PowerShell was originally intended as a task automation and configuration management program for system administrators. However, it didn’t take long for attackers to realize its potential for carrying out offensive operations without being detected.
Because of PowerShell's versatility, it appears at every stage of an attack: as an initial infection vector in the macros of weaponized documents, and in post-exploitation to dump credentials with the infamous mimikatz PowerShell module.
We'll look at a few scenarios showing where and how PowerShell is used with malicious intent, and at the challenges in detecting these attacks. This blog post shows how a heavily obfuscated PowerShell command is used to execute shellcode and how attackers bypass AMSI to avoid detection.
PowerShell is often used as an initial infection vector in malicious document macros. The complexity of these attacks ranges from simply downloading and executing second-stage payloads to more advanced cases such as process hollowing.
In the example above, the macro function downloads an additional payload (shellcode), which is then executed to gain access to the victim system.
Some PowerShell attacks have been observed first disabling the AMSI (Antimalware Scan Interface) protection provided by Microsoft. All PowerShell scripts and commands are subjected to an AMSI scan to prevent malware from executing.
The malicious code above disables AMSI by patching the 'AmsiScanBuffer' function in 'amsi.dll': it first changes the permissions on the memory page and then overwrites the function with the desired bytes.
Mimikatz is one of the most common post-exploitation tools used by hackers and malware authors. It is typically used to steal credentials and escalate privileges.
In its initial form, Mimikatz demonstrated how to exploit a single vulnerability in the Windows authentication system. It has since evolved considerably, and its latest version contains a myriad of other techniques.
The example above shows one of the ways in which mimikatz is executed: the script is downloaded directly from the GitHub repository and executed on the victim machine.
One of the most powerful features of PowerShell is that it accepts encoded commands as input, so an attacker never has to drop a file to disk. Besides encoding, it also allows compression (Gzip, in most cases), which further aids in obfuscating commands.
In Figure 4, the input to PowerShell is a large block of base64, run using the 'EncodedCommand' switch. Decoding this base64 yields another set of encoded and gzip-compressed commands, listed as output.
Decoding and decompressing that output reveals the final set of commands, which run shellcode using various Windows APIs, as illustrated in Figure 5 above.
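The following Python script is an added example, not code from the original post or from Quick Heal: it peels the layers just described for analysis, decoding the UTF-16LE base64 that '-EncodedCommand' expects and then finding and decompressing the gzip-compressed base64 blob inside, until only plain script text remains. The sample command it analyses is constructed here around a harmless inner script, and the base64-length threshold and the layer-type heuristics are assumptions.

```python
from __future__ import annotations
import base64, binascii, gzip, re, zlib

# Heuristic (assumption): a run of 40+ base64 characters is worth trying to decode.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def bytes_to_text(raw: bytes) -> str | None:
    """Turn one decoded layer into text: gzip, UTF-16LE (-EncodedCommand), raw deflate, or UTF-8."""
    if raw[:2] == b"\x1f\x8b":                          # gzip magic: the common case on this page
        return gzip.decompress(raw).decode("utf-8", errors="replace")
    if len(raw) >= 4 and raw[1] == 0 and raw[3] == 0:   # ASCII script stored as UTF-16LE
        return raw.decode("utf-16-le", errors="replace")
    try:                                                 # .NET DeflateStream output has no header
        return zlib.decompress(raw, -15).decode("utf-8", errors="replace")
    except zlib.error:
        pass
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None                                      # binary blob (e.g. shellcode), not a script layer

def peel(command: str, max_depth: int = 10) -> list[str]:
    """Return every layer of the command, outermost first, until no decodable base64 blob is left."""
    layers = [command]
    for _ in range(max_depth):
        m = B64_RE.search(layers[-1])
        if not m:
            break
        try:
            text = bytes_to_text(base64.b64decode(m.group(0)))
        except binascii.Error:
            break
        if text is None:
            break
        layers.append(text)
    return layers

def build_sample() -> str:
    """Constructed sample (not from the blog): harmless inner script, gzip+base64, then -EncodedCommand."""
    inner = "Write-Host 'hello from the innermost layer'"
    gz = base64.b64encode(gzip.compress(inner.encode())).decode()
    middle = ("$d=[Convert]::FromBase64String('" + gz + "');"
              "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GZipStream("
              "(New-Object IO.MemoryStream(,$d)),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")
    return "powershell.exe -NoP -W Hidden -EncodedCommand " + base64.b64encode(middle.encode("utf-16-le")).decode()

if __name__ == "__main__":
    for i, layer in enumerate(peel(build_sample())):
        print(f"--- layer {i} ---\n{layer}")
```

The innermost layer is what an AMSI scan or a behavioural engine would ultimately have to judge, so it is the layer worth feeding to detection rules.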
Quick Heal and Seqrite protect their users from multiple stages of malware and attacks that abuse PowerShell. In addition to behavioral protection mechanisms, Quick Heal prevents malicious PowerShell execution through other modules, which include URL filtering, Anti Malware protection, Cloud, and Anti Ransomware protection.
Defending against PowerShell attacks is difficult: because PowerShell is readily available and easy to use, it gives cybercriminals and adversary groups a large attack surface.
There is no silver bullet for detecting and preventing PowerShell attacks. However, the protection provided by various detection technologies can help us mitigate its risks.
As users, we can protect ourselves from these threats by not running untrusted PowerShell scripts, enabling the latest security features, and keeping the Quick Heal antivirus and the OS updated.