BreachExchange mailing list archives
Power Shell is a powerful malware tool
From: inga () riskbasedsecurity com (Inga Goddijn)
Date: Wed, 13 Apr 2016 22:53:47 -0500
http://www.networkworld.com/article/3054786/security/power-shell-is-a-powerful-malware-tool.html PowerShell used as a tool in compound malware attacks is becoming more common, with 38% of all attacks seen by IT security vendor CarbonBlack and its partners involving the native Windows scripting language. Its use is so common in enterprises for legitimate purposes that most security devices and personnel donât regard it as a threat, says Ben Johnson, the chief security strategist at CarbonBlack. That makes it all the more effective as a component of attacks. Its scripts can run in memory only so it never creates a file on disk, Johnson says. âIt creates less noise on the system,â so itâs less likely to draw attention to itself, he adds. Itâs also relatively easy to write a script for, making it more productive for attackers to write a PowerShell script than to create compact binary code that would accomplish the same goal, he says. PowerShellâs versatility is a strength but is also a downside when itâs viewed as an attack tool. In that sense, âPowerShell is too powerful,â Johnson says. Thereâs no sure-fire way to stop this malicious use of PowerShell, but security pros can start by monitoring its use to discover how it is being used legitimately and by what applications. In most cases, for example, Microsoft Office applications donât spawn PowerShell as a process, so that use would be considered suspicious. If security pros log PowerShell activity and analyze it for anomalies then they can write rules to create alerts about known abnormal activity. They should also look at the command lines. Often legitimate scripts have lines such as âBenâs Cleanup Scriptâ that give an intuitive sense of its purpose. Attackers often use Base64 encoding on the command line, often incorporating the entire script in the line. âYouâll see it with crazy arguments that humans would never use,â he says. PowerShell is too powerful. Security pros should identify who has a need to use PowerShell and others should be restricted from using it. Admins legitimately use it to help with upgrades and patches, but HR staff and the CFOâs office probably donât need it, he says. Use of PowerShell can also be restricted to certain time windows to make it more difficult for attackers to sneak it by unnoticed. As it evolves, PowerShell is gaining security features, so upgrading to a newer version can help. For example, PowerShell 5.0 supports better logging, including for deobfuscated code so it is executed, according to ââPowerShellâ Deep Dive: A Unified Threat Research Reportâ <https://www.carbonblack.com/files/powershell-deep-dive-a-united-threat-research-report/> written by CarbonBlack. âNote that newer versions of PowerShell are not supported on older versions of Windows, so you may not be able to fully upgrade all systems,â the report notes. The report recommends setting standards for how PowerShell should be used: - Change ExecutionPolicy to only allow signed scripts to run. - Require all PowerShell scripts to be run from a specific location or path. - Discourage (or require exception for) the use of encoded parameters on the command line. - Discourage (or block) PowerShell scripts from downloading content from the Internet (or specify a âwhitelistâ of allowed IP addresses only). - Discourage (or block) the use of PowerShell to invoke commands on remote systems. - Require a custom parameter to be passed on all âlegitimateâ PowerShell usage. - Restrict PowerShell to specific users in your organization. - Require PowerShell to be launched from a specific process. A relatively new iteration of ransomware called PowerWare <http://www.networkworld.com/article/3048472/new-ransomware-abuses-windows-powershell-word-document-macros.html> is an example of PowerShell used maliciously. Distributed mainly via phishing attacks, PowerWare initiates as macros within emailed Word attachments. The macros launch an .exe file that starts up two PowerShell instances, one to download the ransomware script and the other to implement it. PowerShell gives the attacker freedom of movement within the compromised network. âYou become an employee of your target,â Johnson says. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160413/60e0d88a/attachment.html>
Current thread:
- Power Shell is a powerful malware tool Inga Goddijn (Apr 13)