The Trickbot malware that targets bank customers. Password harvesters like Mimikatz. "Fileless malware" attacks. All three are popular hacking tools and techniques, but they're unconnected except for one trait: They all rely in part on manipulating a Windows management tool known as PowerShell to carry out their attacks.

Long a point of interest for security researchers, PowerShell techniques increasingly pop up in real-world attacks. Last year, well over a third of the incidents assessed by security firm Carbon Black and its partners involved some sort of PowerShell component. But as network defenders catch on, and as Microsoft releases additional PowerShell protections, the attack sequences that exploit PowerShell are finding some long-overdue resistance.

Shell Shock

A shell is an interface, often a simple command line, for interacting with an operating system. PowerShell specifically also includes a scripting language, and helps system administrators automate tasks across their networks, configure devices, and generally manage a system remotely. A framework like PowerShell has several network security benefits, because it can facilitate tedious but necessary tasks, like pushing updates and configuration improvements across a large number of devices.

But the same qualities that make PowerShell versatile and easy to use—it sends trusted commands to devices throughout a network—also make it an appealing tool for attackers.

When Microsoft first developed PowerShell for release in 2006, it immediately recognized the framework's potential security implications. "We absolutely knew that PowerShell was going to be [appealing]. Attackers have job satisfaction as well," says Lee Holmes, the principal software design engineer for PowerShell and the lead security architect for the Azure Management Group at Microsoft. "But we’ve been laser-focused on PowerShell security since the very first version. We’ve always approached this in the context of larger system security."

Outside observers picked up on those potential pitfalls as well. Companies like Symantec focused on PowerShell's potential ability to directly propagate viruses throughout a network. Before it was even officially released, though, Microsoft took steps to make it much harder for attackers to hijack the framework so directly, through precautions like restricting who could initiate which commands and requiring script signing by default—the process of adding digital signatures to validate that a command is legitimate, so attackers can't simply input anything they want. But while PowerShell's initially limited distribution made it less of a hacker target at first, its popularity exploded after it began shipping standard with Windows 7 in 2009. Microsoft even made it an open source tool as of last year.
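As an added illustration of the signing check described above (this is not code from the article or from Microsoft), the PowerShell commands below, run on a lab machine, sign a script with a throwaway self-signed certificate and show how the signature status changes once the file is modified. The certificate subject, the script path and its contents are assumed for the demonstration.

```powershell
# Added example: how PowerShell's script-signing check behaves.
# Assumes a lab machine where a self-signed code-signing certificate is acceptable.

# 1. Show the execution policy at each scope. Under AllSigned, every script
#    must carry a signature that verifies before PowerShell will run it.
Get-ExecutionPolicy -List

# 2. Create a throwaway code-signing certificate in the current user's store.
#    (Assumed subject name; lab use only.)
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject "CN=LabScriptSigner" `
    -CertStoreLocation Cert:\CurrentUser\My

# 3. Write a small script (assumed path and contents) and sign it.
$script = Join-Path $env:TEMP "inventory.ps1"
'Get-Service | Where-Object Status -eq "Running" | Select-Object -First 5' |
    Set-Content -Path $script
Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null

# 4. Verify. Status is Valid only when the signer chains to a trusted root
#    AND the file is unchanged. A self-signed certificate that has not been
#    placed in Trusted Root / Trusted Publishers reports UnknownError with a
#    message about an untrusted root instead of Valid.
Get-AuthenticodeSignature -FilePath $script |
    Format-List Status, StatusMessage, SignerCertificate

# 5. Modify the signed file and re-check: the stored signature no longer
#    matches the file's hash, so the status becomes HashMismatch and an
#    AllSigned policy refuses to run it.
Add-Content -Path $script -Value 'Write-Output "appended after signing"'
Get-AuthenticodeSignature -FilePath $script | Format-List Status, StatusMessage
```

Note that the execution policy is a safety rail for administrators rather than a security boundary; the signature status shown in steps 4 and 5 is what a defender can audit, for example by checking signer and status on scripts found on endpoints.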

"We will be the first ones to admit the usefulness and power of PowerShell in a positive manner. The ability to perform advanced tasks on Microsoft-based operating systems is a huge leap forward," penetration testers and researchers David Kennedy and Josh Kelley wrote in the first DefCon security conference talk about PowerShell, back in 2010. But "PowerShell also gives hackers a full-fledged programming and scripting language at their disposal on all operating systems by default ... [which] does pose significant security risk."

Domino Effect

Microsoft's security precautions prevented hackers from using PowerShell for total takeovers, but attackers increasingly found that they could use it for certain attack steps, like remotely adjusting the settings on a particular device, or initiating a malicious download, even if they couldn't rely on PowerShell to do everything. For example, the Odinaff hacker group leveraged malicious PowerShell scripts as part of its rash of attacks on banks and other financial institutions last year. And the popular "W97M.Downloader" Microsoft Word macro trojan uses PowerShell tricks as well to spread malware.