During the past few years, toolkits such as PowerSploit, PowerShell Empire, p0wnedShell, and the Social-Engineer Toolkit have made it easier than ever for attackers to use PowerShell for exploitation tactics.
Scanning networks, stealing user credentials, gaining elevated privileges, establishing command-and-control communications, and moving laterally within an organization using PowerShell are nearly plug-and-play, with sample code readily available on the Internet. Because PowerShell scripts can be delivered as text files or generated entirely in memory, many traditional security products cannot distinguish legitimate use from malicious use.
Given the ubiquity of PowerShell and how easily it can be leveraged for malicious purposes, it is not surprising that we are seeing attackers use this tool with increased frequency and effectiveness.
The first-ever United Threat Research report details how PowerShell is being exploited by threat actors to launch cyber attacks.
Key information presented in this report includes:
- How attackers are leveraging PowerShell to remain undetected
- The full scope of the problem, based on 1,100 investigations
- The favored delivery technique among attackers
- What today’s security teams can do to combat the threat