PowerShell

Information

• Name: PowerShell

• ID: T1059.001

• Tactics: TA0002

• Technique: T1059

Introduction

The PowerShell sub-technique (T1059.001) within the MITRE ATT&CK framework refers specifically to adversaries leveraging PowerShell scripts or commands to execute malicious code, automate tasks, and facilitate lateral movement within compromised environments. PowerShell is a powerful scripting language and shell environment native to Windows systems, frequently exploited due to its extensive capabilities, widespread availability, and ability to interact seamlessly with Windows system components and APIs. Attackers utilize PowerShell for tasks such as reconnaissance, payload delivery, persistence, privilege escalation, and data exfiltration, often taking advantage of its flexibility and stealth potential.

Deep Dive Into Technique

PowerShell provides attackers with a robust scripting environment capable of executing complex operations directly within Windows environments. Key technical details include:

• Execution Methods:

  • Direct execution of commands through command-line interfaces (powershell.exe or pwsh.exe).

  • Execution of encoded commands using Base64 encoding (-EncodedCommand parameter) to evade detection.

  • Running scripts from disk or memory, leveraging techniques such as reflective loading to avoid writing artifacts to disk.

• Mechanisms and Procedures:

  • Obfuscation: Attackers often obfuscate PowerShell scripts using various techniques to bypass security controls, including character substitution, string concatenation, and encoding.

  • In-memory Execution: PowerShell scripts can execute directly within memory using methods like reflective loading, significantly reducing forensic artifacts and complicating detection.

  • Remote Execution: PowerShell Remoting (Invoke-Command, Enter-PSSession) and Windows Management Instrumentation (WMI) are commonly used to execute commands across remote systems, facilitating lateral movement and persistence.

  • Integration with Windows APIs: PowerShell scripts can interact directly with .NET libraries and Windows APIs, allowing attackers to perform sophisticated tasks like credential harvesting, privilege escalation, and system manipulation.

  • Fileless Malware: PowerShell enables fileless malware techniques where malicious payloads reside only in memory, avoiding traditional antivirus signatures and detection mechanisms.

• Commonly Abused Cmdlets and Modules:

  • Invoke-WebRequest and Invoke-RestMethod: Downloading malicious payloads or exfiltrating data.

  • Invoke-Expression (IEX): Executing dynamically downloaded scripts or commands.

  • Start-Process: Launching additional malicious processes.

  • Set-ItemProperty and New-Item: Modifying registry entries for persistence.

When this Technique is Usually Used

Attackers employ PowerShell across multiple stages of the cyber kill chain, including:

• Initial Access:

  • Execution of malicious scripts delivered through phishing emails, malicious attachments, or compromised websites.

• Execution:

  • Running malicious payloads directly within memory or from encoded commands to evade antivirus detection.

• Persistence:

  • Creating scheduled tasks, registry modifications, or startup scripts executed via PowerShell to maintain footholds on compromised systems.

• Privilege Escalation:

  • Leveraging PowerShell scripts to exploit vulnerabilities or misconfigurations, elevating privileges on compromised hosts.

• Defense Evasion:

  • Utilizing obfuscation, encoding, and in-memory execution techniques to evade endpoint detection and response (EDR) solutions.

• Credential Access:

  • Extracting credentials from memory or registry using PowerShell scripts.

• Discovery and Reconnaissance:

  • Enumerating network resources, system configurations, and security settings through built-in PowerShell cmdlets.

• Lateral Movement:

  • Using PowerShell Remoting or WMI to execute commands on remote systems within the compromised network.

• Collection and Exfiltration:

  • Compressing, encrypting, and transferring sensitive data to attacker-controlled infrastructure via PowerShell scripts.

How this Technique is Usually Detected

Effective detection requires a combination of logging, monitoring, and behavioral analysis techniques, including:

• Enhanced Logging and Monitoring:

  • Enabling PowerShell Script Block Logging (Event ID 4104), Module Logging (Event ID 4103), and Transcription Logging to capture detailed execution activities.

  • Monitoring Windows Event Logs for suspicious command-line arguments, such as encoded commands (-EncodedCommand) or suspicious cmdlets (Invoke-Expression, DownloadString, Invoke-WebRequest).

• Endpoint Detection and Response (EDR):

  • Deploying endpoint security solutions capable of detecting anomalous PowerShell behavior, memory injection, and suspicious process executions.

• Behavioral Analysis and Threat Hunting:

  • Hunting for unusual parent-child process relationships (e.g., Office applications spawning PowerShell).

  • Detecting anomalous network connections initiated by PowerShell processes to external IP addresses or domains.

  • Identifying abnormal volume or frequency of PowerShell executions across endpoints.

• Indicators of Compromise (IoCs):

  • Suspicious PowerShell command-line arguments:

    • powershell.exe -EncodedCommand

    • powershell.exe -nop -w hidden -c

  • Unusual script execution from temporary directories or user profiles:

    • %APPDATA%, %TEMP%, %USERPROFILE%

  • Unusual network traffic initiated from PowerShell processes:

    • Connections to unknown or malicious IP addresses/domains

  • Detection of obfuscated PowerShell scripts containing excessive use of character substitution, concatenation, or Base64 encoding.

• Security Information and Event Management (SIEM):

  • Correlating logs from endpoints, network devices, and security tools to detect and alert on suspicious PowerShell activity.

Why it is Important to Detect This Technique

Detecting malicious PowerShell activity is critical due to its potential impact on systems and networks:

• Stealth and Evasion:

  • PowerShell enables attackers to execute malicious code entirely in memory, making detection difficult and allowing attackers to remain undetected for extended periods.

• Rapid Compromise and Lateral Movement:

  • Attackers can quickly leverage PowerShell to escalate privileges, move laterally, and compromise additional systems within the network.

• Data Exfiltration:

  • PowerShell scripts can easily facilitate the extraction and transmission of sensitive data outside organizational boundaries.

• Persistence and Long-term Presence:

  • Attackers frequently use PowerShell to establish persistent footholds, ensuring continued access even after initial compromise detection and mitigation.

• Significant Damage Potential:

  • Malicious PowerShell usage can lead to severe operational disruptions, intellectual property theft, financial losses, and reputational harm.

Early detection and rapid response are essential to minimize potential damage, mitigate threats effectively, and prevent attackers from achieving their objectives.

Examples

Real-world incidents and threat actors leveraging PowerShell include:

• APT29 (Cozy Bear):

  • Utilized PowerShell extensively for reconnaissance, lateral movement, and persistence in high-profile breaches, including the SolarWinds supply-chain attack.

  • Employed encoded commands and obfuscated scripts to evade detection.

• FIN7 (Carbanak Group):

  • Leveraged PowerShell scripts embedded in malicious Office documents to deliver payloads and execute fileless malware on targeted systems.

  • Used PowerShell to establish persistence through scheduled tasks and registry modifications.

• Emotet Malware:

  • Distributed via phishing emails containing malicious Office macros that execute PowerShell commands to download and execute additional payloads.

  • Frequently used encoded commands and obfuscation techniques to bypass antivirus detection.

• TrickBot Malware:

  • Utilized PowerShell scripts for reconnaissance, credential harvesting, and lateral movement within compromised networks.

  • Employed reflective loading techniques to execute payloads directly in memory, avoiding disk-based detection.

• Ryuk Ransomware:

  • Deployed via PowerShell scripts that automate lateral movement, disable security tools, and execute ransomware payloads across targeted environments.

  • Used PowerShell to enumerate network shares and encrypt data rapidly, causing significant disruption.

These examples highlight the versatility and effectiveness of PowerShell as a means for attackers to achieve their objectives, emphasizing the importance of robust detection and mitigation strategies.