Microsoft thought they were boosting the power of Windows scripting tools by adding PowerShell functionality. Back about ten years ago, they improved earlier scripting engines that weren’t really part and parcel to the Windows OS. Well, as is usual with computing innovations, as we move forward with technology we also make it easier for attackers too. And as PowerShell has grown and become open source and even cross-platform (Linux versions became available last year), it has also grown and become an important vector for malware authors too. It now comes bundled with Windows 7, 10 and the latest Windows Server OS versions.
PowerShell is based on the .Net universe that has been a part of Windows programming for a long time. It has its advantages because it can execute a variety of Windows commands and functions, some of them standalone executables and some that are just more advanced command-line operations that date back to the early DOS days. It is a powerful programming language with the typical if/then statements and conditional loops that most programmers take for granted.
Because of these features, malware authors can gain access to the Windows Management Interface, the Windows Registry, and execute commands directly from a PC’s memory. PowerShell scripts can also be installed as services that are automatically run at boot time. Numerous AV tools and application whitelisting programs typically ignore what happens with PowerShell scripts. All of this makes malware harder to detect and to screen, since malware authors can make their code look like ordinary Windows functions.
What makes things worse is that while Windows has protections in place that prevent malicious PowerShell scripts from launching, these protections are easily bypassed by attackers. (For example, Microsoft has a command line parameter called -execution policy bypass that does the trick.) This post on Varonis’ blog goes into more detail how to harden your environment to prevent some of these exploits from being used, including setting access control lists and software restriction policies. The trouble is that the more that you restrict PowerShell, the unhappier your IT department and other legit PowerShell users will become.
One important technique to help protect against PowerShell scripts is to enable system event logging, which can be used to review and then expose a malicious script’s actions.
As an illustration of this technique, take a look at this post from Mari DeGrazia’s Another Forensics Blog that walks you through a series of event log entries to show you how to find malicious scripts. She shows you how malware authors can encode their scripts to further hide them from view. Getting them decoded may take a series of steps, as the post describes. She recommends scanning the questionable scripts through sdbg.exe, shellcode2exe or other malware analysis tools.
Clearly, PowerShell exploits will continue to be a rich source of malware in the future. So, the time to start learning about its use and misuse is now.
To learn more about how to protect yourself against fileless malware and other advanced threats download the “iboss Advanced Malware Defense” data sheet.
David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 25 years. He has had several editorial management positions for both print and online properties and currently writes for Dice, Techtarget's SearchSecurity.com, ITworld.com and Network World. Find him on Twitter @dstrom and on his website strominator.com.