5 ways cybercriminals use PowerShell scripts to execute cyberattacks

Cybersecurity is a power game. Cybercriminals and enterprises are in a continuous tug of war, with privileged information as the coveted prize. While enterprises fight to protect sensitive data, cybercriminals fight to gain access to it. Each side chooses a weapon of their choice. In this blog we will explore a weapon that is a popular choice for both sides: PowerShell.

Contents:

• What is PowerShell?
• 5 ways cybercriminals use PowerShell to execute cyberattacks
• PowerShell logging in Windows
• Auditing PowerShell using the Active Directory auditing capability of a SIEM

What is PowerShell?

To call Windows PowerShell a command line interpreter would be undermining its capabilities. While it can do everything a shell program like Command Prompt can do, PowerShell is also a scripting language used by administrators to automate tasks. A good example is Active Directory management. Administrators can spend hours manually managing their organization's Active Directory, or they can use a single PowerShell script or command to carry out bulk actions. A lot of administrators prefer PowerShell to the GUI tools they can use like AD Administrative Center or AD Users and Computers.

Fig. 1: A PowerShell window

PowerShell scripting is a vast subject. To better understand the concepts discussed throughout this blog, let us explore three important components of PowerShell scripting.

• Cmdlet: PowerShell uses lightweight commands called cmdlets. A cmdlets (pronounced command-let) can be identified by its unique structure, usually written in the verb-command or verb-noun format. For example, the cmdlet used to search for a user account in Active Directory is Search-ADAccount. Here, Search is the verb and ADAccount is the command. The function of both commands and cmdlets is essentially the same—they tell the computer what to do.
• Module: A module is a set of commands, cmdlets, scripts, functions, and more that have been bundled together for a specific purpose. A module comprises of four important components: a piece of code, additional script or help files the code may need, a manifest file, and a directory. A manifest file is like an index: it lists the contents of a module and describes how it is processed.
• Transcript: A transcript is a complete summary of what was executed during a particular PowerShell session. To generate transcriptions of PowerShell sessions, the administrator or the user has to enable the action. This can be done in two ways: through PowerShell commands or through a Group Policy change. Admins can add the Start-transcript and the Stop-transcript commands to enable transcription. Everything executed in between these two commands will be stored as a text file in the My Documents folder. We shall explore how to configure transcription logging via a Group Policy change later in the blog.

5 ways cybercriminals use PowerShell to execute cyberattacks

While PowerShell is an administrator's favorite tool, it also a hacker's go-to attack vector. This is because of PowerShell's traceability, or lack thereof, in a Windows environment. Since PowerShell is an allowlisted tool, it is easier for cybercriminals to escalate their privileges and execute malicious scripts.

PowerShell is mostly used as a post-exploitation tool. This is because PowerShell is enabled by default in most user accounts. Once a hacker enters the network, they can run the program as an administrator or easily use a couple of commands to escalate privileges. Let us explore five ways cybercriminals can use PowerShell to execute cyberattacks.

1. PowerShell scripting: According to the MITRE ATT&CK® framework, PowerShell is listed as a sub-technique under Command and Scripting interpreter. Cybercriminals often abuse PowerShell cmdlets to get information about their targets and execute malicious code remotely. PowerShell is also used to download and execute malware files in the computer's memory without actually touching the disk. Some PowerShell cmdlets used to carry out cyberattacks include Invoke-Command or Start-Process. Invoke-Command is used to execute a command remotely and Start-Process is used to run an application or process locally on the system.

2. Domain discovery: Once the attackers have penetrated the enterprise network, they can use certain cmdlets to get a list of existing domains, groups, and the user or computer accounts in these domains as a local administrator. This helps them determine their next target based on the privileges these accounts or groups may have. In a Windows environment, some of the cmdlets they can use include Get-ADDomain to get a list of domains in the directory, Get-ADUser to get a list of users, Get-ADComputer to get a list of computers in the directory, and Get-ADGroupMember to get a list of users in a particular group. These cmdlets give a good deal of information about each of the objects, especially Get-ADComputer, which gives in-depth information about each host.

3. Privilege escalation: Access to PowerShell means the ability to easily escalate privileges. As seen earlier, once the attacker, posing as a local administrator, gets information about the list of computers in the domain and has picked a target, they will check the Get-Acl cmdlet to check the ACL for their target.

   Once they get a list of permissions, the attackers will choose the user or user group that has higher permissions to the target computer. They will get information about the members who belong to that group (using the Get-ADGroupMember cmdlet). They will then go through the list of group members to check if any of the accounts match those they've obtained access to. Once they do, they will use the PS-Exec command to remotely execute scripts in their target machine using the current system.

4. Lateral movement: Lateral movement is an attack technique that involves the attacker moving from one compromised host to another in the network. Usually, lateral movement involves using one of two tools: Windows Remote Management (WinRM) or Cobalt Strike. WinRM is a built-in tool in all Windows machines used to establish remote connections, and Cobalt Strike is a pen-testing tool used to simulate attacks.

   There are two ways to use PowerShell for lateral movement:

   • Once the attacker has entered the network, they can run PowerShell as a local administrator, escalate privileges, use the PS-Exec command to execute a script on another host, and finally establish a privileged remote connection.
   • The second way involves the use of WinRM to connect to a client the attacker wants to pivot. To use WinRM to connect with another client, the latter must have a listener enabled. PowerShell can be used to enable listening in the client. Alternatively, if Cobalt Strike is being used, PowerShell can be used to start Cobalt Strike.
5. Fileless malware: Fileless malware uses native tools present in the victim machine instead of depending on malicious executables like its file-based counterparts. It runs in the computer's memory instead of its hard drive, making it more difficult to detect. Since PowerShell is used to avoid traceability of the attack, it is largely used to execute fileless malware. An attacker can use PowerShell to execute commands in a remote target system using the Invoke-Command cmdlet.

PowerShell logging in Windows systems

Windows offers three kinds of logging mechanisms to track PowerShell activity.

• Module logging: These logs track any PowerShell modules that have been triggered. Let us take the example of the Active Directory module Windows offers for PowerShell. Whenever an IT admin uses PowerShell to create users or modify Group Policy objects, the Active Directory module is executed in the background. This is tracked through module logging. The event ID for these logs is 4103. While module logs provide some information about the executed module, they may not reliably capture the commands that have been executed.
• Script-block logging: Script blocks are blocks of scripts or cmdlets executed in one go. They are usually written within curly brackets. Script block logs record the entire script, the commands that have been executed, and who has triggered this execution. The event ID for script block logs is 4104.
• Transcript logging: Transcriptions record the entire script that has been executed during the PowerShell session. This file is then stored in the Documents folder of the user. Transcripts are stored as text files with names that begin with "PowerShell_transcript." They record the metadata and timestamps of the scripts that have been executed in that session and are beneficial during forensic analysis. However, most of the data generated using transcript logs is captured in module and script block logs.

PowerShell logging can be enabled through the local Group Policy Editor for one specific machine or through the Group Policy Management Editor for a user group or OU in a domain. Let's see how to do this in six simple steps:

1. Open Group Policy Management Editor.

   Fig. 2: Group Policy Management Editor

2. Click Administrative Templates under User Configuration or Computer Configuration, based on the requirement.

   

3. Click Windows Components.

   

4. Scroll down and click Windows PowerShell.

   

5. Select the PowerShell logging mechanisms that need to be enabled out of those present. Let's say you want to enable script block logs.

   

6. Click Turn on PowerShell Script Block Logging. Select Enabled from the given radio buttons, and click Apply.

   

A similar process can be used to enable the generation of other PowerShell logs. A lot of organizations disable PowerShell logging because of the large number of event logs that are generated. As a cybersecurity best practice, it is recommended that organizations enable PowerShell logging—if not all three types, then at least script block logging.

Auditing PowerShell using the Active Directory auditing capability of a SIEM solution

It can be difficult for IT administrators to keep track of the many event logs generated to track PowerShell scripts. A SIEM solution like Log360, which has an Active Directory auditing functionality, can help IT admins make the process easier in the following ways:

• Monitor the network for malicious code executions using module logging and script-block logging reports.

  Fig. 3: Module logging reports in ManageEngine Log360

  Fig. 4: Script Block Logging reports in ManageEngine Log360

• Track all processes that have been executed by PowerShell using specific PowerShell process tracking reports.

  Fig. 5: PowerShell process tracking reports in ManageEngine Log360

• Get instant security alerts via SMS and email using the alerting feature.

  Fig. 6: Alert Profile configuration feature in ManageEngine Log360

• Execute scripts to stop malicious processes when alerts for these executions are triggered.

  Fig. 7: Execute Script feature in ManageEngine Log360

To learn more about PowerShell auditing using Log360, reach out to our product experts for a personalized demo or download a 30-day, free trial to check it out for yourself.