MICROSOFT POWERSHELL is becoming a haven for malicious code, with 95.4 per cent of the PowerShell scripts analysed in a recent sandbox study found to be malicious, according to Symantec.
As we recently reported, PowerShell is set to replace the Command Prompt as the default shell in Windows 10 when the Creators Update arrives next year. It has already done so in Insider builds.
PowerShell itself is nothing new: it has shipped with Windows for around ten years and is generally enabled by default.
Symantec's sandbox analysis covered 111 threat families, and nearly all of the scripts it examined were malicious, which shows how much exposure the move could create for businesses.
Symantec advises that sysadmins make sure machines are running the latest version of PowerShell and enable extended logging and monitoring options. They also suggest you buy their stuff, but that was always a possibility.
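The two pieces of advice above translate into a handful of policy registry keys. The following is an added example, not code from the article or from Symantec; it assumes an elevated PowerShell 5.x session on Windows 10 or Server 2016, where these policy keys and event IDs exist, and the transcript directory path is an assumed example value.

```powershell
# Added example, not from the article or Symantec. Assumes an elevated PowerShell 5.x
# session on Windows 10 / Server 2016. The registry paths mirror the Group Policy settings
# under Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.

# 1. Confirm the engine version: script block logging needs 5.x, so anything older is
#    both a logging gap and a sign the box has not been patched.
$PSVersionTable.PSVersion

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 2. Script block logging: records the de-obfuscated text of every script block as it is
#    compiled, as event 4104 in Microsoft-Windows-PowerShell/Operational. This is the
#    setting that defeats most string obfuscation, because the log sees the code after decoding.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 3. Module logging: pipeline execution details (event 4103) for every module ('*').
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# 4. Transcription: a plain-text transcript of every interactive session, including
#    output. C:\PSTranscripts is an assumed path; in production point this at a share
#    that users can write to but not read or modify.
$transcriptDir = 'C:\PSTranscripts'
New-Item -Path $transcriptDir -ItemType Directory -Force | Out-Null
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value $transcriptDir

# 5. Verify the policy took and that the operational log is enabled and large enough.
Get-ItemProperty -Path "$base\ScriptBlockLogging", "$base\ModuleLogging", "$base\Transcription"
Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell/Operational' |
    Select-Object LogName, IsEnabled, MaximumSizeInBytes

# 6. The old 2.0 engine does not honour script block logging, so an attacker can run
#    "powershell -version 2" to bypass it. Remove the engine where it is still present.
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root |
    Select-Object FeatureName, State
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
```

Two practical caveats: the operational log defaults to a 15 MB ring buffer, which script block logging fills in hours on a busy host, so raise it (`wevtutil sl Microsoft-Windows-PowerShell/Operational /ms:1073741824`) and forward events to a central collector rather than relying on the local log; and the settings only take effect for sessions started after the keys are written, so a long-running malicious session is not retroactively captured.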
Among the high-profile cases which have involved PowerShell are the Odinaff group's attacks on financial institutions and the Trojan.Kotver infection, which was built to live in the registry without writing any files to disk.
PowerShell can also be used to uninstall security products, detect sandboxes and sniff passwords.
Symantec says: "PowerShell is installed by default on most Windows computers, and most organisations do not have extended logging enabled for the framework. These two factors make PowerShell a favored attack tool.
"Furthermore, scripts can easily be obfuscated and allow for payloads to be executed directly from memory."
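Once script block logging is on, the obfuscation Symantec describes is largely undone for you, because event 4104 carries the script text after PowerShell has decoded it. The following hunt over those events is an added example, not code from the article or from Symantec; it assumes script block logging is already enabled, and the indicator list is an assumption of common building blocks of encoded, obfuscated and download-to-memory scripts rather than any vendor signature set.

```powershell
# Added example, not from the article or Symantec. Assumes script block logging is on,
# so Microsoft-Windows-PowerShell/Operational carries event 4104 whose Properties[2] is
# the de-obfuscated ScriptBlockText. The indicator strings below are an assumed starting
# list, not a Symantec signature set; tune them against your own baseline.

$indicators = @(
    'FromBase64String',                    # decoding an embedded payload
    '-EncodedCommand', '-enc ',            # base64 command line
    'Invoke-Expression', 'IEX',            # run a string as code
    'DownloadString', 'DownloadFile',      # fetch a second stage into memory
    'Invoke-WebRequest',
    'Reflection.Assembly]::Load',          # reflective load of a byte array
    'VirtualAlloc', 'Add-Type',            # unmanaged memory / inline C#
    '-w hidden', '-nop', '-noni',          # hidden window, no profile, non-interactive
    "'+'", '"+"'                           # string-concatenation obfuscation
)

# Long runs of base64 are a strong signal even when no keyword matches.
$base64Run = '[A-Za-z0-9+/=]{200,}'

function Find-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 5000)

    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value
            $hits = @($indicators | Where-Object { $text -match [regex]::Escape($_) })
            if ($text -match $base64Run) { $hits += 'base64-run' }

            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = $_.UserId
                    Hits    = ($hits -join ', ')
                    Length  = $text.Length
                    # First 120 characters, whitespace collapsed, so the table stays readable.
                    Preview = ($text -replace '\s+', ' ').Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

Find-SuspiciousScriptBlocks |
    Sort-Object Time -Descending |
    Format-Table -AutoSize -Wrap
```

The first thing this surfaces on a real estate is your own tooling: management agents and installers also use `-EncodedCommand` and `Add-Type`, so expect to whitelist by script path (`Properties[4]`) or signing identity before the output is useful. Keyword matching is deliberately crude; the point of enabling 4104 is that the decoded text is there to be matched at all, which is not true of a command-line or process-creation log on its own.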
OpenSSH support has also been added to bolster security, but because PowerShell is so much more capable than the old command line, it offers a lot more scope for mischief. It is, however, the basis for the Linux/Windows interoperability that has been so visible over the last year or so.
Back in August, a Windows 10 update that was rolled out automatically broke PowerShell altogether, leaving it unusable for a week. µ