Microsoft thought they were boosting the power of Windows scripting tools when they added PowerShell. About ten years ago, they improved on earlier scripting engines that were never really part and parcel of the Windows OS. But, as is usual with computing innovations, each step forward in technology also makes things easier for attackers. As PowerShell has grown, gone open source and even cross-platform (Linux versions became available last year), it has also become an important vector for malware authors. It now comes bundled with Windows 7, 10 and the latest Windows Server OS versions.
I wrote about some of the PowerShell-based exploits for a recent post on the iBoss blog here.
To get started learning about PowerShell, download this comprehensive guide published by Symantec last year. The authors review typical attack profiles, highlight key PowerShell-enabled malware and suggest a few scripts for defenders. One important technique is to enable system event logging, so that a malicious script's actions are recorded and can be reviewed and exposed afterwards.
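As an added illustration of that logging technique (example code written for this post, not taken from the Symantec guide), the script below turns on PowerShell script block logging and then reads back the recorded script text for review. It assumes an elevated session on Windows with PowerShell 5.x, and the indicator list is a constructed sample, not a published signature set.

```powershell
# Added example: enable PowerShell script block logging, then review what ran.
# Assumes an elevated PowerShell 5.x session on Windows 7/10/Server.

# 1. Enable script block logging through the policy registry key.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Later, pull the recorded script blocks. Event ID 4104 in the
#    Microsoft-Windows-PowerShell/Operational log carries the script text.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 200 -ErrorAction SilentlyContinue

# 3. Flag blocks containing patterns typical of encoded or download-and-run
#    scripts. This indicator list is a constructed sample for the example.
$indicators = @('-EncodedCommand', 'FromBase64String', 'DownloadString',
                'Invoke-Expression', 'IEX')

foreach ($e in $events) {
    # For 4104 the third property is ScriptBlockText (0 = MessageNumber,
    # 1 = MessageTotal, 2 = ScriptBlockText, 3 = ScriptBlockId, 4 = Path).
    $block = [string]$e.Properties[2].Value
    $hits  = $indicators | Where-Object { $block -match [regex]::Escape($_) }
    if ($hits) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Hits    = ($hits -join ', ')
            Preview = $block.Substring(0, [Math]::Min(120, $block.Length))
        }
    }
}
```

Long scripts are split across several 4104 events; the MessageNumber and MessageTotal properties let you reassemble them in order when a hit needs closer review.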