In today’s digital landscape, cybersecurity is a top priority for organizations. Hackers are continuously finding new ways to exploit vulnerabilities and compromise systems. PowerShell, a powerful scripting language and automation framework developed by Microsoft, has unfortunately become a favored tool among attackers due to its capability to run .NET code and execute dynamic code downloaded from another system (or the internet) and execute it in memory without ever touching disk. In this blog post, I will delve into how bad actors perform PowerShell exploitation, EDR (Endpoint Detection & Response) evading techniques, etc. Additionally, I’ll explain effective methods to detect the execution of PowerShell scripts within your machine manually.
PowerShell Execution without PowerShell.exe – How you may be exposed to PowerShell Exploitation
PowerShell is included by default in modern versions of Windows, where it’s widely and routinely used by system administrators to automate tasks, perform remote management, and much more. PowerShell interaction occurs through cmdlets, which are commands that enable actions on .NET objects, in turn allowing users direct access to the entire system. While many official cmdlets already exist, any missing required functionality can still be added to by writing new ones that interface with the desired .NET objects.
Virus infected files and trojans can be effectively tracked by Virus and Malware scanners. Browsers are capable to verify the downloaded files these days. Applications need digital signatures before execution. Security scanners can scan files to be written, read, and/or executed to check for known signatures. Even malware delivered via Microsoft Office macros are detected by default settings that no longer allow automatic execution. However, since PowerShell is a trusted application, threat actors can use PowerShell to infiltrate environment, escalate privileges by injecting payloads into running applications, or by utilizing scripts, and carry out malicious activities.
“Invoke expressions” (IEX) in PowerShell are a common method of executing code. They allow for the evaluation of expressions and the execution of code that is stored in a variable. code obfuscation is common throughout many coding languages and PowerShell scripts are no exception. For example, one simple method of bypassing signature detection is by simply splitting out the IEX string into individual characters.
Another method is Character Substitution.
Slightly advanced technique involves Character Substitution and Replacement
Here are some common techniques employed by bad actors to hide the PowerShell execution flow:
- Run code in memory without touching disk.
- Download & execute code from another system.
- Interface with .NET & Windows APIs: Attackers can use Windows Low level APIs for their exploitation. For example, encrypting the disk or whole volume using Cryptographic Windows APIs.
- Code Injection: Attackers may inject malicious PowerShell scripts into legitimate applications, such as web forms or input fields, to execute commands with elevated privileges.
- Social Engineering Attacks: Phishing emails and social engineering techniques are frequently used to trick unsuspecting users into running malicious PowerShell scripts, often disguised as innocent attachments or links.
- Remote Code Execution: Exploiting vulnerabilities in systems or services, hackers can execute PowerShell commands or scripts remotely, enabling them to gain unauthorized access and perform various malicious actions.
- Code obfuscation methods like splitting strings, character substitution, etc.
- Many endpoint security products don’t have visibility into PowerShell activity.
- Most organizations are not watching PowerShell activity.
- CMD.exe is commonly blocked, though not PowerShell.
There are many powerful PowerShell based attack tools available. Some of the famous PowerShell attack tools are given below:
- PowerSploit – Developed by Matt Graeber (@Mattifestation) & Chris Campbell (@obscuresec) Used for Privilege escalation, Credential theft, Persistence.
- Invoke-Mimikatz – Developed by Joseph Bialek (@JosephBialek). Mainly used for Credential theft & reuse, Persistence, Injection, Forged Kerberos ticket creation and much more.
- PowerView – Developed by Will Harmjoy (@HarmJ0y). Mainly used for domain/network situational awareness tool.
- PowerUp – Developed by Will Harmjoy (@harmj0y). Mainly used for local privilege escalation.
- Nishang – Developed by Nikhil Mitt (@nikhil_mitt). Mainly used for penetration testing and offensive security
Detecting PowerShell Execution
To effectively detect the execution of PowerShell scripts and protect your environment, Microsoft provides several tools and features that can help bolster your defenses:
- Process monitoring: Tracking PowerShell.exe process execution is the most basic form and by tracking the command-line arguments, you can detect potentially malicious behavior.
- Windows Event Logging: Enable PowerShell Script Block Logging (Windows Security Event ID 4104) and PowerShell Command-line logging (Windows Security Event ID 400), Module loading and Add-Type logging (Windows Security Event 800 and 4103) available in Windows Event Logging, to capture detailed information about PowerShell commands and scripts executed on your machine. This allows you to monitor for suspicious activities and potential threats. Information on automated monitoring of Windows Event Logs is covered in What is Windows Event Log? | eG Innovations.
- Windows Defender Antivirus: Windows Defender Antivirus is built into Windows and offers protection against malware, including malicious PowerShell scripts. Keep it up to date and regularly scan your system to detect and remove any threats.
- Microsoft Defender Advanced Threat Protection (ATP): Microsoft Defender ATP provides advanced threat detection and response capabilities. Leveraging machine learning and behaviour-based algorithms, it can identify and block malicious PowerShell activities in real-time.
- Azure Sentinel: Azure Sentinel is a cloud-native Security Information and Event Management (SIEM) solution. By integrating Azure Sentinel with your environment, you can centralize and analyse security logs, including PowerShell-related events, to identify potential threats and take proactive measures.
- Microsoft 365 Defender: Microsoft 365 Defender combines various security solutions, such as Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Cloud App Security. This integrated suite can detect and mitigate PowerShell-related attacks across your organization’s endpoints, email, and cloud services.
Conclusions on PowerShell Exploitation
Protecting your environment from PowerShell exploitation requires a multi-layered approach, and Microsoft offers a range of solutions to assist you. By leveraging tools like Windows Event Logging, Windows Defender Antivirus, Microsoft Defender ATP, Azure Sentinel, and Microsoft 365 Defender, you can bolster your defenses, detect malicious PowerShell scripts, and respond promptly to potential threats. Remember to keep your software and security solutions up to date, educate users about phishing and social engineering risks, and follow best practices recommended by Microsoft to maintain a secure environment.
eG Enterprise is an Observability solution for Modern IT. Monitor digital workspaces,
web applications, SaaS services, cloud and containers from a single pane of glass.
Learn more
- VMware (Carbon Black) have published some very interesting data and analysis on PowerShell exploitation in EUC and virtualized environments, see: vmwcb-report-powershell-deep-dive.pdf (vmware.com)
- Read about secure monitoring tool architectures and secure agent communication, here: Secure Monitoring – Open TCP Ports are a security risk (eginnovations.com)
- Information on eG Enterprise’s latest SOC 2 Type 2 security audit is available, see: eG Innovations Successfully Completes SOC 2 Type 2 Audit
- Learn about the security challenges of Shadow IT usage in What is Shadow IT? Will AI make this more challenging?
- Information on automated monitoring of Windows Event Logs is covered in What is Windows Event Log? | eG Innovations
- Microsoft advice on avoiding IEX constructs which increase the risks of PowerShell exploitation attacks is available, see: Avoid using Invoke-Expression – PowerShell | Microsoft Learn