|Platform||Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1|
|Permissions Required||User, Administrator|
|Data Sources||Windows Registry, File monitoring, Process command-line parameters, Process monitoring|
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.1 Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.
PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
Administrator permissions are required to use PowerShell to connect to remote systems.
- Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.5
- APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke.6 APT29 also used PowerShell scripts to evade defenses.7
- APT3 has used PowerShell on victim systems to download and run payloads after exploitation.8
- The Poseidon Group's Information Gathering Tool (IGT) includes PowerShell components.9
- FIN6 has used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.10
- Stealth Falcon malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server.11
- Patchwork used PowerSploit to download and run a reverse shell.12
- HAMMERTOSS is known to use PowerShell.13
- SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket.6
- AutoIt downloads a PowerShell script that decodes to a typical shellcode loader.14
- POWERSOURCE is a PowerShell backdoor.1516
It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. When PowerShell is necessary, restrict PowerShell execution policy to administrators and to only execute signed scripts. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.17 Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.
If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.
It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution.18 PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.19 An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.
- Microsoft. (n.d.). Windows PowerShell Scripting. Retrieved April 28, 2016.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- PowerSploit. (n.d.). Retrieved December 4, 2014.
- Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.
- Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
- Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
- Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
- Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
- Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.
- FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
- Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
- Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
- FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
- Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
- Sutherland, S. (2014, September 9). 15 Ways to Bypass the PowerShell Execution Policy. Retrieved July 23, 2015.
- Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016.
- Dunwoody, M. (2016, February 11). GREATER VISIBILITY THROUGH POWERSHELL LOGGING. Retrieved February 16, 2016.