How to protect your network from PowerShell exploits

PowerShell is a powerful and versatile tool for both Windows sysadmins and hackers, who use it to build malicious scripts that avoid detection. This advice will make it harder for them to do so.

Hikers living off the land make use of existing food and water sources to survive in the wilderness. In hacker parlance, “living off the land” means covering your tracks by using tools and code that already exist on the targeted endpoints. This hides the intrusion by making it look like routine administrative activity, so detection tools can’t easily pick it out. Welcome to the world of PowerShell-based attacks.

PowerShell has deep roots in the DOS command line that came with the first IBM PCs back in the 1980s and in the .NET universe. It is now the default command shell packaged with the current Windows 10 version. PowerShell has been around for more than a decade in one form or another; it has come bundled with Windows since Windows 7, and now has Linux versions as well. That widespread availability can only encourage hackers to abuse it in the future.

PowerShell has become increasingly sophisticated, and a primer on essential PowerShell security scripts is well worth reviewing to learn how you can use the language to improve your defenses and be more productive in administering Windows computers. This article shows you how attackers can leverage the same language for their own ends.

PowerShell is versatile, but dangerous

PowerShell is versatile because it can execute a wide range of commands that directly examine and change particular Windows resources, such as Registry objects, environment variables, Windows Management Instrumentation (WMI), and programs running in memory. You can use it to administer Exchange functions and other Windows server tasks. It can install scripts that execute at boot time, which makes it attractive to attackers who want their scripts to persist.

Many antivirus (AV) tools have typically ignored PowerShell scripts, but that is changing as more malware leverages them. A recent report by Symantec found that more than 95 percent of all scripts analyzed by its sandbox tool were malicious, and more than half executed from command line parameters. A file had to look suspicious to begin with before it reached Symantec’s sandbox, but the numbers are still sobering. The scripts causing alarm included Office macros, malicious JavaScript code, fileless injection attacks, and ways to hide suspicious downloads or URLs in phishing emails.

One of the challenges with PowerShell is that it appears in so many legitimate Windows routines and is launched and packaged in so many ways. You can’t simply block it universally across your enterprise without preventing users from getting actual work done.
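Because outright blocking is impractical, the usual defensive answer is to log PowerShell thoroughly and triage how it is launched. The script below is an added example written for this article, not code from CSO or Symantec: it scores a constructed set of process command lines (the kind you would pull from Security event 4688 or Sysmon event 1) for the launch flags that hide a window, skip the profile, or pass an encoded payload, decodes any -EncodedCommand argument so an analyst can read it, and checks whether the Script Block Logging policy value is set. The sample command lines, the benign encoded payload, and the function names are all constructed for the example; the registry key and value name are the real ones set by the “Turn on PowerShell Script Block Logging” group policy.

```powershell
# Added example (not from the article): triage PowerShell launch command lines
# and confirm that Script Block Logging is enabled.

function Test-PowerShellLaunch {
    # Hypothetical helper name; returns one object per command line with
    # the indicators that matched and the decoded -EncodedCommand text, if any.
    param([Parameter(Mandatory)][string]$CommandLine)

    # Launch flags that are legitimate on their own but, combined, are the
    # classic shape of a script trying not to be noticed.
    $indicators = @(
        @{ Name = 'EncodedCommand';         Pattern = '(?i)(^|\s)-(enc|encodedcommand|e|ec)\s' },
        @{ Name = 'HiddenWindow';           Pattern = '(?i)(^|\s)-w(indowstyle)?\s+hidden' },
        @{ Name = 'NoProfile';              Pattern = '(?i)(^|\s)-nop(rofile)?(\s|$)' },
        @{ Name = 'ExecutionPolicyBypass';  Pattern = '(?i)(^|\s)-(ep|executionpolicy)\s+bypass' }
    )
    $hits = foreach ($i in $indicators) {
        if ($CommandLine -match $i.Pattern) { $i.Name }
    }

    $decoded = $null
    if ($CommandLine -match '(?i)(^|\s)-(enc|encodedcommand|e|ec)\s+([A-Za-z0-9+/=]+)') {
        try {
            # -EncodedCommand carries Base64 of a UTF-16LE string, not UTF-8.
            $bytes   = [Convert]::FromBase64String($Matches[3])
            $decoded = [Text.Encoding]::Unicode.GetString($bytes)
        } catch {
            $decoded = '<argument is not valid Base64>'
        }
    }

    [pscustomobject]@{
        Score       = @($hits).Count
        Indicators  = (@($hits) -join ',')
        Decoded     = $decoded
        CommandLine = $CommandLine
    }
}

function Get-ScriptBlockLoggingState {
    # Policy value written by the "Turn on PowerShell Script Block Logging" GPO.
    # When enabled, script text is recorded as event 4104 in the
    # Microsoft-Windows-PowerShell/Operational log.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $value = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return [bool]($value -and $value.EnableScriptBlockLogging -eq 1)
}

# Constructed sample input. The encoded payload is built here from a harmless
# command so the example stays self-contained and readable.
$benignEncoded = [Convert]::ToBase64String(
    [Text.Encoding]::Unicode.GetBytes("Write-Output 'hello'"))

$sampleCommandLines = @(
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\NightlyBackup.ps1',
    "powershell.exe -nop -w hidden -enc $benignEncoded",
    'powershell.exe Get-Service -Name Spooler'
)

$sampleCommandLines |
    ForEach-Object { Test-PowerShellLaunch -CommandLine $_ } |
    Sort-Object Score -Descending |
    Format-Table -AutoSize -Wrap

if (-not (Get-ScriptBlockLoggingState)) {
    Write-Warning 'Script Block Logging is not enabled; encoded or in-memory scripts will leave no 4104 events.'
}
```

Run it in any PowerShell session; the registry check needs only read access. Note that the first sample (a scheduled backup run with -ExecutionPolicy Bypass) still scores 1, which is exactly the noise problem described above: the flags are a ranking signal for analysts, not a blocking rule.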
