PowerShell was created with the intention of helping system administrators automate tasks and maintain configurations. However, it didn’t take long for attackers to learn that it could be used to carry out offensive activities covertly.
Because of PowerShell’s adaptability, it can be observed in every phase of an attack: as the initial infection vector in the macros of weaponised documents, and in post-exploitation to dump credentials with the infamous Invoke-Mimikatz PowerShell module.
We’ll look at a few situations where PowerShell is used maliciously, how it is done, and the difficulties in spotting these attacks. This blog post walks through an attacker disabling AMSI to avoid being detected, and a case where a heavily encoded and compressed PowerShell command is used to run shellcode.
Why attackers use PowerShell
- Microsoft PowerShell is present on virtually every Windows system, and its binary is signed by Microsoft. Such a ubiquitous, trusted presence makes it an ideal tool for attackers to evade detection and reduces the need to bring extra tools into their arsenals.
- PowerShell accepts its input as an encoded command (the -EncodedCommand switch), so a whole script can be run without a file ever being dropped to disk. The command text is unreadable at a glance, which makes attacks stealthier.
- An attacker can use PowerShell at every stage of an attack: malicious macros embedded in MS Office documents launch it during initial infection, and post-exploitation tools such as Mimikatz are run through it to dump credentials.
- By combining PowerShell’s bitwise operators and string operations (-bxor, -bor, -join, -replace), a high level of obfuscation can be achieved. These operators are used to mangle strings and commands so that security products do not recognise them.
- A number of advanced use-cases, such as reflective DLL injection and shellcode execution, can be achieved easily, and various open-source projects for doing so are readily available on the web.
Different Types of PowerShell attacks
Use in malicious macros
Malicious document macros frequently use PowerShell as the initial infection vector. These attacks can be as simple as downloading and running a second-stage payload or as complicated as process hollowing.
In the illustration above, the macro function downloads an additional payload or shellcode, which is then executed on the victim machine.
Disabling AMSI to evade detection
Some PowerShell attacks have been observed to first disable Microsoft’s AMSI (Antimalware Scan Interface). AMSI hands every PowerShell script block and command, including content that is only decoded or de-obfuscated at run time, to the installed antimalware engine for scanning before it executes; disabling it removes that check and lets the malicious code run unseen.
Using Mimikatz in post-exploitation
Mimikatz is one of the post-exploitation tools that malware writers and attackers employ most frequently. Credential theft and privilege escalation are its usual uses.
In its first incarnation, Mimikatz demonstrated a single weakness in the Windows authentication mechanism: plaintext credentials could be recovered from the memory of the LSASS process. It has changed significantly in recent years and now includes a wide range of other techniques, such as pass-the-hash and Kerberos ticket manipulation.
The example above shows one way of running Mimikatz: the Invoke-Mimikatz script is downloaded straight from its GitHub repository and executed in memory, infecting the victim’s machine without any file being written.
Encoded and compressed commands
One of PowerShell’s most powerful features is that it accepts encoded commands as input without ever dropping a file to disk. In addition to encoding, it also allows compression (most often gzip, via the .NET GzipStream class), which further obscures the commands.
In the example, PowerShell is given a sizable block of base64 as input, which is executed through the -EncodedCommand switch. Decoding that base64 yields a second layer of base64-encoded, gzip-compressed commands. After decoding and decompressing the output of the earlier operations, the final set of commands, which executes shellcode through various Windows APIs, is shown in Figure 5 above.
Challenges in detecting PowerShell attacks
- Since many legitimate applications use PowerShell for a variety of functions, blocking it outright is not the best course of action: doing so would prevent administrators and users from automating and optimising their lawful duties.
- It can be difficult to tell legitimate PowerShell use from improper use. System administrators use it to automate operations such as user creation and other maintenance procedures, and a malicious actor in the post-exploitation phase carries out very similar actions. Because benign and malicious behaviour look so alike, recognising and responding to harmful PowerShell activity is challenging.
- The majority of attacks never touch the disk; instead, they run as commands directly in memory. As a result, it is difficult to gather artefacts connected to the attack, because no files that could be used for forensic analysis are written to disk.
- PowerShell has a large number of operators and cmdlets that can be used for obfuscation and to bypass security products, which makes it difficult to create reliable string-based signatures.
- To stay hidden and retain stealth, most attacks employ some form of encoding. Support for a variety of encoding techniques is necessary to detect them efficiently.
- PowerShell offers a significant attack surface. It can drive other programs such as WMIC to learn the system’s patch level and conduct follow-on attacks, and it can launch second-stage payloads through WScript and CScript.
How eScan protects its users
eScan protects its users at multiple stages of malware and PowerShell attacks. Additionally, eScan prevents malicious PowerShell execution through other modules, such as URL filtering, Anti-Malware protection, Cloud, and Anti-Ransomware protection.
Conclusion
There are many challenges involved in defending against PowerShell attacks. Its availability and ease of use give cybercriminals and adversarial groups a large attack surface.
In terms of detecting and preventing PowerShell attacks, there is no silver bullet. The risk cannot be eliminated, but it can be reduced by layering several detection technologies.
The best way to protect ourselves against these threats is to avoid running untrusted PowerShell scripts, to enable the latest security features, and to keep the eScan antivirus installed.