Investigating PowerShell Attacks
As is often the case, the increased availability of PowerShell has been paralleled by research into the ways attackers can take advantage of it. During the course of their incident response work at Mandiant, the authors have also observed adversaries increasingly using PowerShell during targeted intrusions.
The goals of this research were to identify the sources of evidence on disk, in logs, and in memory that result from malicious usage of PowerShell - particularly when it is used to target a remote host. Understanding these artifacts can help reconstruct an attacker's activity during forensic analysis of a compromised system. In addition, they can help analysts recognize which sources of evidence are suitable for proactive monitoring - both on a single system and at scale - to detect PowerShell attacks.
This paper focuses on forensic analysis. It also discusses the Windows security controls intended to limit malicious usage of PowerShell, and states the authors' assumptions regarding an attacker's level of access.