PowerShell has gained considerable attention over the past few years in response to increased task automation in the Windows environment.
PowerShell has gained considerable attention over the past few years in response to increased task automation in the Windows environment. Regardless of PowerShell’s capability to address administrators’ day-to-day operations, it is widely used for penetration testing and even attacking purposes. Specifically designed post-exploitation attacks and payloads by utilizing PowerShell are difficult to prevent on the condition thatas the attackers gain privilege accounts. All protections ranging from the control on Execution Policy, Constrained PowerShell to customize the remote endpoints, AppLocker to allow or deny applications from running, to the control of objects with PSLockdownPolicy in PowerShell V3 could be, in some ways, tampered or bypassed to run malicious PowerShell script.
Security monitoring by enabling subtle details in PowerShell Event Logs is able to collect useful information when PowerShell is called, but attackers could find a way to alter or disable those legitimately. So far no major study exists to corroborate such a conclusion on about the defense against PowerShell attacks in this condition. Until such a study is undertaken or a new feature is introduced, we have built a PowerShade platform, a prototype in python script to observe, capture, and neutralise PowerShell post-exploitation attacks.