Threat Management

FireEye discovers two exploits in the wild which use Windows PowerShell scripts

Researchers have found that Windows PowerShell, the command-line shell and scripting tool that allows sysadmins and IT personnel to perform automation and administrative tasks on local and remote systems, is becoming a more attractive target for attackers.

Attacks against PowerShell first surfaced in 2010. At the time it was only seen to be used to complete some steps in a cyber attack – gradually, PowerShell started to show up in malware campaigns.

The scale and level of attacks have come a long way, so much so that FireEye said it has discovered data stealing attacks in which nearly all steps of the attack cycle involved PowerShell commands.

One of these – a campaign targeting login details – used a legitimate looking Russian domain website which has a well-written PowerShell script on it. The homepage of the website discusses martial arts, but it also hosts the PowerShell script. On execution of the EXE file, a PowerShell command to download another PowerShell script is initiated.

What makes this such a powerful attack is that it uses the -hidden switch which ensures the execution of PowerShell scripts are not obvious to the victim in the form of a PowerShell window. Likewise the execution policy is set as unrestricted to make sure the script runs with desired access.

Another campaign, also targeting credentials, involves an RTF file that initiates a series of PowerShell commands. Circulating in Germany and Austria, it was found that the RTF file initiates a download, leading to execution of a payload that initiates a series of PowerShell commands.

In both campaigns, protective and evasive steps are taken at points throughout the attack cycle. According to FireEye, the use of PowerShell, especially in a corporate environment, should be well regulated and monitored with enhanced logging.

Execution of encoded and obfuscated commands should get an extra degree of observance by IT personnel. Due to PowerShell's ability to encode and obfuscate data, security teams should be aware of its malicious uses and ensure they have the expertise to investigate PowerShell attacks.

Fraser Kyle, principal system engineer at Bromium said, "All tools (all software in fact) represent both functionality and risk. Anything that is designed to make the genuine manipulation of software and systems easier can by its nature be misused to corrupt and damage. The key point here is not to point out specific frailties in specific tools, but rather to recognise that all software is vulnerable.”

He added: “Developers are fallible. Users are gullible. These two factors will never change. So instead of chasing our tails we should accept this reality and focus on making our systems more 'secure by design'. Technology like microvirtualization can effectively isolate these kinds of external threats – meaning that an external attacker can no longer use this approach. There's no silver bullet in security, but let's raise the bar as high as we can; or it's just too easy."

Commenting on the implications for enterprise, Ben Campbell, Security Consultant at MWR InfoSecurity, said, "The initial attack vectors FireEye mentions are all traditional methods, such as phishing with an executable. However, we've witnessed attackers also using PowerShell to rapidly develop cheap and flexible tools to perform post-exploitation actions for them, which also evade protections such as AntiVirus."

When asked if IT pros are at risk of letting something like this into their systems Campbell explained, "The issue is that administrators are less likely to have application whitelisting enabled on their workstations, meaning attacks of this nature are highly likely to succeed. Privileged users should be extra vigilant, and where possible use separate systems for day-to-day web browsing and email activities, than their administrative systems."

According to Campbell users can protect themselves from this kind attack. "The standard advice, to prevent exploitation from classic email phishing scams etc, is a given. In addition, enterprises could apply application whitelisting, and remove permissions to read and execute the PowerShellfiles on their host, but these actions are unlikely to be performed by any but the most tech-savvy users."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.