Responding to PowerShell Attacks

PowerShell has become so ubiquitous that it is found in all Windows environments, from personal computers to large corporate networks. It offers an interactive, object-oriented shell ported to the .NET Framework [1], which makes it different from other, text-based shells. It facilitates the administration of very large corporate networks, allowing administrators to seamlessly issue commands remotely on other computers. Complemented with Windows Management Instrumentation (WMI), PowerShell is an even greater asset: it gives access to every imaginable resource on a device and across the network. Having become such an established tool, it is installed by default on all modern Windows operating systems.

Just as PowerShell has gained popularity, fileless malware has become a trend in modern-day cyber attacks. Unlike traditional malware, which requires malicious programs to be installed on the target machine prior to execution, fileless malware often exploits already installed tools [2]. Furthermore, payloads are loaded directly into memory and executed there, never touching the disk. Hence, the only evidence lives for a very short time in memory.

This project focuses on investigating WMI attacks through PowerShell in an incident response scenario. Because PowerShell and WMI are both whitelisted [3] by conventional anti-malware tools and also promote stealth, they have become an attacker’s favourite. PS-Investigate, the designed memory forensics solution, is based on the study of the underlying Component Object Model (COM) objects produced by the WMI activity. It provides an acquisition solution, depicted in Figure 1 as part of PS-Investigate, which dumps a sample of PowerShell’s memory containing the studied artifacts. The dumping is narrowed down by first locating the sections in memory where these objects reside, and then using two specific trigger points to invoke the dumping procedure. This also helps keep the dump size as small as possible.

The analysis stage then makes use of an observed pattern to extract the useful information. The results achieved by PS-Investigate are comparable to the results obtained by Event Tracing for Windows (ETW). PS-Investigate, though, enjoys a reduced Trusted Computing Base (TCB), making it more secure and reliable. Although some overhead is introduced, its results provide a good level of information, even when compared to ETW.

Figure 1. PS-Investigate

References

[1] Getting started with Windows PowerShell — Microsoft Docs. https://docs.microsoft.com/en-us/powershell/scripting/getting-started/getting-started-with-windows-powershell?view=powershell-6, 2017. Accessed: 2019-06-5.

[2] S. Mansfield-Devine. Fileless attacks: compromising targets without malware. Network Security, 2017(4):7–11, 2017.

[3] S. M. Pontiroli and F. R. Martinez. The Tao of .NET and PowerShell malware analysis. In Virus Bulletin Conference, 2015.

Student: Neil Sciberras
Supervisor: Dr Mark Joseph Vella
Course: B.Sc. (Hons.) Computing Science