
Blog

Protecting against PowerShell attacks is easier than you think

Doug Aamoth

Not to ruin anyone’s childhood, but the havoc-wreaking blue shell from Nintendo’s Mario Kart series is not, in fact, called the PowerShell. It should be, but it’s not.


No, that high honor belongs to Microsoft’s task-based command-line shell and scripting language. That’s a mouthful, but in short: PowerShell helps administrators and other power users string a bunch of otherwise repetitive, boring, awful, manual steps together into an automated amalgamation of awesomeness. If there’s a poster child for the old “work smarter, not harder” mantra, it’s PowerShell.


So, PowerShell is great for administrators in that it can greatly reduce the amount of time and effort it takes to manage and configure Windows. But much like the blue shell in Mario Kart, it can also wreak havoc when it’s used as an attack mechanism. It has access to the file system, the registry, certificate stores, and a whole host of other sensitive data.


The issue is that PowerShell is generally treated as a trusted application by security software – heck, it’s part of Windows – so it’s become increasingly popular for malware authors to leverage PowerShell in order to slip bad stuff onto good machines.


Instead of trying to load executable malware files, which anti-virus software often catches, bad guys look to gain control of PowerShell and use it to load malware directly into the computer’s memory, bypassing the need to execute it as a program from the disk – also known as a “file-less” malware attack. Imagine the mess you could make by sneakily sequencing a series of attacks from a tool that Windows trusts!


The good news is that, much like finding an invincibility star in Mario Kart, there’s hope. A proper privilege management solution can limit which users have access to PowerShell, who can run scripts, and either prompt for approval from IT or create an audit trail when high-privilege users start flexing their PowerShell muscles.


Let’s say an attacker manages to get hold of my machine – me, a lowly but handsome marketing professional who has no business doing anything with PowerShell. That attacker would immediately be dead-ended when he or she tried to use my instance of PowerShell to carry out an attack. My organization neuters my PowerShell access; ergo, said attacker is also neutered.


Another way to thwart PowerShell attacks – and attacks from trusted applications in general – is to monitor and protect such applications from unwanted behavior. For instance, should Microsoft Word or Adobe Reader be launching the command prompt? Or PowerShell? Almost certainly not – especially not from the lowly but handsome marketing guy’s machine.
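To make the two ideas above concrete, here is an added example (not code from the post, nor Avecto’s or Defendpoint’s own logic) of the kind of check such monitoring performs: it runs over constructed Sysmon-style process-creation records and flags PowerShell or cmd spawned by a document application, and PowerShell launched by any account outside an assumed allow-list. The user names, file paths and allow-list are assumptions made up for the example.

```python
import ntpath
import re

# Child processes we treat as shells, and parents that have no business spawning them.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}

# Hypothetical allow-list: the only accounts permitted to launch PowerShell at all.
POWERSHELL_ALLOWED_USERS = {"CORP\\adm.jane"}

# Constructed sample records in the style of Sysmon Event ID 1 (ProcessCreate); not real logs.
SAMPLE_LOG = """\
User: CORP\\adm.jane Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage: C:\\Windows\\explorer.exe
User: CORP\\doug Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
User: CORP\\doug Image: C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe ParentImage: C:\\Windows\\explorer.exe
User: CORP\\doug Image: C:\\Windows\\System32\\cmd.exe ParentImage: C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe
User: CORP\\doug Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage: C:\\Windows\\explorer.exe
"""

FIELD_RE = re.compile(r"User: (?P<user>\S+) Image: (?P<image>.+?) ParentImage: (?P<parent>.+)$")

def parse_record(line):
    """Parse one record into a dict with user, image and parent; None if it doesn't match."""
    m = FIELD_RE.match(line.strip())
    return {k: v.strip() for k, v in m.groupdict().items()} if m else None

def basename(path):
    # ntpath handles Windows-style paths even when this runs on a non-Windows host.
    return ntpath.basename(path).lower()

def evaluate(record):
    """Return the names of the rules this record trips (empty list if benign)."""
    child, parent = basename(record["image"]), basename(record["parent"])
    hits = []
    if child in SHELLS and parent in DOCUMENT_APPS:
        hits.append("document-app-spawned-shell")
    if child in {"powershell.exe", "pwsh.exe"} and record["user"] not in POWERSHELL_ALLOWED_USERS:
        hits.append("powershell-by-unauthorized-user")
    return hits

def scan(log_text):
    """Run both rules over every record; return (rule, user, parent, child) tuples."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        for rule in evaluate(rec):
            alerts.append((rule, rec["user"], basename(rec["parent"]), basename(rec["image"])))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT %-32s user=%s parent=%s child=%s" % alert)
```

On the sample data the admin’s PowerShell session from Explorer passes cleanly, while the Word-spawned PowerShell, the Reader-spawned cmd and the marketing user’s own PowerShell launch are all flagged.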


With Defendpoint from Avecto, you not only get a proper and powerful privilege management solution, but you also get state-of-the-art Trusted Application Protection – both of which can help you achieve compliance, operate more efficiently, and fend off PowerShell attacks. Not the Mario Kart ones – you’re on your own there.