For years, organizations and IT professionals have turned to Microsoft’s PowerShell for its efficiency and ease of use. It provides a well-integrated command-line experience for the operating system, and a simple way to manipulate server and workstation components. PowerShell is often treated as more secure than running most other scripting languages, and sometimes even treated as a ‘trusted’ application by security software and administrators.
Unfortunately, it has become increasingly common for cybercriminals to leverage PowerShell as a springboard into your organization and beyond. This abuse of legitimate tools like PowerShell is not new but is on the rise as cybercriminals find new ways to use the tools combined with other tactics and techniques.
How is PowerShell used maliciously?
Many attack types rely on scripting languages to carry out attacks on endpoints. Two of the most common, Living off the Land attacks and malware, often use suspicious PowerShell and cmd.exe scripts.
These scripting languages offer many easily implemented ways to obfuscate data, making automated analysis difficult. Many scripting attacks are constructed in a fragmented fashion, so that no single script is malicious in itself, which gives the impression that each one is ‘safe’. Determining whether a fragmented attack is malicious requires evaluating the many elements in the attack flow together and building an understanding of them, so that patterns and markers can be established.
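To make the correlation point concrete, here is an added illustration (not code from the original post or its author): a small Python detector that scores constructed PowerShell script-block fragments per session rather than one fragment at a time, so that a download, a base64 decode and a dynamic execution that are harmless in isolation are flagged only when they appear together in one flow. The log format, session ids, indicator list and threshold are all assumptions for the example.

```python
"""Correlate PowerShell script-block fragments per session before scoring them."""
import re
from collections import defaultdict

# Constructed sample script-block log entries: (session_id, fragment_text).
# The format is hypothetical; a real feed would come from script-block logging.
SAMPLE_LOG = [
    ("s1", "$u = '<base64 placeholder>'"),
    ("s1", "$d = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($u))"),
    ("s1", "$c = New-Object System.Net.WebClient"),
    ("s1", "$r = $c.DownloadString($d)"),
    ("s1", "Invoke-Expression $r"),
    ("s2", "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"),
    ("s2", "Invoke-WebRequest https://updates.example.invalid/manifest.json"),
]

# Indicators that are common in legitimate admin scripts on their own.
INDICATORS = {
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "web_download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "dynamic_exec": re.compile(r"\bInvoke-Expression\b|\bIEX\b", re.I),
}
# Assumed policy: only a combination of distinct indicators within one session is suspicious.
THRESHOLD = 2


def score_fragment(text):
    """Return the set of indicator names present in a single fragment."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def correlate(entries):
    """Group fragments by session and union their indicators.

    Returns {session_id: (sorted indicator names, is_suspicious)}.
    """
    per_session = defaultdict(set)
    for session_id, text in entries:
        per_session[session_id] |= score_fragment(text)
    return {sid: (sorted(inds), len(inds) >= THRESHOLD)
            for sid, inds in per_session.items()}


if __name__ == "__main__":
    for sid, (inds, suspicious) in correlate(SAMPLE_LOG).items():
        print(f"{sid}: {inds} suspicious={suspicious}")
```

No single fragment in the sample reaches the threshold; only the union over session s1 does, which is the property the text describes.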
For more information on how tools that ease system administration also expand the attack surface for cybercriminals, check out our Threat Insight report.