Hikers living off the land make use of the food and water sources they find to survive in the wilderness. In hacker parlance, "living off the land" means attackers cover their tracks by making use of tools and code that already exist on the targeted endpoints. This hides their activity by making it look like routine administrative work, so that detection tools can't easily pick it out. Welcome to the world of PowerShell-based attacks.
PowerShell has deep roots in the DOS command line that shipped with the first IBM PCs back in the 1980s and in the .NET universe. It is now the default command shell packaged with the current version of Windows 10. PowerShell has been around for more than a decade in one form or another; it has come bundled with Windows since Windows 7, and now has Linux versions as well. That widespread availability can only encourage hackers to abuse it further in the future.
PowerShell has become increasingly sophisticated, and a primer on essential PowerShell security scripts is well worth reviewing to learn how you can use that language to improve your defenses and be more productive in administering Windows computers. This article shows you how attackers can leverage this language for their own evil purposes.
PowerShell is versatile, but dangerous
PowerShell is highly versatile: it can execute a wide variety of commands that directly examine and change particular Windows resources such as Registry objects, environment variables, Windows Management Instrumentation (WMI), and programs running in memory. You can use it to administer Exchange functions and other Windows server tasks. It can also install scripts that execute at boot time, which makes it attractive to hackers who want their scripts to persist.
One of the challenges with PowerShell is that it is used by so many legitimate Windows routines and can be launched and packaged in so many ways. You can't simply block it across your enterprise without preventing users from getting actual work done.
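Because blocking PowerShell outright is not an option, the practical defensive move is to look for where it has been wired into the persistence spots the preceding paragraphs name: Registry run keys, WMI, and boot-time tasks. The following read-only audit script is an added example written for this article, not code from the original author; the keyword pattern and the three locations it checks are assumptions chosen for illustration, and it should be run from an elevated prompt on the host being reviewed.

```powershell
# Added example (not from the original article): read-only audit of common
# PowerShell persistence locations. Flags entries that launch PowerShell or
# hand it an encoded / download-and-run command line. Assumed keyword set.
$pattern = 'powershell|pwsh|encodedcommand|-enc\b|invoke-expression|downloadstring|frombase64string'
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Source, [string]$Name, [string]$Command) {
    # $findings is read from script scope; .Add() mutates the shared list
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
}

# 1. Run / RunOnce keys for the machine and the current user
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
        if ("$($p.Value)" -match $pattern) { Add-Finding $key $p.Name "$($p.Value)" }
    }
}

# 2. WMI permanent event subscriptions: a CommandLineEventConsumer bound to an
#    __EventFilter fires at boot with no script file on disk to inspect.
Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.CommandLineTemplate -match $pattern) {
            Add-Finding 'WMI:CommandLineEventConsumer' $_.Name $_.CommandLineTemplate
        }
    }

# 3. Scheduled tasks whose action executes PowerShell
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $pattern) { Add-Finding "Task:$($task.TaskPath)" $task.TaskName $cmd }
    }
}

if ($findings.Count -eq 0) { 'No PowerShell-launching persistence entries found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Treat the output as a review list rather than a verdict: Windows itself ships scheduled tasks that run PowerShell, so compare each hit against a known-good baseline from a clean build.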