Microsoft PowerShell used to launch 38% of cyber-attacks in 2015

To fly under the radar of security systems, hackers are increasingly using PowerShell, a scripting language inherent in Microsoft systems.

Carbon Black released its first Unified Threat Research report with 28 managed security services provider (MSSP) and incident response security partners who represented 1,100 security investigations. PowerShell exploits were encountered by 68 percent of partners in the last year.

Almost a third of respondents (31 percent) said they received no security alerts before their investigation of PowerShell-related incidents. Over three quarters (77 percent) of respondents stated that alerts were traceable to PowerShell in less than 25 percent of cases, indicating that further investigation is required to identify PowerShell as a link to the attack.

Most of the attacks using PowerShell (87 percent) come in the form of basic or opportunistic threats such as commodity malware, click-fraud and ransomware. According to interviews with Carbon Black partners, social engineering seems to still be the favourite technique of cyber-criminals for delivering PowerShell-based attacks.

More than half (53 percent) of respondents that investigated PowerShell incidents reported encountering the VAWTRAK banking Trojan. A little less than half (47 percent) encountered the Poweliks click-fraud Trojan. CRIGENT or Power Worm was encountered by 42 percent of respondents.

PowerShell-related incidents seem to focus on accessing corporate IP, customer data, financial data and disrupting services. Additionally, 13 percent of PowerShell-related attacks appear to be targeted or advanced.

“PowerShell is a very powerful tool that offers tremendous benefit for querying systems and executing commands, including on remote machines,” said Ben Johnson, Carbon Black's chief security strategist. “However, more recently we're seeing bad guys exploiting it for malicious purposes because it falls under the radar of traditional endpoint security products.”

To better prevent abuse, Carbon Black recommends organisations to set standards regarding how PowerShell should be used, monitor PowerShell usage, and upgrade PowerShell to newer versions. 

Sign up to our newsletters