Hackers can use the decade-old tool to execute stealthy cyber attacks
Microsoft’s PowerShell scripting language and shell framework is increasingly being used to create malware and exploited as an attack vector by hackers, according to research from cybersecurity firm Symantec.
PowerShell has become the de facto tool for task automation and the configuration on management frameworks in Windows operating systems with deep access to the system’s functions, replacing the old command line function as the default tool with the Windows 10 Creators Edition, due for arrival in 2017.
Given it is PowerShell is often activated by default on Windows machines and has been around for a decade, it is ripe for exploitation by hackers who have had more than enough time to get to grips with the tool.
As such a mass rollout of PowerShell with Windows could put users of Microsoft’s latest operating system under fire from hack attacks and malware making use of the shell framework.
PowerShell scripts are frequently used in legitimate administration work. They can also be used to protect computers from attacks and perform analysis,” Symantec’s research, entitled The Increasing use of PowerShell in attacks, explained.
“However, attackers are also working with PowerShell to create their own threats. Of all of the PowerShell scripts analysed through the Blue Coat sandbox, 95.4 percent were malicious. We have seen many recent targeted attacks using PowerShell scripts.
“Common cyber criminals are [using] PowerShell as well, such as the Trojan.Kotver attackers, who used the framework to create a fileless infection completely contained in the registry.”
The versatile nature of PowerShell and its ability to easily access all major functions within a Windows operating system is what has given it the scope to become a pervasive hacker tool, as well as a useful function for system administrators.
PowerShell is also appealing to hackers as its can mask the virtual footsteps of hack attacks through the obfuscation of scripts, though by default such commands leave little traces of their presence, which helps keep cyber attacks exploiting PowerShell from being detected by security software.
Depending on the configuration of PowerShell-based cyber attacks, they can also by pass application-whitelisting tools and execute malware payloads directly from memory, making hack attacks stealthier.
Symantec advised that system administrators ensure the keep a close eye on the version of PowerShell they are using and make use of extended monitoring and logging options, which can assist the performance of forensic analysis should a breach happen through the use of PowerShell.
The use of native tools to conduct cyber attacks is worrying as they can be used to seize control of a machine and then execute ransomware attacks to wreak further havoc and force victims to part with money in order to gain back control over their computer and its data.
Quiz: Are you a security pro?