T1216 - System Script Proxy Execution

Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files.(Citation: LOLBAS Project) This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)

Atomic Tests

Atomic Test #1 - SyncAppvPublishingServer Signed Script PowerShell Command Execution

Executes the signed SyncAppvPublishingServer script with options to execute an arbitrary PowerShell command. Upon execution, calc.exe will be launched.

Supported Platforms: windows

Attack Commands: Run with command_prompt

C:\windows\system32\SyncAppvPublishingServer.vbs "\n;Start-Process calc"
Invoke-AtomicTest T1216 -TestNumbers 1

Atomic Test #2 - manage-bde.wsf Signed Script Command Execution

Executes the signed manage-bde.wsf script with options to execute an arbitrary command.

Supported Platforms: windows

Attack Commands: Run with command_prompt

set comspec=%windir%\System32\calc.exe
cscript %windir%\System32\manage-bde.wsf
Invoke-AtomicTest T1216 -TestNumbers 2

Cleanup:

set comspec=%windir%\System32\cmd.exe
Invoke-AtomicTest T1216 -TestNumbers 2 -Cleanup

Detection

Monitor script processes, such as cscript, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.
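The monitoring described above, run over constructed Sysmon-style process-creation events, as an added example that is not part of the Atomic Red Team page: it flags a script host running one of the signed scripts named here, a statement separator smuggled into the SyncAppvPublishingServer.vbs argument (Test #1), and a non-cmd.exe child of manage-bde.wsf (the ComSpec redirection of Test #2). The field names follow Sysmon Event ID 1; the sample events, including the benign slmgr.vbs run, are constructed.

```python
# Flag signed-script proxy execution in Sysmon-style process-creation events.
# Sample events are constructed (not real telemetry) and mirror Sysmon Event ID 1 fields.
import re

SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")
# Signed scripts named on this page; extend the tuple from the LOLBAS project list.
PROXY_SCRIPTS = ("syncappvpublishingserver.vbs", "manage-bde.wsf", "pubprn.vbs")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of findings for one event (empty list = nothing seen)."""
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    parent = basename(event.get("ParentImage", ""))
    parent_cmd = event.get("ParentCommandLine", "").lower()
    findings = []
    script = next((s for s in PROXY_SCRIPTS if s in cmd.lower()), None)
    if image in SCRIPT_HOSTS and script:
        findings.append(f"{image} running signed proxy script {script}")
        # Test #1 smuggles a PowerShell statement after a ';' (or a newline) in
        # the script's argument; a statement separator there is the injection.
        if script == "syncappvpublishingserver.vbs" and re.search(r";|\\n|\n", cmd):
            findings.append("statement separator in argument (PowerShell injection)")
    # manage-bde.wsf launches %ComSpec%; a child other than cmd.exe means the
    # variable was redirected, which is exactly what Test #2 does.
    if parent in SCRIPT_HOSTS and "manage-bde.wsf" in parent_cmd and image != "cmd.exe":
        findings.append(f"manage-bde.wsf spawned {image} instead of cmd.exe (ComSpec hijack)")
    return findings

def scan(events):
    """Return [(index, findings)] for every event that produced a finding."""
    return [(i, f) for i, f in ((i, classify(e)) for i, e in enumerate(events)) if f]

# Constructed sample telemetry: a benign admin script, then the two atomic tests.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cscript.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cscript "C:\Windows\System32\slmgr.vbs" /dli', "ParentCommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wscript "C:\windows\system32\SyncAppvPublishingServer.vbs" "\n;Start-Process calc"',
     "ParentCommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\calc.exe", "CommandLine": "calc.exe",
     "ParentImage": r"C:\Windows\System32\cscript.exe",
     "ParentCommandLine": r"cscript C:\Windows\System32\manage-bde.wsf"},
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(index, "; ".join(findings))
```

Sysmon does not record environment variables, so the ComSpec redirection is only visible through the parent/child relationship, which is why the check keys on the parent command line rather than on `set comspec`.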

Shield Active Defense

Behavioral Analytics

Deploy tools that detect unusual system or user behavior.

Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system.

Opportunity

There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors.

Use Case

A defender can look for anomalies in how commands are being executed on a system. This can expose potentially malicious activity.

Procedures

Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file. Use behavioral analytics to identify a system that runs development tools but is not used by someone who does development. Use behavioral analytics to identify abnormal system processes being used to launch a different process.