past.
TechGenix: Article on Malicious PowerShell Scripts
Read more on how malicious PowerShell scripts evade detection.
TechGenix: Article on PowerShell Script Obfuscation
Find out how attackers use obfuscation to mask malicious PowerShell scripts.
Trend Micro: Article on Defending against PowerShell-Based Malware
Discover more about tracking, detecting, and thwarting PowerShell-based attacks.
Blumira: Article on PowerShell Malicious Activity
Read more on malicious PowerShell activity.
Rapid7 Blog: Article on Preventing and Detecting Malicious PowerShell Attacks
Read more on how to detect PowerShell-based attacks.