And the Top Source of Critical Security Threats Is...PowerShell

Slashdot reader storagedude writes: That's right, Microsoft's CLI management tool was the source of more than a third of critical security threats detected by Cisco in the second half of 2020, according to eSecurity Planet.

Dual-use tool exploitation was the top threat category noted by Cisco, followed by ransomware, fileless malware, and credential dumping, with PowerShell a primary vector in those last two categories also.

"Based on Cisco's research, PowerShell is the source of more than a third of critical threats," noted Gedeon Hombrebueno, Endpoint Security Product Manager for Cisco Secure.

Cisco recommends a number of protection steps that are, of course, made easier with Cisco Secure Endpoint, and other EDR tools are effective against PowerShell exploits also.

But there are a number of steps admins can (and should) take that are completely free, like preventing or restricting PowerShell execution in non-admin accounts, allowing execution of signed scripts only, and using Constrained Language mode.

How long before we begin hearing:

[rnturn]

``Powershell Version N+1 is the most secure Powershell ever.''

Powershell gets its powers used

[xack]

You thought programmers would be content with just “hello world”?

Re:

[dowhileor]

or a simple reverse shell?

Re:

[K. S. Kyosuke]

Isn't that a "hello, world!" of sorts?

Summary is crap

[raymorris]

Powershell is what you use on Windows *after* exploiting the system to get remote code execution. /bin/sh is what you use on Linux. Because that's how you run things on those systems, if you aren't sitting at the console clicking things.

Re:

[Kryptonut]

Would mod this up if I could. This "story" is deliberately misleading.

Powershell basically falls into the same category as *nix shells like sh, bash, etc. or commonly bundled scripting languages like Python, Perl, etc. on *nix systems. All of these tend to be abused AFTER initial infiltration.

Re:

[Aighearach]

I thought they rewrote it from the ground up already? And still have these problems?

Re:No way to fix Windows

[Luthair]

None of this is accurate - the reality is that the most used system is the most attacked, go figure.

Re:

[mspohr]

It's certainly the easiest target.

Re:

[StormReaver]

...the reality is that the most used system is the most attacked....

Linux is the most attacked system ever, yet successful exploitation is rare.

Successful Windows (or just about any Microsoft software) exploitation is extremely common because its security is terrible.

Re:

[Dwedit]

Android is Linux, and it's exploited constantly.

Re:

[StormReaver]

All of the Android exploits are in Android, not Linux. The kernel in Android has been rock solid.

Re:

[KingMotley]

If you think linux exploitation is rare you obviously aren't looking.

Re:

[bloodhawk]

successfull exploitation is rare? I suggest you do a little more research!

Re:

[dowhileor]

I have the feeling that the percentage is mostly associated with an attached web environment. You don't see directory transversal for example, get past a DoS or something in a mostly windows environment.

Re:

[Martin Blank]

PowerShell (and to a lesser extent C#) are used in a very large portion of successful attacks, though, but that's because it's built into Windows as its default scripting language and it allows extensive automation of the attack. When Linux systems get popped, you'll often see bash, Perl, or Python scripts used because those are widely present and allow extensive automation of the attack. If Microsoft adopted Python in place of PowerShell, you'd see a lot of Python used in attacks.

Re: No way to fix Windows

[ArmoredDragon]

Even then, I think powershell (or even c#) is used because it's a lot easier to use as a programmer, thus the barrier to entry for the malware developer is lower.

If I were to write malware, my choice would be rust, not only because I can, but because it's so much easier to write robust rust code that works exactly as you intend it to work, even in environments that you can't necessarily test against before deployment, plus with rust I don't have to count on my target having some necessary frameworks or runt

Re:

[Chris Mattern]

"They did create OS/2 which was a ground up rewrite with a protected mode architecture but they decided to keep patching the old Windows... forever. Not backwards compatible enough."

More importantly, they didn't own OS/2, which belonged to IBM. They kept introducing new incompatibilities into Windows, which insured OS/2 would never be viable. I'm sure that was accidental.

Re:

[Canberra1]

Clever person mod up ! But did you know IBM mainframe, before OS/2 had shells (TSO or POSIX) which in turn could call anything else. These were NEVER a threat on the mainframe, as RACF always had granular security, program pathing, and an ACF list (A bit like immutable in Linux). And default UACC(None). Oh and hardware based memory protection. I was told at a windows SE presentation that NT 3.1 had been designed up from the ground with full real security, every bit as good. They had to say this as Novell

Re:No way to fix Windows

[SteelCamel]

Neither is entirely correct. The current versions of Windows are based on the NT kernel, which was written as a multi-user OS from the start. However the Windows layer on top was designed to be able to run Windows 3.1 and Windows 95 applications, and some compromises were made. Most of these have been factored out over the years. 16-bit applications no longer run, so nothing designed before NT existed can still be in use. And most of the insecure backwards-compatible features are now emulated. For example, one application I use saves files in the program directory - and Windows lets it. Except it doesn't - it silently redirects them to a folder in ProgramData, and the program directory is read-only. If system processes try to interact with the desktop (which they shouldn't), Windows creates a brand-new desktop for them with nothing on it. And so on. Which isn't to say that there isn't some long-forgotten piece of code lurking and waiting to become a security issue - it happens, but much less than it used to.

Re:

[mspohr]

I think the steady pace of exposures of Windows vulnerabilities over the years shows that there are a lot of long forgotten pieces of code waiting for exploit.

Re:

[Martin Blank]

16-bit applications no longer run, so nothing designed before NT existed can still be in use.

This isn't strictly true. While 64-bit Windows does not include the 16-bit subsystem, 16-bit compatibility can added back by installing the NTVDM (NT Virtual DOS Machine). Doing so requires a conscious effort, though.

Re:

[Aighearach]

I write backwards-compatible APIs all the time, I've never found any reason to audit the old code for security bugs and then also reproduce them! Seems like a process that is unlikely to actually be taking place.

Honestly, it doesn't sound like you understand what the word "architecture" means in software, and how it compares to the word API.

Re: No way to fix Windows

[mspohr]

APIs are crap if the underlying OS is crap. They just provide more opportunities for attack.
Can't patch up a fundamental architecture failure by putting lipstick on the pig. Microsoft has been doing that for years and it isn't working.

Re:

[Aighearach]

Yep, you don't know what the words mean.

Re:No way to fix Windows

[dnaumov]

Really folks, just choose another OS which was designed from the ground up with security in mind. Linux, Unix, BSD (MacOS).

How delusional must one be to think up something like that? Linux was designed from the ground up to scratch a very particular itch of Linus Torvalds, which has literally nothing to do with security.

Re:

[mspohr]

His "itch" was a multiuser OS so it was designed from the start with security (modeled after Unix)

Re: No way to fix Windows

[boxless]

As was windows. What windows do you think is being used? 3.1? Or 95? No. Itâ(TM)s based on win NT. which was based on OS2 and the main guy who turned it into NT was the guy who wrote VMS. Itâ(TM)s fully multiuser, preemptive multitasking, and has security acls up the wazoo. From the beginning. You can put acls on almost anything if youâ(TM)re so inclined. All while ânix was still playing with the Chmod stuff. Linux and the bsds had that shit bolted on afterward.

Re:

[JThundley]

You can't even type correctly, why should we listen to you?

Re:

[phantomfive]

Linux was designed from the ground up to scratch a very particular itch of Linus Torvalds,

That is completely false. He followed the POSIX design as much as possible.

Re: No way to fix Windows

[boxless]

Oh good grief. Why not look at the pedigree of windows NT and how it was designed. No thought to security? Give me a freaking break.
Vulnerabilities? Sure. Lots. But it was pretty much designed from the ground up with security in mind. It could be locked tighter than a drum, but isnâ(TM)t, because mere mortals are trying to get shit done and donâ(TM)t think.

Re:

[mspohr]

The basic problem is that Windows is saddled with legacy "compatibility" to "get stuff done". This opens up lots of opportunities for exploits. They can't remove this stuff as it will break a lot of applications.

Re:

[bloodhawk]

So how come you have enough knowledge to get this part right while at the same time posting a heap of pig shit in your first post?

Re: No way to fix Windows

[mspohr]

I seem to have triggered a bunch of Windows fanboys. Sorry to have offended you but you really should consider the points I have raised.

Re:

[bloodhawk]

No you seem to have triggerred a heap of people that despise ignorance, which you are full of, seriously go read up the origins of NT,

Re:

[Megane]

PowerShell was first released in 2006. As in brand new, with nothing that they were cobbling together from legacy code. Are you telling me that we didn't have "networks, multiple users etc." in 2006?

Re: No way to fix Windows

[mspohr]

The problem (same as all of Windows problems) is that it relies on the poor underlying architecture of the core OS. It just opens up new avenues of attack. This defect is highlighted by TFA.

PowerShell...

[know-nothing cunt]

Henceforth to be known as PowersHell.

powershell on linux

[jmccue]

I wonder what surprises wait people who took the bait and installed powershell on Linux ?

https://docs.microsoft.com/en-... [microsoft.com]

I never used it and never saw in in action, but I knew enough to stay as far away from it as possible. For people who did did install it, between all the 'fun' breaches on M/S software lately, I wonder how many are looking at a rebuild.

Re:

[PPH]

installed powershell on Linux

I don't know how that would differ from something like bash, csh, ksh. All shells, all scriptable. But since they run on various flavors of *NIX, not terribly dangerous. As long as one doesn't do their day to day work logged on as root.

That said, it wouldn't surprise me if Microsoft's installation set PowerShell up as setuid. If so, people who use it deserve all the hell it will produce.

Re:

[Entrope]

Windows doesn't have an equivalent of the setuid bit. It has a "Run as..." ability, but that requires a password or similar login credentials. There are also other mechanisms, such as User Account Control (UAC), that limit how programs running with administrator privileges (when started by an admin account) can communicate with unprivileged processes.

Re:powershell on linux

[Luthair]

Yea I think this is the point that others are missing - I imagine for *nix systems shell scripts, perl or python which are available by default in virtually every system are abused in a similar way by attackers.

While it may make sense for most users to remove or disable powershell, if enough people are doing that then attackers will simply switch to other tools that are available on the system.

Re:

[bloodhawk]

This story isn't about problems with powershell. If anything it actually screams how good powershell is. The hackers are not "exploiting" it, they are using it as a tool post exploit to get the job done or to execute their exploits when it is available. No different to running it in Bash, they aren't bypassing Powershell security controls.

Powershell

[ArchieBunker]

Does anyone routinely use powershell interactively? The few times I have used it the commands seemed overly verbose and reminded me a lot of OpenVMS.

Re:

[rduke15]

I have vaguely tried to use it a few times, but was also annoyed by it's verbosity and general weirdness. If I need to do something on Windows that is too complex or unpractical for cmd.exe (which is most things, actually), I usually end up starting Ubuntu in WSL and doing it Bash or Perl.

Re: Powershell

[boxless]

Another good grief. There are a few syntactical oddities, but in general itâ(TM)s phenomenal. What I can accomplish via one liners is amazing. Think of Unix one liners, but the bits moving through the pipeline arenâ(TM)t necessarily text (though they could be), but are often times objects. And the exes on the pipeline usually know what to do with the object given to them. And when they donâ(TM)t, they tell you so.

Re: Powershell

[aRTeeNLCH]

Agreed that it can be powerful. However, the object oriented nature dawned upon me when I practically put the network on halt just by doing a rename, the whole files were passed back and forth on the network. Sure, beginner error, but far from nice. Power shell isn't the windows equivalent of Bash. It's wildly different, and I agree it can be very powerful. Or, as with me, it can be the lit match to see how many sticks of dynamite are really lying all around in this here abandoned mine...

Re:

[phantomfive]

It's good for administering Windows software. It has great integration with the MS suite of tools. Extensibility isn't so great, though.

Great!

[Randseed]

Another reason for the mind-numbed to disable Win+R to execute a run command so I have to navigate a bunch of menus instead of taking 1.5 seconds to type Win+R and "calc" to get a calculator.

Don't blame the tools. Blame yourselves.

[cheetah_spottycat]

No, dual-use tools are not the primary threat, dear cisco. FUCKING EXPLOITS IN YOUR FUCKING GEAR ARE. Blaming the tools for exploits is like saying that screwdrivers are the number one primary threat in home burglary cases, because that's how most unsafe windows are opened.

Re:

[bn-7bc]

Cisco used to suffer from a huge monolithic code base, with evry feature any one ever needed for any possible edge case. This did nor, as you might have guessed, lead to the most stable bug free or secure code ever

Call Me Skeptic

[lsllll]

First of all, this seems like a marketing ploy to get people to buy into Cisco Secure Endpoint. But, past that, I find it hard to believe that there are as many holes as they say (>33%) in a non-escalated process. Microsoft has patched all known bypasses of UAC. Is Cisco saying they know of new ones that MS hasn't patched yet?

Re:Call Me Skeptic

[clovis]

First of all, this seems like a marketing ploy to get people to buy into Cisco Secure Endpoint. But, past that, I find it hard to believe that there are as many holes as they say (>33%) in a non-escalated process. Microsoft has patched all known bypasses of UAC. Is Cisco saying they know of new ones that MS hasn't patched yet?

I'm with you on this.
For one thing Powershell's execution policy is set to Restricted by default on Windows client computers, which means almost every computer on the planet cannot run Powershell.

Re:

[vrt3]

What? Every computer can run Powershell. It's just a command interpreter.

Restricted does *not* mean that Powershell can't run; it only means Powershell won't execute scripts. Which is not even meant as a security system, as Microsoft's own documentation says: it's only meant so anyone can set basic rules and prevent accidentally violating those.

Re:

[clovis]

What? Every computer can run Powershell. It's just a command interpreter.

Restricted does *not* mean that Powershell can't run; it only means Powershell won't execute scripts. Which is not even meant as a security system, as Microsoft's own documentation says: it's only meant so anyone can set basic rules and prevent accidentally violating those.

good point and bad writing by me. Here's an updated statement:
I'm with you on this.
For one thing Powershell's execution policy is set to Restricted by default on Windows client computers, which means almost every computer on the planet cannot run Powershell scripts.

Misleading headline?

[munch117]

Something tells me this is really about powershell being used as the implementation language for the attack payload. Not about vulnerabilities in powershell itself or in programs written in powershell.

Which means powershell is not the source of any threats.

Re: Misleading headline?

[boxless]

Amen. My thought exactly.

Re:

[clovis]

Something tells me this is really about powershell being used as the implementation language for the attack payload. Not about vulnerabilities in powershell itself or in programs written in powershell.

Which means powershell is not the source of any threats.

Yep, totally agree.

Quote from the article:
"The top category of threats detected across endpoints by Cisco Secure Endpoint was dual-use tools leveraged for exploitation and post-exploitation tasks. PowerShell Empire, Cobalt Strike, PowerSploit, Metasploit and other such tools have legitimate uses, Cisco noted in the report, but they’ve become part of the attacker toolkit too."

Thanks to this article, we now know that letting other people run pen-testing tools on it is a bad idea.

This article is more of

Re:

[bloodhawk]

It is just Cisco trying to push their garbage security products, which in themselves are huge threat to an efficient operating environment.

Re:

[geekmux]

Which means powershell is not the source of any threats.

Which means guns are not the source of any threats.

So, why do we ban guns again?

Re:

[Kryptonut]

Careful, you'll upset the anti-MS crowd who know nothing about exploitation vs post-exploitation.

No admin for you!

[jhylkema]

This is why you don't let every Tom Dick and Harry have admin rights to their box. Thing is, many admins do just that. And that makes my job so much easier.

Re:

[Kryptonut]

Agreed. And in saying that, I'd blame the admins poor practices, not the technology itself.

Unsurprising really

[DrXym]

Powershell is a shell after all so it is a convenient way to run anything on the OS. It's certainly easier than it would be to do the same in cmd.exe although I think Powershell blows compared to bash.

However if you are not

[Growlley]

Americian, the nsa or cisco . Cisco is a major threat in it's own right,