How to Protect Your Business Against the Rising Threat of Windows PowerShell Attacks

Hackers are continually coming up with ways to get past the defenses of standard anti-malware and anti-phishing applications. One of the ways they’ve been able to bypass these security safeguards is through the use of fileless attacks on Windows PowerShell.

If there’s no file attachment with malicious software for an anti-malware program to match against a threat database, then there’s a pretty good chance that malicious code will make it through network securityunchallenged.

What is a PowerShell Attack?

PowerShell is a legitimate Windows component. It’s a command line tool that is included in the Windows operating system. It can be run in the memory, where an anti-virus software won’t be able to detect it. Commands to PowerShell can also be run remotely, which makes it a perfect target for hackers on the other side of the world.

PowerShell can be used by hackers execute malicious code, and since it’s a trusted part of Windows, standard security tools won’t know anything is amiss. It has access to multiple parts of a machine’s inner core, which makes it a particularly popular way for cybercriminals to hack into your network.

PowerShell attacks rose 1000% in 2018.

There was an explosive rise in PowerShell attacks in 2018 of 1000%. The trend continued in 2019.

As of Q1, while ransomware attacks increased by 118%, PowerShell attacks grew by 460% and showed no signs of slowing down. 

What Can a PowerShell Attack Do?

PowerShell can be used to run multiple types of malicious code, such as gathering user login credentials that can be sold on the Dark Web or targeting admin credentials. It’s also been used to redirect users to fake banking websites that look like the real thing.

Because PowerShell can be used to execute programs and has such a deep access to the Windows operating system, the number of ways it can be used to attack your network and endpoints is nearly countless.

Preventing PowerShell Attacks

While fileless PowerShell attacks are designed to get past many defenses, there are ways to protect your business against these attacks. 

Microsoft has taken notice of how their component is being misused and has issued updates to give users and their cybersecurity tools more ability to keep PowerShell from being deployed to run malicious processes.

Here are several ways to protect your business from falling victim to a PowerShell attack.

Upgrade to PowerShell v5.1 or Newer

Microsoft added some important security fixes to PowerShell v5.1, including greatly reducing the attack capability and improving logging. Upgrading to the more secure version can reduce your risk of an attack.

Enable and Collect PowerShell Logs

By enabling Protected Event Logging, you can keep a better eye on any suspicious processes. These logs can also be used by security tools to identify any unusual behavior by incorporating the logs into signatures, hunting, and incident response workflows.

Use Just Enough Administration

When you use Just Enough Administration (JEA) on PowerShell, you’re restricting the administrative access control so users can only perform tasks that they need to. By eliminating or reducing unconstrained administrative access to high-value systems, you reduce your risk that stolen credentials can be used to carry out attacks through PowerShell.

Implement Application Control Safeguards

You have the ability to reign in the control that PowerShell has over other programs by only allowing pre-approved (whitelisted) tasks and denying others. Parameters can be set for certain areas of your system to only allow a limited subset of PowerShell language that’s used for commands, limiting the ability of hackers to use the tool against you.

Use PowerShell with Applocker

Applocker is used to verify a script before PowerShell runs it. This adds an important protective layer in the PowerShell process. Applocker will evaluate a script to ensure it’s allowed to run and will block anything that’s not approved through the Applocker policy.

Use an Endpoint Detection and Response (EDR) Tool

EDR uses artificial intelligence and other advanced features to detect suspicious behavior throughout your device rather than just matching a file against a known threat database. This allows it to identify malicious code that PowerShell may be running, without even knowing what it might be, and shut it down.

Give Your Antivirus Provider Full Access 

By deploying Windows 10 to allow your antivirus provider full access to all content processes by Windows Scripting Hosts, including PowerShell, you can give it the ability to detect potential malicious PowerShell Activities. Giving access to “all content” means including that which is generated or de-obfuscated at runtime.

Improve Your Cybersecurity Posture with Help from Haxxess

Network security is one of the most important aspects of your technology infrastructure. Make sure your data and systems are protected with a full IT security assessment. We’ll scan your system and let you know of any vulnerabilities and how to address them.

Book a complimentary IT security checkup with us today! You can also call us anytime at 705-222-8324.

stay in touch

Subscribe to our newsletter and we'll keep you informed about latest IT news.