
The Lockdown

Thycotic’s Cyber Security Blog

Lower Risk of PowerShell Vulnerabilities with Privilege Management


Written by Dan Ritch

November 28th, 2018

PowerShell and other scripting tools are part of an IT professional’s arsenal. They are incredibly powerful, a force multiplier which allows you to automate important or frequently used tasks. The same traits that make these tools a boon for IT pros also make them valuable to malicious actors who can use them to exponentially increase their reach within an organization.  

Allowing too many people in your organization to run PowerShell scripts could expose your infrastructure to a fileless-malware infestation

The average user in your organization does not need to run PowerShell scripts. Allowing a large number of people in your organization to run these types of scripts could expose your infrastructure to both traditional and fileless malware.

How Fileless Malware Penetrates Your Systems  

Fileless malware can be delivered or initiated using the same methods as file-based intrusions: email attachments or malicious web links. For example, a legitimate-looking Word document that a virus scanner has reviewed and approved might in fact contain a PowerShell script that executes automatically. Or a rogue web link, when clicked, could spawn a script which downloads and runs commands directly in memory, so there is no actual file to be scanned, again bypassing a critical line of defense.

These scripts could then perform any number of actions, such as downloading an additional payload which bypasses security, uploading detailed information about the compromised system to the attacker, or making permanent changes to a machine’s registry, which would then be difficult to detect or eradicate. 

Common Prevention Methods Don’t Prevent Fileless Malware  

File scanning technologies like anti-virus are a well-proven first line of defense for preventing cyber criminals from hacking into your infrastructure. But how do you prevent and contain threats which are not captured by anti-virus software, such as threats propagated through fileless malware? Once such a threat has bypassed your perimeter security, you need to rely on other detection mechanisms while also minimizing the attack surface.

Since, as the name implies, fileless malware does not sit in a file stored on disk, but is instead executed directly in the system’s memory, it could be removed from a machine by simply rebooting it. But, because scripts can be used to modify a system’s registry, malicious code could be permanently embedded within the registry, free to respawn each time the system reboots, while remaining nearly invisible. It’s a horror story worthy of Hollywood and a security professional’s nightmare.
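As an added, constructed example (not from the original post and not Thycotic's own code): a small Python triage of Run-key autorun values that flags entries launching the script hosts the post calls dangerous applications, and scores them on the command-line traits that fit the in-memory respawn pattern just described. The registry paths, commands and the PLACEHOLDERBASE64 token are all made up.

```python
import re

# Constructed sample of Run-key values, as they would look after an export;
# none of these are real findings from any system.
SAMPLE_RUN_ENTRIES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
        "powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand PLACEHOLDERBASE64",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Sync":
        r"wscript.exe //B C:\ProgramData\sync.vbs",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Backup":
        r'"C:\Program Files\Backup\agent.exe" --service',
}

# Script hosts the post lists as "dangerous applications" (plus pwsh and mshta).
SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh|cmd|wscript|cscript|mshta)(?:\.exe)?\b", re.I)

# Command-line traits that, on a script host launched at logon, fit the
# respawn-on-reboot pattern: hidden window, execution policy skipped, code
# carried inline or pulled straight into memory.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("policy_bypass", re.compile(r"(?:-ex(?:ec|ecutionpolicy)?|-ep)\s+bypass", re.I)),
    ("encoded_command", re.compile(r"-e(?:nc|ncodedcommand|c)?\b", re.I)),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("download_cradle", re.compile(r"downloadstring|invoke-webrequest|\biwr\b|\biex\b", re.I)),
]

def assess_autorun(command: str) -> dict:
    """Classify one autorun command line: which script host, which traits, how severe."""
    host = SCRIPT_HOSTS.search(command)
    hits = [name for name, rx in INDICATORS if rx.search(command)]
    if host is None:
        severity = "none"    # ordinary executable, not a script launch
    elif len(hits) >= 2:
        severity = "high"    # script host plus stacked evasion flags
    elif hits or host.group(1).lower() in ("wscript", "cscript", "mshta"):
        severity = "medium"  # a script host at logon deserves review on its own
    else:
        severity = "low"
    return {"host": host.group(1).lower() if host else None,
            "indicators": hits, "severity": severity}

def scan_autoruns(entries: dict) -> list:
    """Return (key path, severity, indicators) for each script launch, worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [(p, r["severity"], r["indicators"]) for p, c in entries.items()
                for r in [assess_autorun(c)] if r["severity"] != "none"]
    return sorted(findings, key=lambda f: order[f[1]])
```

Run `scan_autoruns(SAMPLE_RUN_ENTRIES)` to see the two script launches ranked; on a real host the dict would be filled from a registry export instead.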

How Can You Stop a Fileless Malware Attack?

You must adopt a layered security posture that combines multiple techniques: anti-virus and file-based scanning in conjunction with behavior monitoring and strict enforcement of least privilege.

Reduce your attack surface to minimize your risk

The threat is real, and once this type of attack has resulted in successful infiltration, one of the best ways to defend against it is to minimize the potential damage. Minimize the resources that a person or server has access to and enforce least privilege broadly across your organization. Doing so reduces your attack surface significantly.  

You can also use a tool like Thycotic Privilege Manager to actively monitor “dangerous applications” – PowerShell, command prompt, wscript, cscript. By creating a “Dangerous Application Policy” you can specify which scripts are permissible for which users and even reference a whitelisted library of safe scripts which can be executed by users who don’t usually have high enough privileges to run scripts in general (the scripts themselves can be run with higher privileges than the user running them).  

By taking this approach, you limit who has access to these powerful tools and restrict how they are used, greatly reducing the attack surface. 

Also, with the dangerous script policy enabled, Privilege Manager can monitor whether such a script was executed, and by whom. It also allows you to cordon off usage to particular machines, to groups of users, or to specific users. When a user logs in using their own account, their personalized policy will be enforced, which is yet another reason why all users should log in using their own accounts and not a shared admin account.

Locking down who can execute these scripts and limiting their reach reduces the threat not only from external bad actors, but also from insiders. Combine this with active monitoring of which users or applications are launching scripts, and your security team will be able to assess and address threats quickly and accurately.
