For a long time now, our Threat Analysts have flagged the growing threat of script-based attacks, especially from Microsoft PowerShell and Windows Management Interface script commands, and their ability to escape notice in many antivirus solutions. Increasingly, these types of attacks have become the common standard for gaining entry into corporate systems and moving laterally to inflict damage. Today, we announce several new features to help prevent and detect script abuse, including an extension of our ability to prevent script-based attacks built on AMSI integrations, and the ability to translate the actual contents of obfuscated PowerShell scripts in the Carbon Black Cloud console.
In our current work from home/COVID-19 environment, these script-based attacks continue to grow in size and global spread. Common tools like PowerShell enable attackers to hide their intent behind obfuscated script content, and the resulting lateral movement is facilitated by the abuse of Windows Management Interface (WMI), and Google Drive. According to our latest Incident Response Report, the lateral movement was observed in a third (33%) of today’s attacks.
Detecting Stealthy Script Abuse
To combat this stealthy attack technique, the Carbon Black Cloud has added capabilities that expose the exact commands behind obfuscated PowerShell scripts. By adding this capability directly into our NGAV product console, we’re able to assist less experienced security teams in detecting attacks they may have otherwise missed, as well as accelerate a formerly time-consuming investigation process. This feature also includes new insights on PowerShell scripts for those using older, legacy systems that don’t support AMSI.
Due to the broad usage of PowerShell in enterprise IT environments, many of these obfuscated scripts go unnoticed by EPP solutions because they trigger either no alert or deceivingly low-level alerts. This makes it easy for threat actors to hide nefarious commands. Normally, you would have to copy that script and paste it into an external script translation app that would take you completely out of the context of the attack and offer only limited details around the command line. This entire process could take anywhere from several hours to days to resolve. The ability to translate these obfuscated scripts with a button-click during alert triage or threat hunting will save analysts hours of investigation time, by allowing them to quickly see the code and determine whether the intent is malicious or not immediately.
Preventing Script Abuse Without Decreasing Productivity
Thanks to our Threat Analysis Unit, VMware Carbon Black built prevention rules onto our AMSI inspection capabilities, along with machine learning to translate these previously hidden scripts. Customers can now quickly at the click of a mouse, translate the script in the Carbon Black Cloud dashboard to see the entire decoded script within seconds, along with highlighting of key function calls. This new functionality brings a level of protection and visibility for these advanced attacks rarely seen in endpoint protection platforms, providing customers’ immediate access in-console to the script translation details during both alert triage and threat hunting.
PowerShell alerts are highlighted in the console, showing the reason why a specific script was flagged, and delivering additional context behind the prevention to speed resolution times. When customers investigate the specific details, they can now simply click a button to translate the obfuscated script.
In addition to translating obfuscated scripts, we’ve also improved the readability of PowerShell scripts through syntax highlighting, making it easier for customers to scan for string content vs PowerShell command-lets and function calls while searching for threats.
Working closely with our Threat Analysis Unit, we’ve also expanded prevention capabilities for script-based Windows attacks built on Microsoft AMSI Integrations into our default prevention policy, making it easy for customers using our product to have an effective security posture right out of the box,
VMware Carbon Black’s Threat Analysis Unit updated the default policy to include additional granularity for frequently used off-the-shelf attacker frameworks seen regularly in script-based attacks. These updated rules offer high-fidelity prevention for script-based attacks that decrease false positives and take the strain off already resource-deficient security teams. These updated preventions are available upon download of our latest Windows sensor 3.6 coming out this week.