What you need to know about PowerShell attacks

Unlike attacks carried out by traditional malware, fileless malware operations don’t require the attackers to install a single piece of software on a target’s machine. Instead, fileless malware attacks entail taking tools built into Windows, particularly PowerShell, and using them for malicious activity. Using legitimate programs makes detecting these attacks particularly challenging since these tools and the actions they carry out are trusted.

Many of the techniques used by fileless malware attacks have been around for a while. In-memory exploits, for instance, were prominent in the SQL Slammer worm from the early 2000s. But the development and large-scale distribution of exploit kits has made fileless malware attacks much more common. For example, offensive PowerShell frameworks like Empire and PowerSploit and post-exploitation frameworks like Metasploit and Cobalt Strike are especially abused since they can be used to quickly create PowerShell attack payloads.

The difficulty organizations face in detecting these attacks combined with the availability of these techniques is exactly why this tactic is being increasingly adopted. No longer a rogue technique, a third of organizations polled for the SANS 2017 Threat Landscape survey reported facing fileless attacks.

With fileless malware attacks becoming the new norm, here’s what you should know about this threat.

Fileless malware attacks show how attackers have bypassed antivirus software

Attacks involving malware typically work like this: the attacker gains access to a computer, either by tricking someone into downloading something they shouldn't or by exploiting a software flaw, and then installs an executable file that delivers the payload. Antivirus software is designed to scan computers for known malware signatures and block these files from executing.

However, since no malicious executable is dropped on disk in a fileless malware attack, there isn't a file signature for antivirus programs to look for, meaning that fileless malware attacks go undetected by these products. Attackers just need to hijack PowerShell or other trusted tools and use them for malicious activities.

Other security programs aren’t much better at detecting these attacks, which are also referred to as non-malware attacks and living-off-the-land attacks. Since attackers use trusted programs native to Windows to execute commands, most security products automatically whitelist these activities. Other products can’t accurately determine if a tool like PowerShell is being used maliciously.

PowerShell is an attacker’s tool of choice for conducting fileless malware attacks

PowerShell is a powerful scripting language that provides unprecedented access to a machine's internals, including unrestricted access to Windows APIs. PowerShell also offers the benefit of being an inherent part of Windows that's completely trusted, so the commands it executes are usually ignored by security software.

PowerShell’s ability to run remotely through WinRM makes it an even more appealing tool. This feature enables attackers to get through Windows Firewall, run PowerShell scripts remotely or simply drop into an interactive PowerShell session, providing complete admin control over an endpoint. And, if WinRM is turned off, it can be turned on remotely through WMI (Windows Management Instrumentation) using a single line of code.

Using PowerShell in a fileless malware attack completely blurs the line between compromising a single machine and compromising the entire enterprise. The moment an attacker has a user name and password for one machine (or equivalent credential material, which is easily obtained in pass-the-hash (PtH) and pass-the-ticket (PtT) scenarios), the path to complete compromise is laid wide open.

Traditional approaches to security are rendered useless in the face of these attacks because PowerShell is highly reputable, has a trusted signature, is loaded directly through system memory (which cannot be scanned using heuristics) and has unrestricted access to the OS because it’s an integral part of Windows.

Distinguishing between legitimate and malicious PowerShell operations is challenging but possible

Cybereason is the first solution to enable both detection and prevention of malicious PowerShell activities. The Cybereason solution uniquely provides deep visibility into all activities and commands taking place in an environment - including the PowerShell engine.

The solution doesn't only analyze the raw script, the command line, or process interaction and injection. Rather, it looks at every action taken by the code that's running within the PowerShell engine.

Cybereason asks critical behavioral questions, such as which machines invoked remote PowerShell access on other endpoints and how the script is interacting with the remote system. Asking these questions helps identify fileless malware attacks. Combining deep visibility with behavioral analysis, the solution can distinguish - with high fidelity - between malicious and benign PowerShell use.

The Cybereason solution addresses several key requirements including:

  • Addressing all versions of PowerShell, including the most common and least secure PowerShell version 2.
  • Handling every type of invocation of PowerShell, including command line, interactive, script file and loading of System.Management.Automation.dll by managed or unmanaged processes.
  • Coping with obfuscation of any kind.
  • Not affecting the user experience.
  • Notifying analysts about the attack and providing relevant details, such as the users and machines involved.
  • Being configurable, including a blacklist/whitelist option.
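The article names three exposure points a defender should check on every endpoint: the PowerShell 2.0 engine, WinRM as the entry point for remote PowerShell, and visibility into what actually runs inside the engine. The audit below is an added example, not Cybereason's code or part of the original article; it assumes an elevated Windows PowerShell 5.1 session on the host being audited and that script block logging (Event ID 4104) is the visibility source, and the indicator list it matches on is a constructed starting point to tune per environment.

```powershell
# Added defender-side audit (example code, not from the original article).
# Assumes an elevated Windows PowerShell 5.1 session on the audited host.

function Get-PowerShellExposure {
    $result = [ordered]@{}

    # PowerShell 2.0 engine: no script block logging, so attackers downgrade to it.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    $result.PowerShellV2Enabled = [bool]($v2 -and $v2.State -eq 'Enabled')

    # WinRM: service state and configured listeners (the remote PowerShell entry point).
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $result.WinRMRunning   = [bool]($svc -and $svc.Status -eq 'Running')
    $result.WinRMListeners = @(Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue).Count

    # Script block logging policy: without it, Event ID 4104 is not written.
    $sbl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
    $result.ScriptBlockLoggingEnabled = [bool]($sbl -and $sbl.EnableScriptBlockLogging -eq 1)

    [pscustomobject]$result
}

function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24)

    # Constructed indicator list: strings typical of obfuscated or download-and-run
    # script blocks. Tune to the environment; expect benign hits from admin tooling.
    $patterns = 'FromBase64String', 'DownloadString', 'Invoke-Expression', 'EncodedCommand'
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value   # ScriptBlockText is the third property of a 4104 event
        $hits = @($patterns | Where-Object { $text -match [regex]::Escape($_) })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = $_.UserId          # SID of the account that ran the block
                Machine    = $_.MachineName
                Indicators = ($hits -join ',')
                Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

Get-PowerShellExposure | Format-List
Get-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize
```

The exposure report answers the "which machines" question the article raises when run across a fleet, and the 4104 matches give analysts the users, machines and script snippets to triage.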
About the Author

Fred O'Connor

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.