PowerShell configuration can work for the defender or for the adversary. Adversaries and offensive security professionals make heavy use of PowerShell in "Living-Off-The-Land" (LotL) attacks, which let them stay stealthy and persistent.
LotL refers to an adversary's attempt to hide their activity among legitimate processes in order to keep that activity persistent and sustainable. LotL has distinctive features: it uses no malware binary, it is fileless because it relies on an interpreted language that is already present on the host, and it executes in memory.
Common LotL tactics are to use software and scripts that are pre-installed in the target environment, existing permissions, and authorized protocols to carry out the malicious behaviour.
Organizations can limit LotL threats by raising their security practitioners' knowledge of the capabilities of the interpreted programming languages running in their environment. A CISO should consider enforced configuration baselines for those languages.
PowerShell, one of the most widely used interpreted languages in organizations, lets adversaries run scripts from volatile memory to carry out malicious behaviour such as establishing Command-and-Control between a victim machine and a remote server.
Running scripts in volatile memory can bypass many security controls, such as anti-virus and application whitelisting, which makes the threat hard for security practitioners to detect and respond to. On Windows 10 and later, the Antimalware Scan Interface (AMSI) passes script content to the installed anti-malware engine before Windows PowerShell 5 executes it, which narrows this gap but does not close it: the engine has to consume AMSI, and the PowerShell 2.0 engine never calls it.
To abuse PowerShell, adversaries need the right to run PowerShell on the host and an execution policy that lets their script files run. Both are usually easy to obtain, because the execution policy is a per-process setting: launching powershell.exe with the -ExecutionPolicy Bypass flag (or setting the policy to Bypass for the Process scope from inside a session) overrides any policy set locally, needs no administrator rights, and is outranked only by a policy enforced through Group Policy. The execution policy has never restricted commands typed or piped into an interactive session; it governs script files only, so an adversary who can launch powershell.exe at all can already run commands.
Security practitioners can consider restricting PowerShell usage to mitigate adversaries' LotL activity. This can be achieved through Group Policy, for example by applying AppLocker or Software Restriction Policy rules to powershell.exe so that only designated administrative accounts may launch it, and by deploying the Windows PowerShell administrative template settings. Group Policy is a feature of Windows, present since Windows 2000, that lets security practitioners centrally configure user accounts and computer accounts across the operating system environment.
Security practitioners should also restrict the PowerShell version and disable or remove PowerShell version 2 from the system. Attackers deliberately downgrade to it (for example with powershell.exe -Version 2) because the 2.0 engine lacks the later security features: no script block logging, no module logging, no AMSI integration and no Constrained Language enforcement. That blind spot helps an adversary carry out lateral movement and persistence unseen. The 2.0 engine is only usable while the Windows PowerShell 2.0 optional feature, and the .NET Framework 3.5 it depends on, are still installed.
Microsoft announced the deprecation of Windows PowerShell 2.0 in 2017, and all supported Windows releases ship PowerShell 5.0 or later, so removing the old engine breaks nothing Microsoft still supports. Security practitioners can enforce PowerShell logging through the Windows PowerShell administrative template settings (module logging, script block logging and transcription), found under Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell. On a single machine these are edited in the Local Group Policy Editor (gpedit.msc); across a domain, in the Group Policy Management Console (gpmc.msc).
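The version removal and the logging settings described above, carried out on a single host as an added example (this is not code from the original article). It writes the same registry values the Group Policy templates set, so the result matches what a GPO would produce; the transcript share \\logs\pstranscripts is a placeholder chosen for this example, not a real server. It assumes Windows 10 or Server 2016 or later with Windows PowerShell 5.1 and an elevated session.

```powershell
# Added example; not code from the original article. Hardens a single host the way the
# Group Policy settings above do, by writing the same registry values the templates set.
# Assumes Windows 10 / Server 2016 or later with Windows PowerShell 5.1, run elevated.
# '\\logs\pstranscripts' is a placeholder share for this example, not a real server.

# 1. Remove the PowerShell 2.0 engine. On a host that ships 5.1, "powershell.exe -Version 2"
#    still falls back to the old engine while this feature is installed, and the old engine
#    produces no script block logging and never calls AMSI.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
if ($v2.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}
# (On Windows Server the equivalent is: Uninstall-WindowsFeature PowerShell-V2)

# Check: the downgrade must now fail. If this prints "2", the old engine is still present.
powershell.exe -Version 2 -NoProfile -Command '$PSVersionTable.PSVersion.Major'

# 2. Logging. These keys are exactly what the templates under
#    Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell write.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Module logging: pipeline execution details for every module (Event ID 4103).
New-Item -Path "$policy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$policy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty -Path "$policy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Script block logging: the de-obfuscated text of every script block as it is compiled
# (Event ID 4104). This is what defeats "runs only in memory" tradecraft, because the
# engine logs the code whether or not it ever touched disk.
New-Item -Path "$policy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$policy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Transcription: a full console transcript per session, written to a central share
# so the host's own user cannot tidy up after themselves.
New-Item -Path "$policy\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$policy\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$policy\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$policy\Transcription" -Name OutputDirectory -Value '\\logs\pstranscripts' -Type String

# 3. Verify from a new session: run any script block, then read its text back out of the
#    Operational log. Property index 2 of a 4104 event is the ScriptBlockText field.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5 |
    Select-Object TimeCreated, @{ n = 'ScriptBlockText'; e = { $_.Properties[2].Value } }
```

Registry values under HKLM\SOFTWARE\Policies are applied by Group Policy on refresh, so on a domain-joined host the matching GPO should carry the same settings or the local values will be overwritten at the next refresh. Script block logging is the setting that matters most against LotL: the 4104 event carries the script text after every layer of obfuscation has been resolved, which is why the 2.0 engine, which does not produce it, has to go first.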
Security teams should ensure that security controls are applied and verified by security practitioners to restrict access and privileges on, and for, PowerShell features. For example, PowerShell has four language modes, which specify the language elements allowed in a session. In Full Language mode a session can call the whole .NET Framework, COM and, through Add-Type, native Win32 APIs, so it is as capable as native code; that reach is what makes language mode an access control concern.
Which mode a session runs in determines whether it serves the security practitioner or the adversary. The modes are:
- Full Language
- Constrained Language
- Restricted Language
- No Language
These modes should be assigned according to the defense-in-depth design and operational requirements. In practice Constrained Language mode is not set by hand but enforced by application control (Windows Defender Application Control or AppLocker script rules in enforced mode), since a session can lower its own language mode but cannot raise it again. In addition, endpoint controls such as whitelisting solutions and in-line network controls such as Intrusion Prevention Systems complement the defense-in-depth design in restricting malicious use of interpreted programming languages.
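What the mode change actually takes away from an adversary, as an added example that is not code from the original article. It probes the same session before and after dropping it to Constrained Language mode; the probe commands (Get-Process, a System.Net.WebClient instance, an Add-Type compilation) are chosen here as representative of routine administration versus LotL tradecraft and are not from the article. It assumes a fresh Windows PowerShell 5.1 session.

```powershell
# Added example; not code from the original article. Shows what Constrained Language
# mode removes from a session. Run in a fresh Windows PowerShell 5.1 session: a session
# can lower its language mode but never raise it again, so open a new one afterwards.

# The probe is kept as text and compiled with Invoke-Expression on each run so that it
# is parsed under whatever language mode is current at that moment. A function defined
# up front would keep the language mode it was defined in and mask the change.
$probe = @'
$r = @{ Mode = [string]$ExecutionContext.SessionState.LanguageMode }

# Core language (variables, cmdlets, pipelines) keeps working in ConstrainedLanguage,
# so routine administration is unaffected.
try   { $r.Cmdlets = (Get-Process | Measure-Object).Count -gt 0 }
catch { $r.Cmdlets = $false }

# Arbitrary .NET types are what LotL tradecraft leans on (downloaders, reflection,
# P/Invoke). ConstrainedLanguage restricts 'new' and static calls to a short list of
# core types, and System.Net.WebClient is not on it.
try   { $null = [System.Net.WebClient]::new(); $r.WebClient = 'allowed' }
catch { $r.WebClient = 'blocked' }

# Compiling new types with Add-Type, the usual route to Win32 API calls, is refused too.
try {
    Add-Type -TypeDefinition 'public class Probe { public static int One() { return 1; } }' -ErrorAction Stop
    $r.AddType = 'allowed'
}
catch { $r.AddType = 'blocked' }

[pscustomobject]$r
'@

$before = Invoke-Expression $probe

# Drop this session to ConstrainedLanguage. Nothing sets this by hand in production:
# Windows Defender Application Control or AppLocker script rules in enforced mode put
# every script the policy does not trust into this mode automatically.
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'

$after = Invoke-Expression $probe

$before, $after | Format-Table Mode, Cmdlets, WebClient, AddType -AutoSize
```

The FullLanguage row shows cmdlets, WebClient and Add-Type all working; the ConstrainedLanguage row shows cmdlets still working while the WebClient instance and the Add-Type compilation are refused. That is the trade-off the mode offers: administrators keep their cmdlets and pipelines, while the .NET and Win32 reach that in-memory tooling depends on is gone. Because only enforced application control applies the mode to sessions the adversary starts, setting it in a profile or logon script achieves nothing against an attacker who launches their own powershell.exe.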
Another example affecting access control and privileges is the PowerShell execution policy, a setting that determines which script files may run and whether they must carry a valid Authenticode signature. Microsoft documents the execution policy as a safety feature against unintended execution rather than a security boundary against malicious scripts; it is not a control an adversary has to defeat. It still contributes as a control because, with AllSigned or RemoteSigned, it validates script signatures and stops unsigned scripts from being run by accident or through social engineering.
Security practitioners should assign execution policies to the local computer and to users according to the defense-in-depth design, and set them through Group Policy (the MachinePolicy and UserPolicy scopes), since those are the only scopes a user or a script cannot override. The policies usually recommended in an enterprise are Restricted, AllSigned or RemoteSigned: Restricted allows no script files at all, AllSigned requires every script to be signed by a trusted publisher, and RemoteSigned requires a signature only on scripts that carry the internet-zone mark.
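The execution policy layering and the recommended settings above, together with the bypass flag described earlier, as one added example (not the article's own code). The weak and the corrected configuration sit side by side, an unsigned test script constructed for the example shows the policy doing its job and then being bypassed, and a last step shows how the bypass surfaces in process creation auditing. It assumes Windows PowerShell 5.1, an elevated session for the LocalMachine change, and that the CurrentUser and Process scopes are still Undefined.

```powershell
# Added example; not code from the original article. Shows how execution policy is
# layered, sets it deliberately, and shows why it is a safety feature rather than a
# boundary. Assumes Windows PowerShell 5.1, an elevated session for the LocalMachine
# change, and that the CurrentUser and Process scopes are still Undefined.

# 1. The effective policy is the first scope in this list that is not Undefined.
#    MachinePolicy and UserPolicy come from Group Policy and outrank everything else.
Get-ExecutionPolicy -List

# 2. Weak but common: every script runs for every user.
#    Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force
#    Usual enterprise choice: local scripts run, scripts marked as downloaded from the
#    internet must carry a valid Authenticode signature.
Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
#    Stricter: every script must be signed by a trusted publisher.
#    Set-ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 3. Construct a test script (unsigned) and give it the internet-zone mark that a browser
#    download would carry, so RemoteSigned treats it as remote.
$script = Join-Path $env:TEMP 'hello.ps1'
Set-Content -Path $script -Value 'Write-Output "ran as $env:USERNAME"'
Set-Content -Path $script -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# Refused under RemoteSigned: the file is not digitally signed.
powershell.exe -NoProfile -File $script

# The flag the article refers to: -ExecutionPolicy sets the Process scope for that one
# process, needs no elevation and leaves no persistent change, so the same file runs.
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script

# The in-session equivalent, also without administrator rights:
#    Set-ExecutionPolicy Bypass -Scope Process -Force

# 4. The only scopes a user cannot override are the Group Policy ones. A defender can
#    confirm the machine-wide policy is actually enforced by checking the key the
#    "Turn on Script Execution" setting writes.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell' -Name ExecutionPolicy -ErrorAction SilentlyContinue

# 5. Detection. With process creation auditing and "Include command line in process
#    creation events" enabled, the bypass is visible in Security event 4688; property
#    index 8 of that event is the command line. powershell.exe accepts abbreviated switch
#    names (-ep, -exec), so match loosely.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -match '(?i)-e[a-z]*\s+bypass' } |
    Select-Object TimeCreated, @{ n = 'CommandLine'; e = { $_.Properties[8].Value } }
```

Step 3 is the whole argument in two commands: the policy stops the careless double-click, and a one-word flag removes it for anyone who can start a process. The policy is therefore worth setting through Group Policy for the protection it gives against accidents, and worth logging around (step 5, plus script block logging) for the adversary it does not stop.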
PowerShell is easy to learn, enables automation, scales well and is a great enabler for administrators, as are other interpreted programming languages. However, it is heavily used in LotL by cyber adversaries for exactly the same reasons.
The growth in abuse of PowerShell and other interpreted programming languages is alarming, and security practitioners should ensure secure configuration to avoid a cyber crisis.
Nawwaf Alabdulhadi is an IT security expert with more than 7 years of experience in the IT field executing IT security projects, providing consultation, and performing assessments across various countries, roles and companies. Nawwaf holds a Bachelor's degree in Computer Science from Northumbria University, UK, a Master's degree in Information Security Policy and Management from Carnegie Mellon University, US, and leading industry certifications including CISSP from ISC2 and CPT from IACRB. Nawwaf currently works as a Senior IT Security Specialist in a leading enterprise (Saudi Aramco).