PowerShellRunBox: Analyzing PowerShell Threats Using PowerShell Debugging

Malicious PowerShell scripts are one of the most prevalent threats these days. There are many APT actors that have used PowerShell as delivery or migration mechanism. Commodity malware has been using PowerShell for a long time too. In many cases, the Office macro malware uses PowerShell script to proceed with their further attacks. MITRE ATT&CK matrix has a good summary of these trends. There are attack kits like PowerShell Empire and PowerSploit that uses PowerShell as main implementation language.

Vulnerability Root Cause Analysis With Time Travel Debugging

There are many ways to find vulnerabilities. One of the most scalable methods is fuzzing. In essence, fuzzing is a brute-forcing. In many cases, malformed input triggers a crash in the program. After you acquire a crash, the next step is understanding the root cause of the crash. Proper RCA (root cause analysis) is essential in understanding the nature of the bug. It helps to determine if the bug is actually an exploitable vulnerability and whether putting additional efforts to develop an exploit for the vulnerability makes sense or not. From the security engineer’s perspective, proper categorization of the vulnerabilities and understanding the nature of bugs is very helpful in establishing their mitigation strategy. Simply put, RCA is the starting point of exploit development and product defense strategy.