Understanding the Threat:
Wait a Minute, what is a “PowerShell Attack” anyway?
Attackers are always looking for ways to bypass security, and PowerShell has become a fan favorite among them. PowerShell is present on every system running Windows 7 or Windows Server 2008 and higher. It is primarily used for system administration, and most companies don’t monitor PowerShell activity. That, along with the fact that PowerShell scripts can deliver code without touching the disk, is what makes it so appealing to attackers.
I’m listening, tell me more!
Like most attacks nowadays, these PowerShell scripts are delivered in a weaponized document through email. This is just another reminder of how important Security Awareness Training is for your employees.
Once the script is triggered, it can run its code through PowerShell without ever touching the disk, which bypasses most endpoint protection. The scope of attacks that can then be run is vast and restricted primarily by the attacker’s knowledge and resources.
Well Dang, how can I prevent/detect this?
As mentioned above, proper employee education plays an important role in preventing these attacks by cutting off one of their main delivery methods.
Companies should also consider developing PowerShell standards and best practices. Some recommendations are:
- Update PowerShell to the latest version
- Enable module and script block logging and create alerts
- Configure PowerShell with Constrained Language mode
- Use Application Whitelisting or AppLocker
- Lock down systems that shouldn’t use PowerShell
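One way to check a host against the recommendations above, as an added example rather than code from the original post. The function names are hypothetical, the version 5 threshold is this example's assumption (script block logging shipped with PowerShell 5.0), and the script only reads settings.

```powershell
# Added example: read-only audit of the local host against the list above.
# Run it in an elevated session of the kind you want to assess.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the policy key or value is absent (not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-PowerShellHardening {
    $base  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $log   = 'Microsoft-Windows-PowerShell/Operational'
    # Language mode of the current session only; other sessions may differ.
    $mode  = $ExecutionContext.SessionState.LanguageMode
    # AppLocker rules are only enforced while the Application Identity service runs.
    $appId = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    # Event 4104 is written when script block logging records a script block.
    $last  = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4104 } `
                 -MaxEvents 1 -ErrorAction SilentlyContinue

    $sbl = Get-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging'
    $ml  = Get-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging'

    $checks = [ordered]@{
        'Engine version 5 or later'   = ($PSVersionTable.PSVersion.Major -ge 5)
        'Script block logging policy' = ($sbl -eq 1)
        'Module logging policy'       = ($ml -eq 1)
        'Script block events present' = ($null -ne $last)
        'Constrained language mode'   = ("$mode" -eq 'ConstrainedLanguage')
        'AppLocker service running'   = ($appId -and ($appId.Status -eq 'Running'))
    }
    # Emit one object per check so results can be filtered or exported.
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
}

Test-PowerShellHardening | Format-Table -AutoSize
```

A policy check that passes while "Script block events present" fails suggests the setting is configured but events are not reaching the Operational log, which is worth investigating before building alerts on it.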
If you are using an Endpoint Protection Product, make sure it is up to date and reach out to the vendor to see whether they have added any capabilities to block or detect PowerShell scripts. If they have, the feature could be disabled or not configured properly for your company.
The Wrap up!
While PowerShell can be a very useful and powerful tool for your company, it is important to safeguard yourself against the ever-increasing threats. If you don’t have a policy in place, you should get to work on that immediately. It’s better to push forward than to look backwards and think “If we only did this before it became an issue”.