PowerShell basic capabilities
As with other types of attacks, PowerShell attacks often start with the exploitation of user credentials or system vulnerabilities. Once inside the perimeter, the attacker can leverage overly permissive admin access privileges to execute commands, change proxy settings on servers, harvest passwords, and more. The most common way attackers use PowerShell, though, is as a downloader.
As a scripting language rather than an obvious piece of malware, PowerShell easily evades detection by traditional security tools that rely on signatures to flag anomalous behavior. Importantly, PowerShell includes the capability to monitor what types of connections endpoint processes make, and admins can restrict connections between hosts, servers, applications, etc. Given that PowerShell is a standard network tool, though, overly restrictive policies may impact performance and availability.
Living off the land to cause a data breach is clearly a tactic that’s not going to go away anytime soon. Though there are logging and monitoring capabilities provided in the tool itself, many administrators have these functionalities turned off due to excessive noise and the potential performance and availability problems mentioned above. The key to stopping malicious use of PowerShell is looking at the connections it’s making and the behaviors it’s exhibiting. Is a server talking to another server it’s never connected to before? Is a database suddenly connecting to the internet or sending excessive amounts of data?
There are a hundred ways to obfuscate scripts or commands with a dual-use technology, but an attacker cannot hide bad behavior, provided defenders are looking in the right places for the right things. Traditional network security tools like IDS do not have the granularity to prevent bad behavior. An organization’s better bet is to implement network security tools that allow infrastructure and operations teams to create least-privilege protection policies governing what can talk to what inside the network. Before that can happen, the organization needs a complete picture of all communicating and approved assets and reliable baselines of normal or expected behavior. Once baselines are established, policies can be used to block unexpected behavior, like a user downloading macros from an Office document (which then delivers malware to the user’s system and spreads to connected machines, servers, and other networked assets). Or, policies can be configured to prevent communication by systems running unsigned scripts or trying to bypass execution policies.
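The two checks the last two paragraphs describe (turning on PowerShell's own logging and reviewing what PowerShell processes are connecting to) as an added example; this is not code from the original article, and the approved-address baseline, the 24-hour window and the regex patterns are constructed assumptions to adapt to your environment.

```powershell
# Added defender-side audit script (not from the original article).
# Requires an elevated session on Windows 8.1 / Server 2012 R2 or later.

# --- 1. Enable PowerShell's built-in script block logging (policy registry key) ---
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# --- 2. Review script block events (Event ID 4104) from the last 24 hours ---
# 4104 records the *content* of script blocks, so downloader and encoded-command
# patterns show up here. Assumed patterns; tune them to reduce noise.
$patterns = @('DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient',
              '-EncodedCommand|\s-enc\s|\s-e\s',
              '-ExecutionPolicy\s+Bypass')
$sblFilter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $sblFilter -ErrorAction SilentlyContinue |
    Where-Object { $text = $_.Message; $patterns | Where-Object { $text -match $_ } } |
    Select-Object TimeCreated,
        @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } } |
    Format-Table -Wrap

# Launch flags such as -ExecutionPolicy Bypass live on the process command line,
# which 4104 does not capture; Security 4688 does, if command-line auditing is on.
$procFilter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $procFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'powershell' -and
                   $_.Message -match '-ExecutionPolicy\s+Bypass|\s-ep\s+bypass' } |
    Select-Object TimeCreated,
        @{ n = 'CommandLine'; e = { ($_.Message -split "`n" |
                                     Select-String 'Process Command Line').Line.Trim() } } |
    Format-Table -Wrap

# --- 3. Compare live PowerShell connections against an approved baseline ---
# Constructed baseline: replace with the destinations your environment has approved.
$approved = @('10.0.0.5', '10.0.0.6')
$psPids = (Get-Process -Name powershell, pwsh -ErrorAction SilentlyContinue).Id
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $psPids -contains $_.OwningProcess -and
                   $approved -notcontains $_.RemoteAddress } |
    Select-Object OwningProcess, LocalAddress, RemoteAddress, RemotePort |
    Format-Table
```

Anything the third section prints is a PowerShell process talking to a destination outside the baseline, which is exactly the "server talking to something it never talked to before" question the article raises.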
Zero trust methodology fueled by machine learning
Two key components should be part of the technology used to prevent malicious PowerShell execution: zero trust and machine learning. Zero trust principles dictate that all network traffic should be treated as potentially suspicious until it can be positively verified against a set of criteria. The verification process needs to happen every time a communication request is sent or received. Doing so ensures that if PowerShell, or any other piece of software or service in the environment, is tampered with, the infection can’t propagate to the rest of the network.
Machine learning, for its part, isn’t meant to be a magic cure-all. Buzzwords be damned, security tools that incorporate machine learning simplify the process of baselining and change management, as networks and the traffic on them constantly change (especially in cloud and container environments). Using these baselines, security policies can adapt without breaking dependencies and/or availability of system resources.
In conclusion, infrastructure and operations teams will always have tools in their environments that can be usurped by threat actors for malicious purposes. It would be close to impossible to eliminate every instance of every tool that can be dual purpose. That said, using PowerShell and similar tools does not mean that defenders are destined to have their networks breached. Instead, organizations should implement technologies that:
- Identify and monitor all communicating assets
- Baseline normal behavior using machine learning
- Build zero trust protection policies based on verifiable communication patterns
- Alert on behavioral anomalies in real time
- Adapt to dynamic networks such as the public cloud