Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft Security IT

And the Top Source of Critical Security Threats Is...PowerShell (esecurityplanet.com) 73

Slashdot reader storagedude writes: That's right, Microsoft's CLI management tool was the source of more than a third of critical security threats detected by Cisco in the second half of 2020, according to eSecurity Planet.

Dual-use tool exploitation was the top threat category noted by Cisco, followed by ransomware, fileless malware, and credential dumping, with PowerShell a primary vector in those last two categories also.

"Based on Cisco's research, PowerShell is the source of more than a third of critical threats," noted Gedeon Hombrebueno, Endpoint Security Product Manager for Cisco Secure.

Cisco recommends a number of protection steps that are, of course, made easier with Cisco Secure Endpoint, and other EDR tools are effective against PowerShell exploits also.

But there are a number of steps admins can (and should) take that are completely free, like preventing or restricting PowerShell execution in non-admin accounts, allowing execution of signed scripts only, and using Constrained Language mode.

This discussion has been archived. No new comments can be posted.

And the Top Source of Critical Security Threats Is...PowerShell

Comments Filter:
  • ``Powershell Version N+1 is the most secure Powershell ever.''

  • by xack ( 5304745 ) on Saturday May 22, 2021 @12:48PM (#61410656)
    You thought programmers would be content with just “hello world”?
    • or a simple reverse shell?
    • Powershell is what you use on Windows *after* exploiting the system to get remote code execution. /bin/sh is what you use on Linux. Because that's how you run things on those systems, if you aren't sitting at the console clicking things.

      • Would mod this up if I could. This "story" is deliberately misleading.

        Powershell basically falls into the same category as *nix shells like sh, bash, etc. or commonly bundled scripting languages like Python, Perl, etc. on *nix systems. All of these tend to be abused AFTER initial infiltration.

  • Henceforth to be known as PowersHell.

  • I wonder what surprises wait people who took the bait and installed powershell on Linux ?

    https://docs.microsoft.com/en-... [microsoft.com]

    I never used it and never saw in in action, but I knew enough to stay as far away from it as possible. For people who did did install it, between all the 'fun' breaches on M/S software lately, I wonder how many are looking at a rebuild.

    • by PPH ( 736903 )

      installed powershell on Linux

      I don't know how that would differ from something like bash, csh, ksh. All shells, all scriptable. But since they run on various flavors of *NIX, not terribly dangerous. As long as one doesn't do their day to day work logged on as root.

      That said, it wouldn't surprise me if Microsoft's installation set PowerShell up as setuid. If so, people who use it deserve all the hell it will produce.

      • by Entrope ( 68843 )

        Windows doesn't have an equivalent of the setuid bit. It has a "Run as..." ability, but that requires a password or similar login credentials. There are also other mechanisms, such as User Account Control (UAC), that limit how programs running with administrator privileges (when started by an admin account) can communicate with unprivileged processes.

      • by Luthair ( 847766 ) on Saturday May 22, 2021 @01:43PM (#61410806)

        Yea I think this is the point that others are missing - I imagine for *nix systems shell scripts, perl or python which are available by default in virtually every system are abused in a similar way by attackers.

        While it may make sense for most users to remove or disable powershell, if enough people are doing that then attackers will simply switch to other tools that are available on the system.

    • This story isn't about problems with powershell. If anything it actually screams how good powershell is. The hackers are not "exploiting" it, they are using it as a tool post exploit to get the job done or to execute their exploits when it is available. No different to running it in Bash, they aren't bypassing Powershell security controls.
  • Does anyone routinely use powershell interactively? The few times I have used it the commands seemed overly verbose and reminded me a lot of OpenVMS.

    • by rduke15 ( 721841 )

      I have vaguely tried to use it a few times, but was also annoyed by it's verbosity and general weirdness. If I need to do something on Windows that is too complex or unpractical for cmd.exe (which is most things, actually), I usually end up starting Ubuntu in WSL and doing it Bash or Perl.

    • Re: Powershell (Score:5, Informative)

      by boxless ( 35756 ) on Saturday May 22, 2021 @04:12PM (#61411190)

      Another good grief. There are a few syntactical oddities, but in general itâ(TM)s phenomenal. What I can accomplish via one liners is amazing. Think of Unix one liners, but the bits moving through the pipeline arenâ(TM)t necessarily text (though they could be), but are often times objects. And the exes on the pipeline usually know what to do with the object given to them. And when they donâ(TM)t, they tell you so.

      • Agreed that it can be powerful. However, the object oriented nature dawned upon me when I practically put the network on halt just by doing a rename, the whole files were passed back and forth on the network. Sure, beginner error, but far from nice. Power shell isn't the windows equivalent of Bash. It's wildly different, and I agree it can be very powerful. Or, as with me, it can be the lit match to see how many sticks of dynamite are really lying all around in this here abandoned mine...
    • It's good for administering Windows software. It has great integration with the MS suite of tools. Extensibility isn't so great, though.

  • Another reason for the mind-numbed to disable Win+R to execute a run command so I have to navigate a bunch of menus instead of taking 1.5 seconds to type Win+R and "calc" to get a calculator.
  • by cheetah_spottycat ( 106624 ) on Saturday May 22, 2021 @01:36PM (#61410786)
    No, dual-use tools are not the primary threat, dear cisco. FUCKING EXPLOITS IN YOUR FUCKING GEAR ARE. Blaming the tools for exploits is like saying that screwdrivers are the number one primary threat in home burglary cases, because that's how most unsafe windows are opened.
    • by bn-7bc ( 909819 )
      Cisco used to suffer from a huge monolithic code base, with evry feature any one ever needed for any possible edge case. This did nor, as you might have guessed, lead to the most stable bug free or secure code ever
  • Call Me Skeptic (Score:4, Insightful)

    by lsllll ( 830002 ) on Saturday May 22, 2021 @01:57PM (#61410840)
    First of all, this seems like a marketing ploy to get people to buy into Cisco Secure Endpoint. But, past that, I find it hard to believe that there are as many holes as they say (>33%) in a non-escalated process. Microsoft has patched all known bypasses of UAC. Is Cisco saying they know of new ones that MS hasn't patched yet?
    • Re:Call Me Skeptic (Score:4, Insightful)

      by clovis ( 4684 ) on Saturday May 22, 2021 @05:59PM (#61411422)

      First of all, this seems like a marketing ploy to get people to buy into Cisco Secure Endpoint. But, past that, I find it hard to believe that there are as many holes as they say (>33%) in a non-escalated process. Microsoft has patched all known bypasses of UAC. Is Cisco saying they know of new ones that MS hasn't patched yet?

      I'm with you on this.
      For one thing Powershell's execution policy is set to Restricted by default on Windows client computers, which means almost every computer on the planet cannot run Powershell.

      • by vrt3 ( 62368 )

        What? Every computer can run Powershell. It's just a command interpreter.

        Restricted does *not* mean that Powershell can't run; it only means Powershell won't execute scripts. Which is not even meant as a security system, as Microsoft's own documentation says: it's only meant so anyone can set basic rules and prevent accidentally violating those.

        • by clovis ( 4684 )

          What? Every computer can run Powershell. It's just a command interpreter.

          Restricted does *not* mean that Powershell can't run; it only means Powershell won't execute scripts. Which is not even meant as a security system, as Microsoft's own documentation says: it's only meant so anyone can set basic rules and prevent accidentally violating those.

          good point and bad writing by me. Here's an updated statement:
          I'm with you on this.
          For one thing Powershell's execution policy is set to Restricted by default on Windows client computers, which means almost every computer on the planet cannot run Powershell scripts.

  • Misleading headline? (Score:4, Interesting)

    by munch117 ( 214551 ) on Saturday May 22, 2021 @01:58PM (#61410850)

    Something tells me this is really about powershell being used as the implementation language for the attack payload. Not about vulnerabilities in powershell itself or in programs written in powershell.

    Which means powershell is not the source of any threats.

    • Amen. My thought exactly.

    • by clovis ( 4684 )

      Something tells me this is really about powershell being used as the implementation language for the attack payload. Not about vulnerabilities in powershell itself or in programs written in powershell.

      Which means powershell is not the source of any threats.

      Yep, totally agree.

      Quote from the article:
      "The top category of threats detected across endpoints by Cisco Secure Endpoint was dual-use tools leveraged for exploitation and post-exploitation tasks. PowerShell Empire, Cobalt Strike, PowerSploit, Metasploit and other such tools have legitimate uses, Cisco noted in the report, but they’ve become part of the attacker toolkit too."

      Thanks to this article, we now know that letting other people run pen-testing tools on it is a bad idea.

      This article is more of

    • It is just Cisco trying to push their garbage security products, which in themselves are huge threat to an efficient operating environment.
    • Which means powershell is not the source of any threats.

      Which means guns are not the source of any threats.

      So, why do we ban guns again?

    • Careful, you'll upset the anti-MS crowd who know nothing about exploitation vs post-exploitation.
  • by jhylkema ( 545853 ) on Saturday May 22, 2021 @07:16PM (#61411540)

    This is why you don't let every Tom Dick and Harry have admin rights to their box. Thing is, many admins do just that. And that makes my job so much easier.

  • Powershell is a shell after all so it is a convenient way to run anything on the OS. It's certainly easier than it would be to do the same in cmd.exe although I think Powershell blows compared to bash.
  • Americian, the nsa or cisco . Cisco is a major threat in it's own right,

"I got everybody to pay up front...then I blew up their planet." "Now why didn't I think of that?" -- Post Bros. Comics

Working...