Endpoint Security

Windows 10 Can Detect PowerShell Attacks: Microsoft

Windows 10 can detect suspicious PowerShell activities, code injection, and malicious documents, including attacks where a process connects to a web server and starts dropping and launching an app, Microsoft says.

The functionality is integrated into Windows Defender Advanced Threat Protection (Windows Defender ATP), which was released alongside the Windows 10 Creators Update and is built into the core of Windows 10 Enterprise. The security software is also set to receive a series of enhancements in the Fall Creators Update. Courtesy of endpoint sensors built into Windows 10, along with machine learning technologies, Windows Defender ATP relies on a generic stream of behavioral events to improve detection, the tech giant says.

According to Microsoft, a process’ behavior is defined “not only by its own actions but also by the actions of descendant processes and other related processes,” and many of the actions associated with process execution are usually performed by other processes (injected with malicious code) when malware is involved. Thus, Windows Defender ATP incorporates process behavior trees, being able to analyze the actions and behaviors of a process and its descendants, related either through process creation or memory injection.

The use of machine learning helps Windows Defender ATP “generically detect all kinds of advanced attack methods,” and the same technologies are also effective in detecting attacks involving PowerShell scripts, code injection, and polymorphic documents that launch malicious code, the company explains in a blog post.

One malicious use of PowerShell is to perform tasks without introducing malicious binaries, which signature-based sensors could otherwise detect. Because payloads stored in scripts are easier to maintain and modify, PowerShell can prove attractive to malware creators. Leveraging machine learning, Windows Defender ATP can detect suspicious PowerShell behaviors, including those abused in fileless attacks, Microsoft claims.

To remain stealthy, malware such as Kovter also uses in-memory attack methods, thus evading signature-based scanners. For in-memory persistence, it relies on PowerShell scripts that inject malicious code into other processes. Last month, however, Microsoft explained how Windows 10 enhancements provide protections against code injection attacks, including those used by Kovter and Dridex.

The company now says that documents with malicious macros that trigger suspicious PowerShell and Microsoft Word behaviors are also on Windows Defender ATP’s radar. “ML detects this attack method based on behavior signals available only at the time of execution. In contrast, most signature-based technologies are unable to stop this method, which uses the normal processes PowerShell.exe and Winword.exe. Documents themselves are also generally easy to alter for polymorphism,” Microsoft explains.

Windows 10, the tech giant says, can also detect suspicious documents used by Chanitor (also known as Hancitor). All of these security improvements are possible because the company’s tools take advantage of behavior data, collected via sensors built into Windows 10 and converted by Windows Defender ATP into sets of components or features fed to machine learning technologies like process behavior trees.
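To make the process behavior tree idea concrete, here is an added illustration (not Microsoft's code, and not how Windows Defender ATP is implemented) that builds a tree from constructed endpoint events, linking processes through both creation and memory injection, and then flags the two behaviors the article describes: an Office host spawning PowerShell, and a tree that connects out, drops a file and launches it. The event schema, process names and addresses are all assumptions made up for the sample.

```python
from collections import defaultdict
from ntpath import basename
# Constructed sample telemetry, not real Windows Defender ATP events.
EVENTS = [
    {"type": "create", "pid": 100, "parent": 0, "image": "explorer.exe"},
    {"type": "create", "pid": 200, "parent": 100, "image": "WINWORD.EXE"},
    {"type": "create", "pid": 300, "parent": 200, "image": "powershell.exe"},
    {"type": "netconn", "pid": 300, "dest": "198.51.100.7:443"},
    {"type": "filewrite", "pid": 300, "path": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"type": "create", "pid": 400, "parent": 300, "image": "upd.exe"},
    {"type": "inject", "pid": 400, "target": 500},  # injection links 500 into 400's tree
    {"type": "create", "pid": 500, "parent": 1, "image": "svchost.exe"},
    {"type": "netconn", "pid": 500, "dest": "203.0.113.9:80"},
    {"type": "create", "pid": 600, "parent": 100, "image": "powershell.exe"},  # benign admin use
]
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}

def build_tree(events):
    # Relate pids through process creation and memory injection alike.
    children, image = defaultdict(set), {}
    for e in events:
        if e["type"] == "create":
            image[e["pid"]] = e["image"].lower()
            children[e["parent"]].add(e["pid"])
        elif e["type"] == "inject":
            children[e["pid"]].add(e["target"])
    return children, image
def tree(children, pid):
    # pid plus every process reachable from it in the behavior tree.
    seen, stack = set(), [pid]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p); stack.extend(children[p])
    return seen
def drops_and_launches(events, pids, image):
    # The tree connected out, wrote a file, and a process with that file name ran.
    net = any(e["type"] == "netconn" and e["pid"] in pids for e in events)
    written = {basename(e["path"]).lower() for e in events if e["type"] == "filewrite" and e["pid"] in pids}
    return net and bool(written & {image.get(p) for p in pids})
def suspicious(events):
    # Return {pid: rule} for the lowest process whose tree completes a rule.
    children, image = build_tree(events); hits = {}
    for pid, img in image.items():
        if img in OFFICE and any(image.get(c) == "powershell.exe" for c in children[pid]):
            hits[pid] = "office-spawns-powershell"
        elif drops_and_launches(events, tree(children, pid), image) and not any(
                drops_and_launches(events, tree(children, c), image) for c in children[pid]):
            hits[pid] = "net-drop-launch"
    return hits
```

Because pid 400's injection into svchost.exe is treated like a parent-child link, network activity from the injected process is attributed to the PowerShell tree that started the chain, while the unrelated PowerShell instance (pid 600) stays clean.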

“The upcoming Fall Creators Update will integrate Windows Defender ATP closely with the rest of the Windows threat protection stack, transforming it into a comprehensive pre- and post-breach protection solution that enables enterprise customers to not only detect and respond to threats on their devices and networks but also to deliver proactive protection,” Microsoft notes.

Related: Windows 10 Boosts Protections Against Code Injection Attacks

Related: Microsoft to Make EMET Native to Windows 10

Related: Microsoft Unveils Windows Defender Security Center

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
