Carbon Black United Threat Research Report Reveals How Cyber Attackers Exploit Microsoft PowerShell to Launch Attacks

Carbon Black®, a leader in Next-Generation Endpoint Security (NGES), today announced the results from its first Unified Threat Research report, which details how PowerShell, a scripting language inherent to Microsoft operating systems, is being exploited by threat actors to launch cyber attacks.

The report outlines how the Carbon Black Threat Research Team, in conjunction with more than two dozen managed security services provider (MSSP) and incident response (IR) security partners, has increasingly seen PowerShell exploitation during cyber attacks, supporting a growing industry trend of malware authors creatively attempting to evade detection by exploiting native tools on operating systems.

The report (available for download here) reveals some of the techniques attackers are using to leverage PowerShell, how the software is being used, what malicious activities are occurring, and what security professionals can do to battle back.

Among some of the key findings in this report:

  • 38% of incidents seen by Carbon Black partners used PowerShell.
  • 68% of responding partners encountered PowerShell during investigations in 2015.
  • Nearly one-third (31%) of respondents reported receiving no security alerts prior to their investigation of PowerShell-related incidents, indicating that adversaries are successfully using PowerShell to enter and remain undetected in a company’s system.
  • 87% of the attacks leveraging PowerShell were commodity malware attacks such as click-fraud, fake antivirus, ransomware, and opportunistic malware.
  • Social engineering remains the favored technique for delivering PowerShell-based attacks according to interviews with Carbon Black partners.
  • 13% of the attacks involving PowerShell appeared to be targeted or ”advanced.”

“PowerShell is a very powerful tool that offers tremendous benefit for querying systems and executing commands, including on remote machines,” said Ben Johnson, Carbon Black’s chief security strategist and cofounder. “However, more recently we’re seeing bad guys exploiting it for malicious purposes it because it falls under the radar of traditional endpoint security products. This often causes tension between the IT and security professionals. PowerShell gives the bad guys a lot of power because it’s part of the native Windows operating system, which makes it difficult for security teams. On the other hand, PowerShell helps IT guys automate various tasks. The two departments need to come together and strike a balance between IT automation and security.

Partners directly interviewed for this report were: BTB Security, EY (formerly Ernst & Young), Kroll, Optiv, Rapid7 and Red Canary. Twenty-eight Carbon Black partners provided details for the survey we conducted in February 2016.

The report details a specific PowerShell-related case study from Red Canary, an MSSP partner. The case study details a recent example of PowerShell being used to steal credentials via reflective DLL injection.

Recently, the Carbon Black Threat Research Team issued a threat advisory on “PowerWare,” a new variant of ransomware that targets organizations via Microsoft Word and PowerShell.

About the Report
In the first quarter of 2016, Carbon Black collaborated with more than two dozen of its IR and MSSP partners to understand how PowerShell is being used for malicious purposes. The data collected comes from direct conversations and a survey, representing more than 1,100 investigations conducted during 2015. The Carbon Black Security Partner Program is the largest of its kind, providing next-generation endpoint security services to countries worldwide. The program includes more than 70 MSSP and IR partners who leverage the Carbon Black Security Platform to help their global customers disrupt, defend and unite in combating today’s new breed of cyber-attacks.

[su_box title=”About Carbon Black” style=”noise” box_color=”#336588″][short_info id=”66617″ desc=”true” all=”false”][/su_box]