91% of critical incidents involve known, legitimate binaries like PowerShell

Minimalist · Jun 28, 2018

Opportunistic threat actors are leveraging trusted tools, like PowerShell, to retrieve and execute malicious code from remote sources. According to eSentire, 91% of endpoint incidents detected in Q1 2018 involved known, legitimate binaries, such as PowerShell or mshta.exe.
Click to expand...

https://www.helpnetsecurity.com/2018/06/28/incidents-legitimate-binaries/

Minimalist · Feb 26, 2019

For many crooks, malware is out and PowerShell attacks are in, IBM says

Digital thieves are ditching traditional forms of cybercrime in favor of more subtle techniques that apparently help them avoid detection, IBM says.
Click to expand...

https://www.cyberscoop.com/powershell-attacks-cybercrime-ibm-xforce-report/

itman · Feb 26, 2019

Minimalist said: ↑

For many crooks, malware is out and PowerShell attacks are in, IBM says
Click to expand...

IBM missed a couple of additional SysInternals tools that are often used maliciously. In addition to PsExec, PsLoggedOn and ProcDump can also be used for remote execution, interactive logon enumeration, and dumping of credentials within lsass.exe address space respectively.

itman · Feb 26, 2019

Also of note is how Powershell scripts can be run without using PowerShell: https://safe-cyberdefense.com/malware-can-use-powershell-without-powershell-exe/ . One of these uses Win LOL methods which was used in a recent Edge bypass: https://www.bleepingcomputer.com/ne...for-microsoft-edge-remote-code-execution-bug/

guest · Mar 27, 2019

Hackers Are Loving PowerShell, Study Finds
March 27, 2019
https://www.securityweek.com/hackers-are-loving-powershell-study-finds

PowerShell is by far the most prevalent MITRE ATT&CK technique, being detected twice as often as the next most common technique, says a new report from cybersecurity firm Red Canary.

The reason PowerShell is so prevalent is quite clear: it has been included in essentially every Windows operating system by default for a decade, provides access to Windows API, and is rarely constrained, thus allowing adversaries to perform administrative and automation tasks without risking being blocked.
The open-source and cross-platform availability of PowerShell has resulted in the creation of tools capable of building payloads to target Windows, macOS, and Linux in new, unpredictable ways, the report (PDF) points out.
Click to expand...

Log in or Sign up

91% of critical incidents involve known, legitimate binaries like PowerShell

Minimalist Registered Member

Minimalist Registered Member

itman Registered Member

itman Registered Member

guest Guest

Log in or Sign up

91% of critical incidents involve known, legitimate binaries like PowerShell

Minimalist Registered Member

Minimalist Registered Member

itman Registered Member

itman Registered Member

guest Guest

Useful Searches