|Tactic||Defense Evasion, Execution|
|Platform||Linux, macOS, Windows|
|Data Sources||Process monitoring, File monitoring, Process command-line parameters|
|Defense Bypassed||Process whitelisting|
Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.
Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit1, Veil2, and PowerSploit3 are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell.4
- APT1 has used batch scripting to automate execution of commands.5
- APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke, as well as to evade defenses.67
- APT3 has used PowerShell on victim systems to download and run payloads after exploitation.8
- APT34 has used .bat and .vbs scripts for execution.9
- BRONZE BUTLER has used VBS, VBE, and batch scripts for execution.10
- Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.4
- Dragonfly used various scripts for execution, and was observed installing Python 2.7 on a victim.11
- FIN10 has executed malicious .bat files containing PowerShell commands.12
- FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.13
- FIN6 has used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener. FIN6 has also used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.14
- Gamaredon Group has used various batch scripts to establish C2, download additional files, and conduct other functions.15
- Magic Hound malware has used .vbs scripts for execution.16
- OilRig has used various types of scripting for execution, including.17
- Stealth Falcon malware uses PowerShell and WMI to script data collection and command execution on the victim.18
- Cobalt Strike can use PowerSploit or other scripting frameworks to perform execution.19
- One version of Helminth consists of VBScript and PowerShell scripts. The malware also uses batch scripting.20
- MoonWind uses batch scripts for various purposes, including to restart and uninstall itself.21
- SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket.6
Turn off unused features or restrict access to scripting engines such as VBScript or scriptable administration frameworks such as PowerShell.
Scripting may be common on admin, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
- Metasploit. (n.d.). Retrieved December 4, 2014.
- Veil Framework. (n.d.). Retrieved December 4, 2014.
- PowerSploit. (n.d.). Retrieved December 4, 2014.
- Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
- Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
- Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
- Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
- Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
- US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
- FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
- Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
- FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
- Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
- Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018.
- Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
- Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
- Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.