This is one common question that has bugged the mind of many technology users. Some people may assume it to be malware; however it is not Powershell that is dangerous, it’s the intent of the person using it.
Understanding how Powershell works will go a long way in helping you notice when it’s being used for evil purposes. Ransomware attacks are evolving quite rapidly. Hence, hackers employ tools like Powershell to drive their malicious activities unsuspected.
What is Powershell and How Does it Work?
Powershell is a cross-platform task automation solution. It consists of a command-line shell, a framework for configuration management, and a scripting language. Powershell’s use is not restricted to Windows only, but also extends to Linux and macOS.
The modernity of the shell is what makes it stand out amongst other shells. They also include some of the best features you can find. Most shells are known not to accept and return texts. This is however different for Powershell, as its function perfectly executes this. Powershell accepts and returns .NET objects.
Here are some features of Powershell’s command-line shell:
- Completes tab and command prediction
- It supports command and parameter aliases
- Command-line history is comprehensive
Besides its function of embodying a comprehensive command-line shell, it functions as a scripting language. This is why in this article, we will show you how attackers exploit this feature of Powershell. The scripting language allows it to automate the management of solutions very flexibly.
It can also be used to design, test and deploy solutions usually in CI/CD environments. Since PowerShell is designed using .NET CLR or common language runtime, its inputs and outputs are .NET objects.
Powershell incorporates the use of Desired State Configuration (DSC). This management framework allows a user to manage his enterprise infrastructure using configuration. DSC allows you to use this configuration by push or pull models. Its function is not limited to this only.
A user can also create custom scripts for repeatable deployments. These features come in handy when used by bad actors to set up keyloggers, network sniffers, and password cracking.
What Powershell Features do Hackers Use for Hacking?
One thing you should know however, is that Powershell can be used for both good and evil. For example, Powershell features an Execution-Policy that allows a user to control and limit the use of scripts. It works just fine when the script is run locally, but in the memory, it doesn’t get blocked. This flaw is an easily exploitable one, and most hackers have been having a field day with it.
They can simply maneuver and execute PowerShell within environments that seem restricted. This technique is very useful to many hackers. However, in real-life situations, a user’s antivirus (AV) is meant to spot these attempts. So you may want to ask, does the AV in Powershell restrict the activity of hackers?
Well, unfortunately, the AV will only pick these scripts because they’re recognizable. However, they do not hinder what it can be used for. Moreover, a hacker may not have to rely on scripts like this since it leaves them exposed.
What then do they do? They simply go under the radar and execute a code that seems harmless. This then returns information that can be stolen. Let’s consider this, step by step
- Exfiltration Using SMB
The information collected can be extracted in many ways. For example, your external drive can be mapped to extract data over the server message block (SMB) protocol. A temporary network file share can be created for the attacker. Once the attacker has stolen the data, the file share is removed.
- Exfiltration using SMTP Relay
The internet houses multiple open simple mail transfer protocol (SMTP) relay servers. These SMTP relay servers allow one relay email without authentication. There are also authenticated SMTP servers rendering free service. Both options can be used for data exfiltration.
Another popular option for data exfiltration is called PasteBin. This is a website that allows users to post data for its users to see. The website allows for anonymity as well. It features an API that allows a user to upload data.
Let’s consider other ways hackers exploit Powershell features to execute attacks. Some of them are through scripts since they provide hackers with the same abilities as file-based malware.
Brute forcing ZIP files
This script, as its name implies, allows a hacker to use brute force password attacks against password-protected zip files. Scripts can also be made for other password protected files like PDF, CSV, XLS, DOC, and more.
Brute forcing credentials
On windows, the WinRM service is enabled by default to allow remote management. Designed to make management easier for system administrators, remote commands can also be remotely executed through it. Since it works with authentication, the user’s credentials can be validated and can therefore be deployed in a brute force attack.
A lot of open-source intelligence (OSINT) tools crawl the web for information on targets such as a user or domain. These tools are written in python but can be translated in Powershell. For instance, PowerSosh is a script that allows a user to search social media sites for usernames that match. This is possible because most sites will end their URL with …/username.
This easily allows a web request to be invoked to see if the website is live. A typical script-based attack was the attack on Kaseya VSA (virtual system administrator). Kaseya is a remote management tool used to manage organizations’ networks and systems.
The attackers compromised the Kaseya VSA tool and then deployed a malicious update package to all of the clients of Kaseya VSA. The result of this was disastrous, as it was able to encrypt many endpoints in multiple companies. The Powershell script was used to disable Windows defender antivirus protection features like real-time detection and file scanning.
How Do I Protect Myself Against Powershell Attacks?
Powershell can be used ordinarily to execute administrative activities such as patching, system-level scripts and much more. Simply disabling Powershell is not a viable solution for protection against attacks. Some red flags to look out for that might help you stay proactive include:
- Powershell scripting that has base64 encoded commands in their argument
- Powershell scripts that download a file from the internet
- Powershell scripts that modify a scheduled task in the system
- Powershell running the “invoke-command” script
- Powershell using the unrestricted execution policy
Our technology landscape’s evolution is faster than we can imagine. Threats to digital safety are evolving too. Powershell being just an ordinary management platform can become problematic if exploited by hackers.
Commonly misconstrued to be a virus, Powershell is safe to use yourself. Bad actors have devised ways to compromise systems and steal information with Powershell as well. Be careful what you are downloading from the internet, emails, or attachments as these can contain a malicious Powershell script. Keep an eye out for these indicators and you’ll be fine.