The continuing pain of PowerShell

Microsoft PowerShell has long been used by system administrators, and in 2013 when Dave Kennedy and Josh Kelley gave the infamous talk: “PowerShell...omfg”, it was brought to the attention of many security professionals. Red teamers and adversaries soon found it to be a playground with undefined security boundaries, scarce logging, and minimal detections. 

Once initial detection arrived, new techniques emerged for “unmanaged PowerShell”, or referencing the System.Management.Automation assembly DLL directly without calling powershell.exe. Red teams and adversaries leveraged this new execution method to bypass previous detection methods.

“When PowerShell was first released, we knew it was huge. Both from an IT administration and security perspective. It’s been amazing to see the security industry build on our early research and beyond what we could have ever expected. It’s also validating that the early statements that PowerShell would be a major attack surface for organizations still holds true today. Microsoft has done a ton of work on making PowerShell robust and security featured, but it’s still up to their customers to implement the features and detections.” - David Kennedy, TrustedSec

Entire post-exploitation frameworks are built off of the sheer amount of functionality that PowerShell provides to the user that wields it. Microsoft took notice, and implemented Constrained Language Mode, Script Block Logging, and other controls to improve visibility and detection in PowerShell for defenders. Plus, with Sysmon, you can log powershell.exe process creation.

Fast forward to 2021, and PowerShell has largely dropped from public discussion. Does this mean PowerShell detection is a solved problem? Malware capabilities, our own firsthand experience, and data from endpoint detection and response (EDR) vendors would indicate ‘no, PowerShell is not a solved problem’.

“Donoff Microsoft Office documents act as TrojanDownloaders by leveraging the Windows Command shell to launch PowerShell and proceed to download and execute malicious files. Donoff played a critical role in driving the 689% surge in PowerShell malware in Q1 2020. … In 2019, total samples of PowerShell malware grew 1,902%.” - Mcafee, November 2020

Red Canary has PowerShell as the 4th highest MITRE ATT&CK technique leveraged by adversaries, with over 50% of organizations affected.

One final dataset is the MITRE Engenuity ATT&CK Evaluations emulation of APT 29, which leveraged PowerShell techniques and scripts with mixed detection results from the 21 participating EDR vendors.

Adversarial PowerShell is indeed still a massive pain point for organizations and defenders alike, so what do we do about it? 

Security education campaigns are one important step to combat adversarial attacks that leverage PowerShell, ensuring that organizations are aware of the built-in (and free) mechanisms Microsoft has created to improve their security posture. Audit and logging are a good foundation for PowerShell detection. The next step for determining an organization’s resilience to PowerShell attacks and malware is security testing. 

Testing the implemented logging features is important for understanding their effectiveness. Using purple teams (and the Purple Team Exercise Framework), adversary emulation, or a combination of both can give real insights in determining whether you can detect PowerShell malware.

SCYTHE’s built-in PowerShell module allows users to run any command, in addition to integrating with PowerShell execution focused TTPs in Red Canary’s Atomic Red Team Project with a single click. SCYTHE’s module leverages unmanaged PowerShell (these won’t be logged by Sysmon for example) in emulations so defenders are able to focus on detections centered around adversary behaviors instead of testing for PowerShell use.

Want even more PowerShell content? Check out Jorge Orchilles’s Threat Thursday covering PowerShell here.

Tim Schulz is SCYTHE’s Adversary Emulation Lead. He has been helping organizations build and train teams to understand and emulate cyber threats for the last six years while working at multiple FFRDCs. He has given talks on Adaptive Emulation with ATT&CK and on Technical Leadership, and holds GXPN, GDAT, and OSCP certifications.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.