PowerShell is available as a script environment on all Windows systems and is not only popular with administrators. Attackers also appreciate PowerShell to run malicious scripts in Windows environments.
Advertising
When evaluating security incidents at customers, security researchers at Red Canary found that PowerShell was at the top of the list of cybercriminal preferences. This is the conclusion of Hackers Are Loving PowerShell, Study Finds.
Data collected from 10,000 confirmed attacks shows that PowerShell, Scripting, Regsvr32, Connection Proxy, Spearphishing Attachments and Masquerading were the most common techniques. The most commonly used attack technique is PowerShell, and the reason is clear. PowerShell has been standard on virtually every Windows operating system for a decade. PowerShell provides access to the Windows API and is rarely restricted, so attackers cannot perform management and automation tasks.
Attackers can use PowerShell to control the execution of a local script, retrieve and run remote resources using various network protocols, encode payloads passed from the command line, or load PowerShell into other processes.
Easily available PowerShell libraries allow deployments to take full advantage of PowerShell functionality in any process. PowerShell's open source and cross-platform availability has also led to the development of tools that are capable of creating malicious code for Windows, macOS, and Linux. More details can be found in Hackers Are Loving PowerShell, Study Finds.
