Carbon Black United Threat Research Report Reveals How Cyber Attackers Exploit Microsoft PowerShell to Launch Attacks

Report combines data from 28 IR and MSSP partners representing 1,100 investigations and finds PowerShell involved in 38% of incidents in 2015

WALTHAM, Mass.—April 12, 2016—Carbon Black®, a leader in Next-Generation Endpoint Security (NGES), today announced the results from its first Unified Threat Research report, which details how PowerShell, a scripting language inherent to Microsoft operating systems, is being exploited by threat actors to launch cyber attacks.

The report outlines how the Carbon Black Threat Research Team, in conjunction with more than two dozen managed security services provider (MSSP) and incident response (IR) security partners, has increasingly seen PowerShell exploitation during cyber attacks, supporting a growing industry trend of malware authors creatively attempting to evade detection by exploiting native tools on operating systems.

The report (available for download here) reveals some of the techniques attackers are using to leverage PowerShell, how the software is being used, what malicious activities are occurring, and what security professionals can do to battle back.

Among the key findings in this report:

  • 38% of incidents seen by Carbon Black partners used PowerShell.
  • Nearly one-third (31%) of respondents reported receiving no security alerts prior to their investigation of PowerShell-related incidents, indicating that adversaries are successfully using PowerShell to enter and remain undetected in a company’s system.
  • 87% of the attacks leveraging PowerShell were commodity malware attacks such as click-fraud, fake antivirus, ransomware, and opportunistic malware.
  • Social engineering remains the favored technique for delivering PowerShell-based attacks, according to interviews with Carbon Black partners.
  • 13% of the attacks involving PowerShell appeared to be targeted or “advanced.”

“PowerShell is a very powerful tool that offers tremendous benefit for querying systems and executing commands, including on remote machines,” said Ben Johnson, Carbon Black’s chief security strategist. “However, more recently we’re seeing bad guys exploiting it for malicious purposes because it falls under the radar of traditional endpoint security products.”

Partners directly interviewed for this report were: BTB Security, EY (formerly Ernst & Young), Kroll, Optiv, Rapid7 and Red Canary. Twenty-eight Carbon Black partners provided details for the survey we conducted in February 2016.

The report details a specific PowerShell-related case study from Red Canary, an MSSP partner. The case study details a recent example of PowerShell being used to steal credentials via reflective DLL injection.

Recently, the Carbon Black Threat Research Team issued a threat advisory on “PowerWare,” a new variant of ransomware that targets organizations via Microsoft Word and PowerShell.

About the Report
In the first quarter of 2016, Carbon Black collaborated with more than two dozen of its IR and MSSP partners to understand how PowerShell is being used for malicious purposes. The data collected comes from direct conversations and a survey, representing more than 1,100 investigations conducted during 2015. The Carbon Black Security Partner Program is the largest of its kind, providing next-generation endpoint security services to countries worldwide. The program includes more than 70 MSSP and IR partners who leverage the Carbon Black Security Platform to help their global customers disrupt, defend and unite in combating today’s new breed of cyber-attacks.

About Carbon Black
Carbon Black leads a new era of endpoint security by enabling organizations to disrupt advanced attacks, deploy the best prevention strategies for their business, and leverage the expertise of 10,000 professionals from IR firms, MSSPs and enterprises to shift the balance of power back to security teams. Only Carbon Black continuously records and centrally retains all endpoint activity, making it easy to track an attacker’s every action, instantly scope every incident, unravel entire attacks and determine root causes. Carbon Black also offers a range of prevention options so organizations can match their endpoint defense to their business needs. Forward-thinking companies choose Carbon Black to arm their endpoints, enabling security teams to: Disrupt. Defend. Unite™.

Carbon Black is a registered trademark of Carbon Black, Inc. All other company or product names may be the trademarks of their respective owners.