Living off the Land: The Power Behind PowerShell

PowerShell is a powerful tool for task automation and configuration management that is built on the .NET framework. It is also a utility that is often abused by cyber threat actors (CTAs) using Living off the Land (LotL) techniques. As far back as 2016, for instance, at least 38% of the incidents observed by Carbon Black and its partners included PowerShell as part of the attack. The majority (approximately 87%) of those attacks used PowerShell in commodity malware such as click fraud, fake anti-virus, and opportunistic malware. Fast forward to more recent times, and we find that approximately 49% of the threats analyzed in 2021 used PowerShell in the attack chain, according to Red Canary.

Ultimately, CTAs can use PowerShell in several ways to achieve a variety of objectives. For example, as PowerShell is a native Windows tool and functional on other operating systems, CTAs are able to use it without raising red flags and thus evade traditional network defenses. Additionally, CTAs can use post-exploitation frameworks that leverage PowerShell components to compromise a network and steal credentials. PowerShell also allows CTAs to automate activities, escalate privileges, and move laterally throughout a network – all increasing the attack surface and wreaking havoc on the enterprise.

Defending Against PowerShell Attacks

Unfortunately, simply blocking the PowerShell executable is neither viable nor effective. PowerShell can be invoked in a number of ways without using the actual executable, and it is often used this way. Additionally, a number of legitimate applications use PowerShell to perform everyday business functions. A more strategic and multi-faceted approach is therefore necessary to secure against an attack that uses PowerShell.

Fortunately, the Center for Internet Security (CIS) is already in the process of publishing guides that address common LotL attack vectors. Our guides provide prioritized best practice guidance to address some of the most commonly used vectors and exploited protocols to conduct attacks. Some of our most recent guides focus on Remote Desktop Protocol (RDP), Server Message Block (SMB), and Windows Management Instrumentation (WMI), for example.

Our newest guide, “Living off the Land: PowerShell,” is next in the series of LotL guides. It covers the use of this legitimate network administration tool in cyber attacks and provides guidance to defenders on how they can protect against a PowerShell-based attack. Toward that end, it introduces related CIS Critical Security Controls (CIS Controls), CIS Benchmarks, and MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) (Sub-)Techniques.

A Stronger Cybersecurity Posture

Ultimately, it is important to implement defensive processes and measures such as understanding and managing your PowerShell environment, securely configuring PowerShell, malware defenses, logging, continuous vulnerability management, email and browser protections, and security awareness training. By implementing the recommendations introduced in "Living off the Land: PowerShell," enterprises can confidently strengthen their cybersecurity posture while protecting their assets.
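As an added illustration of two of the measures above, secure configuration and logging, the script below enables the three PowerShell logging policies (script block logging, module logging and transcription) on a single Windows PowerShell 5.1 host and then checks the result. It is example code written for this page, not material from the CIS guide; the registry paths and value names are the documented policy keys, while the transcript directory path is an assumed example and the settings would normally be deployed through Group Policy rather than per host.

```powershell
#Requires -RunAsAdministrator
# Local equivalent of the Group Policy settings that turn on PowerShell logging.
# Assumption: Windows PowerShell 5.1; $transcriptDir is an example path to adjust
# (and to protect with a restrictive ACL, since transcripts can contain sensitive data).

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\PSTranscripts'   # assumed example path

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Script block logging: the engine records every script block it compiles
#    (Event ID 4104). Because this happens inside the engine rather than in
#    powershell.exe, it also covers PowerShell hosted by other processes.
Set-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# 2. Module logging for all modules: pipeline execution details (Event ID 4103).
Set-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$base\ModuleLogging\ModuleNames" '*' '*' 'String'

# 3. Transcription: a text record of each session, including an invocation header.
New-Item -ItemType Directory -Path $transcriptDir -Force | Out-Null
Set-PolicyValue "$base\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$base\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$base\Transcription" 'OutputDirectory' $transcriptDir 'String'

# Verification: show the policy values as written...
Get-ItemProperty "$base\ScriptBlockLogging", "$base\ModuleLogging", "$base\Transcription" |
    Format-List

# ...and the most recent script block events. Only newly started PowerShell
# processes pick up the policy, so open a fresh session if the query is empty.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
```

Forward the Microsoft-Windows-PowerShell/Operational log and the transcript directory to central collection; logging that stays on the endpoint is of little use once that endpoint is compromised.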