Key Points

  • Scripting languages like PowerShell, JScript, and VBScript are essential for system administration and automation but have become popular tools for cybercriminals due to their powerful capabilities and integration within operating systems.
  • PowerShell is one of the most commonly used scripting languages by threat actors. Configuring tailored controls through execution policies and Constrained Language mode can enhance security by restricting specific functions used by malware.
  • JScript and VBScript have become popular tools in malware distribution campaigns for gaining initial access. Implementing Windows Defender Exploit Guard (WDEG) with features like attack surface reduction rules, controlled folder access, and network protection can help mitigate these threats.
  • Given the evolving nature of script-based threats and their deep integration with critical system processes, organizations must implement tailored security controls beyond default configurations to protect endpoints and reduce attack surface.

In the ever-evolving landscape of cybersecurity, scripting languages such as PowerShell, JScript, and VBScript have emerged as double-edged swords. While they are indispensable tools for legitimate system administration, web development, and automation tasks, their powerful capabilities also make them attractive to malicious actors. This report will discuss why threat actors use malicious scripts, analyze several popular scripting languages abused by adversaries, and provide actionable recommendations for organizations to harden systems against the misuse of these versatile tools.

Advantages of Script-based Malware

Scripting languages have been a popular way to facilitate the execution of malicious code for years: in 2023, 64.9% of critical security incidents observed by ReliaQuest involved the abuse of command and scripting interpreters. The prevalence of script-based attacks underscores the critical need to understand what makes them so effective and what defensive measures can help prevent these attacks. Scripting languages provide many advantages for threat actors, including:

1. Prevalence and accessibility: These scripting languages are embedded within all modern versions of Windows. Their ubiquity ensures that attackers have a ready-made execution environment on potential target systems without needing to deliver or install additional software that could be blocked or detected.

2. Stealth and evasion: Script-based malware variants often exhibit a smaller footprint than traditional executable files, making them harder for conventional antivirus solutions to detect. Scripts can be obfuscated, encoded, or delivered in small chunks to evade detection mechanisms. PowerShell and VBScript, for instance, can execute directly from memory without writing to the disk (“fileless” execution), significantly reducing the chances of detection by file-based scanning mechanisms.

3. Versatility and power: These languages provide powerful access to system resources, network interfaces, and user data. PowerShell, for example, has direct access to the .NET framework, allowing attackers to perform complex tasks like network discovery, credential theft, and system manipulation with relative ease.

4. Ease of modification and adaptation: Scripts are relatively easy for attackers to modify, update, or tailor to specific targets or environments. This flexibility allows threat actors to quickly adapt their tactics to evade detection, exploit new vulnerabilities, or target specific systems or applications.

PowerShell

PowerShell is a powerful scripting language and command-line shell developed by Microsoft. It is built on the .NET framework, which makes it a highly versatile and capable tool for performing complex tasks like network discovery, credential theft, and system manipulation. During 2023, ReliaQuest observed the use of PowerShell in nearly a quarter of all critical detections for malware execution.

PowerShell is used by many commercial and open-source offensive security tools as well as custom tools developed by threat actors. Post-exploitation frameworks such as Empire, Nishang, and PowerSploit are based entirely on PowerShell, while several others, including Metasploit and Cobalt Strike, support the use of PowerShell for in-memory execution and various post-exploit actions. FIN7—a financially motivated cybercrime organization affiliated with various ransomware groups including Darkside, REvil, and Clop—has been known to rely heavily on PowerShell in its operations. Many of its custom tools are PowerShell-based.

Given PowerShell’s deep integration into the Windows ecosystem and its powerful capabilities, an attacker could theoretically conduct an entire intrusion solely using PowerShell. It is rare to see an incident in which PowerShell is not used at some stage of the intrusion. The widespread use of PowerShell by threat actors emphasizes the importance of monitoring and controlling its use within organizational networks.

Mitigation and Best Practices

Constrained Language Mode

Constrained Language mode restricts PowerShell’s scripting environment to a subset of its functionality, limiting access to potentially dangerous operations. It prevents the use of certain language elements and object types that could be abused by an attacker. By doing so, it reduces the attack surface available to a malicious script, making it harder for such scripts to execute harmful actions, evade detection, or escalate privileges.
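To make the restriction concrete, here is an added example (not code from the report) that switches a throwaway PowerShell session into Constrained Language mode and contrasts an allowed cmdlet with a blocked .NET object creation; the in-session switch is a test mechanism only, and enforcement in production comes from a WDAC or AppLocker script policy.

```powershell
# Added example (not from the ReliaQuest report): observe what Constrained
# Language mode removes. Run in a throwaway PowerShell session, because a
# session that enters ConstrainedLanguage cannot return to FullLanguage.

"Starting language mode: $($ExecutionContext.SessionState.LanguageMode)"

# Switch this session only. This is a test switch, not an enforcement control;
# durable enforcement comes from a WDAC or AppLocker script policy, which
# PowerShell honours by starting in ConstrainedLanguage automatically.
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
"Now running in: $($ExecutionContext.SessionState.LanguageMode)"

# Built-in cmdlets and core types remain usable, so routine administration still works.
Get-Process -Id $PID | Select-Object Name, Id
(Get-Date).AddDays(1).ToString('yyyy-MM-dd')

# Arbitrary .NET types are not: the language mode refuses to create a
# WebClient, the object many download cradles use to fetch a second stage.
try {
    $null = New-Object System.Net.WebClient -ErrorAction Stop
    'WebClient created (would only happen in FullLanguage)'
} catch {
    "Blocked: $($_.Exception.Message)"
}

# Compiling new code with Add-Type is disabled as well.
try {
    Add-Type -TypeDefinition 'public class Probe { public static int One() { return 1; } }' -ErrorAction Stop
    'Add-Type succeeded (would only happen in FullLanguage)'
} catch {
    "Blocked: $($_.Exception.Message)"
}
```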

Execution Policies

PowerShell execution policies are designed to control the conditions under which PowerShell scripts are allowed to run. These policies help to prevent the execution of malicious scripts by imposing conditions that help ensure safe script execution. There are several execution policies, including:

  • Restricted: The default execution policy on Windows client computers, which prevents any scripts from running.
  • AllSigned: Only scripts signed by a trusted publisher can be executed.
  • RemoteSigned: The default on Windows server computers. Scripts created on the local machine can be run without being signed, but scripts from the internet must be signed by a trusted publisher.
  • Unrestricted: Allows all scripts to run but prompts the user before executing scripts downloaded from the internet.

Combining to Reduce Threats

When used together, Constrained Language mode and execution policies can significantly reduce the threat of malicious PowerShell scripts. However, these features may impact legitimate scripting activities. Organizations should assess their security needs against operational requirements to find a balance that maintains security without unduly hindering productivity.

  • Layered defense: By combining Constrained Language mode with a restrictive execution policy (such as AllSigned or RemoteSigned), organizations can implement a layered defense strategy. This approach ensures that only trusted scripts can run and that they do so with limited capabilities.
  • Preventing evasion: Malicious scripts often attempt to modify the execution environment to bypass security controls. A strict execution policy can prevent unauthorized changes to the PowerShell environment, including attempts to disable Constrained Language mode.
  • Limiting malicious downloads and execution: Constrained Language mode can block scripts from invoking certain .NET methods that could be used to download and execute additional payloads. Combining Constrained Language mode with an execution policy that requires scripts to be signed makes it significantly more difficult for attackers to introduce and execute malicious code.
  • Compliance and auditing: Both features can be audited and enforced through Group Policy, allowing organizations to ensure compliance with security policies across their environments. Logs can be monitored for attempts to bypass these controls, providing insight into potential security threats.
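The following added example (not code from the report) audits the controls described in the preceding sections on one host: execution policy by scope and whether Group Policy pins it, the session's language mode, a script's Authenticode status, and a sweep of script block log events for bypass attempts. The script path is an assumption for illustration, and Script Block Logging must be enabled for the final step to return anything.

```powershell
# Added example (not from the ReliaQuest report): audit PowerShell hardening
# controls on a host and look for attempts to sidestep them.

# 1. Execution policy is resolved per scope in the order shown; the first scope
#    that is not Undefined wins, so a MachinePolicy value set through Group Policy
#    overrides anything a user configures with Set-ExecutionPolicy.
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy -AutoSize
"Effective policy: $(Get-ExecutionPolicy)"

# Group Policy writes the machine-wide setting to this key; when it exists,
# users cannot loosen the policy locally.
$gpo = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
if (Test-Path $gpo) { Get-ItemProperty $gpo | Select-Object EnableScripts, ExecutionPolicy }
else { 'No Group Policy execution policy applied' }

# 2. Language mode of this session: ConstrainedLanguage when a WDAC or
#    AppLocker script policy is enforced, FullLanguage otherwise.
"Language mode: $($ExecutionContext.SessionState.LanguageMode)"

# 3. Check a script's Authenticode signature, the property AllSigned relies on.
#    The path is an assumption for illustration.
$script = 'C:\Scripts\Maintenance.ps1'
if (Test-Path $script) {
    $sig = Get-AuthenticodeSignature -FilePath $script
    '{0}: {1} ({2})' -f $script, $sig.Status, $sig.SignerCertificate.Subject
}

# 4. Sweep recent script block log events (ID 4104, requires Script Block
#    Logging) for common attempts to bypass the controls above.
$patterns = 'ExecutionPolicy\s+Bypass', '-ep\s+bypass', 'LanguageMode', 'Unrestricted'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $m = $_.Message; $patterns | Where-Object { $m -match $_ } } |
    Select-Object TimeCreated, @{ n = 'Snippet'; e = { $t = $_.Message -replace '\s+', ' '; $t.Substring(0, [Math]::Min(120, $t.Length)) } } |
    Format-Table -Wrap
```

Hits from step 4 are leads for triage, not verdicts: administrators legitimately use these switches, so correlate with the user, parent process, and the signed status from step 3.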

What ReliaQuest Is Doing

To identify script-based malware, ReliaQuest offers detection rules to customers. These rules alert defenders to suspicious PowerShell execution that could be related to malware. To remediate suspicious activity, associated GreyMatter Respond Plays can be executed by ReliaQuest customers or by the ReliaQuest team on a customer’s behalf.

Threat Forecast

Script-based malware has proven to be particularly effective due to its deep integration with the Windows operating system. Languages like PowerShell, JScript, and VBScript can interact closely with system processes and configurations, enabling attackers to execute complex malicious activities. We predict, with high confidence, that the use of script-based malware will not decrease in the long term. Given this inherent risk, organizations must go beyond default security measures to protect their endpoints. It is essential to implement additional security technologies, such as advanced threat protection solutions, endpoint detection and response (EDR) systems, and custom security configurations tailored to these specific threats.