In March 2016, security experts warned that PowerShell had been fully weaponised. In the following month, a report confirmed that PowerShell was used to launch 38% of cyber attacks seen by security firm Carbon Black and its partners in 2015.
Now more than 95% of PowerShell scripts analysed by Symantec researchers have been found to be malicious, with 111 threat families using PowerShell.
Malicious PowerShell scripts are on the rise, as attackers are using the framework’s flexibility to download their payloads, traverse a compromised network and carry out reconnaissance, according to Candid Wueest, threat researcher at Symantec.
“This shows that externally sourced PowerShell scripts are a major threat to enterprises,” he wrote in a blog post.
The researchers also found that many targeted attack groups use PowerShell in their attack chain because it provides easy access to all major functions of the Microsoft Windows operating system.
PowerShell is also attractive to attackers because it is installed by default on computers running Windows and leaves few traces for analysis. This is because the framework can execute payloads directly from memory.