Microsoft’s PowerShell is a cross-platform task automation and configuration management framework for administering systems and the objects they expose. It is most commonly used to automate systems management and to build, test, and deploy solutions in CI/CD environments.

But what does this have to do with pen testing?

And why should pen testers learn about PowerShell?

A client’s IT Administrator recently asked the Packetlabs pen testers these questions, so we decided to create a blog about it! Here we explain why PowerShell is a valuable addition to a pen testing toolkit.

PowerShell: An Effective Threat Vector

It may surprise you to know that PowerShell is very popular with hackers, who use it to find and exploit security holes in enterprise IT systems. If you’ve read some of our other pen testing blogs, such as this article on pen test reports, you know that finding holes in security systems is what pen testers do as well. So if bad actors use PowerShell to compromise enterprise networks, it makes sense for ethical hackers to use it too.

Bad actors leverage PowerShell to run file-less malware: code that is never written to disk as a conventional executable but resides in memory, from which it injects payloads into running processes or executes them directly as script. Such payload delivery scripts tend to run unchallenged because PowerShell is a trusted, widely deployed application. Moreover, PowerShell’s deep Windows integration and its access to every part of a host through the .NET framework give bad actors the cover they need to bypass traditional security controls and breach networks.

Real-world Attacks Using PowerShell

PowerShell has been front and center in several real-world attacks in recent years. In 2016, the Odinaff hacker group attacked multiple financial institutions. Just a year later, PowerShell malware had grown by 432% year over year. The 2017 Equifax breach of customer PII demonstrated how malicious actors could leverage PowerShell to exploit unpatched vulnerabilities.

In 2018, IBM researchers observed that remote attackers tried to use PowerShell to download malicious content and automatically trigger payload execution to infect target systems. One example of this was Operation Gold Dragon, a malware campaign targeting the 2018 Winter Olympics.

Most recently, in 2021, APT group ZINC targeted threat researchers at security and tech companies. The hackers used a malicious pre-build event with a PowerShell command to launch Comebacker malware and register a malicious service on the target.

But this still doesn’t clarify why pen testers should use PowerShell. Shouldn’t finding its many exploitable security holes be a job for Microsoft’s development team? Packetlabs has the answer for you below.

Why Pen Testers Should Use PowerShell

Pen testing is about ethical hackers thinking like malicious hackers. So if bad actors use PowerShell to find weaknesses in an enterprise network, pen testers should do the same.

PowerShell allows administrators to manage enterprise infrastructure with configuration as code. It also extends management capabilities to Active Directory (AD) objects. Unfortunately, attackers can leverage these same capabilities, for example after a phishing or social engineering attack, to execute disruptive payloads or steal PII. Even worse, since PowerShell can be used to run file-less malware, malicious activities are more difficult to detect.

But it’s not all doom and gloom. During a pen test, testers can obtain domain administrative access if insecure AD defaults are in place. By enforcing Access Control Lists (ACLs) on AD attributes, however, the organization can define which entities have permissions on specific AD objects, which lowers the risk of attack. Pen testing helps realize this positive outcome, and that is why PowerShell is so valuable for pen testing!
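The ACL review described above, as an added example that is not Packetlabs’ code: it lists the explicit (non-inherited) access control entries on an AD object that grant rights strong enough to take the object over, filtering out the principals expected to hold them. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access; the AdminSDHolder container is used as a sensitive object worth checking.

```powershell
# Added example, not Packetlabs' code. Lists explicit (non-inherited) ACEs on an AD object
# that grant rights strong enough to take it over, excluding the principals expected to
# hold them. Assumes the RSAT ActiveDirectory module and a domain-joined, read-capable session.
Import-Module ActiveDirectory

function Get-RiskyAdAce {
    param(
        # Distinguished name to audit; defaults to the domain head object.
        [string]$DistinguishedName = (Get-ADDomain).DistinguishedName
    )
    $domain = Get-ADDomain
    # Rights that allow rewriting the object, its DACL, or its owner.
    $riskyRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty'
    # Principals expected to hold such rights on most objects; anything else warrants review.
    $expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                "$($domain.NetBIOSName)\Domain Admins",
                "$($domain.NetBIOSName)\Enterprise Admins"

    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    # For WriteProperty, ObjectType names the attribute or property set the ACE covers;
    # the all-zero GUID means every attribute.
    $acl.Access |
        Where-Object {
            $ace    = $_
            $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
            $ace.AccessControlType -eq 'Allow' -and
            -not $ace.IsInherited -and
            ($rights | Where-Object { $riskyRights -contains $_ }) -and
            ($expected -notcontains $ace.IdentityReference.Value)
        } |
        Select-Object @{ n = 'Principal';  e = { $_.IdentityReference.Value } },
                      @{ n = 'Rights';     e = { $_.ActiveDirectoryRights } },
                      @{ n = 'ObjectType'; e = { $_.ObjectType } },
                      InheritanceType
}

# Review the domain head and the AdminSDHolder container, whose ACL is stamped onto
# protected accounts and groups.
Get-RiskyAdAce | Format-Table -AutoSize
Get-RiskyAdAce -DistinguishedName ("CN=AdminSDHolder,CN=System," + (Get-ADDomain).DistinguishedName) |
    Format-Table -AutoSize
```

An ACE that should not be there can be removed with `$acl.RemoveAccessRule($ace)` followed by `Set-Acl -Path "AD:\$dn" -AclObject $acl`, after confirming it is not relied on by a legitimate service.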

PowerShell is a powerful post-exploitation tool that lets pen testers explore a large attack surface and exercise many attack possibilities. By understanding PowerShell, they can adopt the hacker mindset, using it as an attacker would to run malware and stealthily gather enterprise data. They can also explore and examine ways to limit this and other script-based methods of attack. These are some of the critical reasons why Packetlabs pen testers are encouraged to develop their PowerShell expertise.
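One of the ways to limit script-based attacks mentioned above is to make PowerShell activity visible. As an added example that is not Packetlabs’ code, the following enables Script Block Logging through the same registry policy key Group Policy writes and then reviews the resulting event ID 4104 records for markers typical of in-memory payload staging. It assumes an elevated session on a Windows host running PowerShell 5.1 or later; the marker list is constructed for this example.

```powershell
# Added example, not Packetlabs' code. Enables PowerShell Script Block Logging via the
# registry policy key Group Policy uses, then reviews event ID 4104 records for markers
# typical of in-memory (file-less) payload staging.
# Assumes an elevated session on a Windows host running PowerShell 5.1 or later.

function Enable-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Get-SuspiciousScriptBlock {
    param([int]$Hours = 24)
    # Constructed marker list for this example: decoding, in-memory execution, remote fetch,
    # reflective assembly loading. Tune to your environment; expect benign hits from admin tooling.
    $markers = 'FromBase64String', 'Invoke-Expression', 'IEX', 'DownloadString',
               'EncodedCommand', 'Reflection.Assembly'
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            # 4104 payload fields: [2] ScriptBlockText, [4] Path (empty when the block was
            # never a file on disk, which is the file-less case described in this post).
            $text = [string]$evt.Properties[2].Value
            $path = [string]$evt.Properties[4].Value
            $hits = @($markers | Where-Object { $text -like "*$_*" })
            if ($hits.Count -gt 0) {
                $source = if ($path) { $path } else { '<in memory, no script file>' }
                [pscustomobject]@{
                    Time    = $evt.TimeCreated
                    Markers = $hits -join ', '
                    Source  = $source
                    Preview = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

Enable-ScriptBlockLogging
Get-SuspiciousScriptBlock -Hours 24 | Format-Table -AutoSize -Wrap
```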

Conclusion

In the past decade and a half, PowerShell has become a fundamental element of Windows system software. However, it has also become a favoured vehicle for file-less malware. For each project, the pen testers at Packetlabs undertake a thorough PowerShell analysis to find vulnerabilities that threaten the organization’s security profile and attempt to exploit them to access sensitive information. Based on our findings, we provide practical recommendations that enhance our clients’ security. Most traditional pen testers who rely on automated scanning cannot make these claims.

If you have any further questions about PowerShell, please email us at info@packetlabs.net. We also welcome requests for free quotes on our pen testing services. Please click here, and we’ll get in touch with you within 48 hours.