There has been a reported increase in PowerShell-based malware over the last few weeks. The popular and powerful scripting language is installed by default on every Windows machine, and therefore makes an attractive avenue for malware.
Some other reasons PowerShell is being used by attackers include:
- PowerShell logging is disabled by default, meaning attacks fly under the radar
- It’s possible to execute directly from memory, allowing for file-less malware delivery
- Since PowerShell is a trusted application, it is often overlooked by the security stack
- PowerShell provides unrestricted access to Windows APIs
These factors have obviously awakened the interest of many attackers. However, there are some moves you can make to insulate yourself against this threat.
- Update PowerShell: Make sure the newest version of the Windows Management Framework is running on all machines.
- Enable and Configure PowerShell Logging: By default, PowerShell logging is disabled. Configure the systems to log every PowerShell command and script block that is executed, and incorporate these logs into your security workflow.
- Deploy Policies: Only allow tested, pre-approved scripts to be used in your environment
- Back Up Your Data: Make sure your data is protected in case an attack makes its way through your defenses. Remember, backing up only works if you do it before the disaster happens, so think (and act) ahead!
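The first three steps above, carried out on one host, as an added example that is not part of the original article: it checks the PowerShell version, turns on script block, module and transcription logging through the standard policy registry keys that Group Policy writes, sets a signed-scripts-only execution policy, and reads back the newest script block events. The transcript directory is an assumed value.

```powershell
# Added example (not from the original article). Run from an elevated session.
# These are the policy registry locations Group Policy populates; settings take
# effect for newly started PowerShell sessions.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $base $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Update check: Windows Management Framework 5.x ships PowerShell 5.1, the
#    version where script block logging and the other auditing features below exist.
$ver = $PSVersionTable.PSVersion
if ($ver.Major -lt 5) {
    Write-Warning "PowerShell $ver found; update WMF before relying on these logs"
}

# 2. Script block logging: records the text of every script block that runs,
#    including code unpacked only in memory, as Event ID 4104.
Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

#    Module logging for every module: pipeline execution details as Event ID 4103.
Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

#    Transcription: a plain-text transcript of each session. The output directory
#    is an assumed value; in production point it at a write-only network share.
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value 'C:\PSTranscripts' -Type 'String'

# 3. Policy: require scripts to carry a trusted signature machine-wide. Execution
#    policy is a guardrail against accidental execution, not a security boundary;
#    pair it with an application control solution to enforce the approved-script list.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# Verify events are flowing so they can be forwarded to the SIEM (4104 = script
# block text). Returns nothing until a new session has run a script block.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } }
```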