What you need to know about powershell attacks

Interesting read on Powershell Attacks. These are file-less malware attacks which will “not” be blocked by traditional UTM firewalls and/or AV, even sandboxing struggles against these attacks since they are file-less. Actors just need to hijack PowerShell or other trusted tools.

Unlike attacks carried out by traditional malware, file-less malware operations don’t require the attackers to install a single piece of software on a target’s machine. Instead, file-less malware attacks entail taking tools built into Windows, particularly PowerShell, and using them for malicious activity. Using legitimate programs makes detecting these attacks particularly challenging since these tools and the actions they carry out are trusted.

Many of the techniques used by file-less malware attacks have been around for awhile. In-memory exploits, for instance, were prominent in the SQL Slammer worm from the early 2000s. But the development and large-scale distribution of exploit kits have made file-less malware attacks much more common. For example, offensive PowerShell frameworks like Empire and PowerSploit and post-exploitation frameworks like Metasploit and CobaltStrike are especially abused since they can be used to quickly create PowerShell attack payloads.

The difficulty organizations face in detecting these attacks combined with the availability of these techniques is exactly why this tactic is being increasingly adopted. No longer a rogue technique, a third of organizations polled for the SANS 2017 Threat Landscape survey reported facing file-less attacks.

Read more here: