
Need an account to vote? Register to attend at gsec.hitb.org/sg2018/
Deadline is 30th June 2018!


Good Shell Gone Bad: Identifying Malicious PowerShell

Michael Jay Villanueva & John Kevin Sanchez


Windows PowerShell was designed by Microsoft with functionality aimed at system administrators. It was created to automate the complex tasks of administering system resources, either by executing commands directly or by running scripts. Microsoft intended it to be easy to use for programmers, with an interactive prompt and a scripting environment that can be used on its own or together with other scripting languages. It also gives the user wide-ranging access to the file system and to major functions of the Microsoft Windows operating system.

Today, PowerShell has caught cybercriminals’ attention because of these powerful capabilities. It became all the more attractive and easy to use for malicious purposes because it is installed by default on machines running the Windows platform. The earliest attacks used PowerShell only to download other malware, while some macro-based Microsoft Office malware also executed the malware’s payload directly through PowerShell. Since these techniques were used by older malware, most cybersecurity vendors can easily provide solutions to these threats.

Now, malware creators are slowly getting more creative in their use of PowerShell. We have already seen PowerShell used in fileless attacks, with Kovter and Gamarue as prime examples. We have also encountered PowerShell scripts executed to inject and run shellcode in normal processes through API hosting. Many malware creators are now realizing the framework’s flexibility by incorporating PowerShell into exploits, lateral movement within the compromised network, and persistence.

With the rise of such security threats, it is fitting that we focus on gaining a better understanding of the different kinds of PowerShell threats currently in the wild. We will also explore other PowerShell functionality that may be abused by cybercriminals in the future, and discuss some of the effective solutions for protecting users and organizations from these PowerShell threats.


Michael Jay Villanueva, Threat Analyst & Researcher, Trend Micro

He started his career at Trend Micro in 2015. He works as a threat analyst and researcher on the Core Technology team. During his career he has analyzed a range of threats and created malware reports and clean-up patterns for customers. He also contributes write-ups to the TrendLabs Security Intelligence blog. Currently, he focuses on handling most of Japan’s in-depth malware analysis requests. He loves to sing and to play musical instruments such as guitar and drums, covering songs in his spare time. He also loves traveling and playing computer games. He holds a degree in Computer Science.


John Kevin Sanchez, Threat Research Engineer, Trend Micro

He has been a Threat Research Engineer at Trend Micro since 2016. He received his bachelor’s degree in Applied Physics from the University of the Philippines Diliman. His daily tasks include creating malware reports from the analysis of malicious samples. He is also capable of analyzing product logs and providing damage clean-up patterns to infected customers. He also contributes write-ups to the TrendLabs Security Intelligence blog. He is an avid sports fan, especially of basketball, and his favorite athlete of all time is Kobe Bryant. He enjoys playing video games and watching TV series and movies in his spare time.