Legitimate Application Dropped Script Detection
This brief describes the detection of Living Off The Land Binaries (LOLBINs) and legitimate Windows applications being abused to drop various script files to disk, indicating malware staging or script-based code execution attempts.
This threat brief focuses on a specific technique observed in various attack campaigns where adversaries leverage legitimate Windows applications or Living Off The Land Binaries (LOLBINs) to drop malicious script files onto a compromised system. This technique, often part of the stealth and execution phases of an attack, allows attackers to bypass traditional security controls that might flag direct execution of unknown scripts or executables. The detected behavior involves trusted binaries like certutil.exe, mshta.exe, eqnedt32.exe, or Adobe Acrobat Reader (AcroRd32.exe) creating script files such as .ps1, .vbs, .hta, or .bat. This abuse signifies malware staging, preparation for further execution, or direct command and control activity. Early detection of such activity is crucial as it can indicate an attacker's presence before more overt malicious actions occur.
Attack Chain
The provided source describes a specific detection pattern rather than a multi-stage attack chain. It identifies the misuse of legitimate applications and LOLBINs (e.g., certutil.exe, mshta.exe) to drop script files (e.g., .ps1, .vbs, .hta) onto the disk. This activity typically occurs as an intermediate step within a broader attack, often following initial access and preceding execution or persistence. Therefore, a complete 6-8 step attack chain from initial access to impact cannot be constructed solely from this detection-focused intelligence. This technique itself is a component of execution or defense evasion within a larger adversary's operational framework.
Impact
If this technique goes undetected, it can have severe consequences for an organization. The successful dropping of malicious scripts often signifies an imminent threat, as these scripts are typically used to establish persistence, download additional malware (like ransomware or infostealers), exfiltrate sensitive data, or move laterally within the network. Failure to detect this activity can lead to full system compromise, data breaches, significant financial losses due to ransomware, and reputational damage. While the specific impact depends on the nature of the dropped script, the act of a trusted binary creating an unexpected script is a high-fidelity indicator of malicious intent.
Recommendation
- Deploy the Sigma rule provided in this brief to your SIEM/EDR solution and ensure it is tuned for your environment.
- Enable comprehensive file event logging (e.g., Sysmon Event ID 11 or similar EDR capabilities) on all Windows endpoints to capture
ImageandTargetFilenamevalues necessary for this detection. - Investigate all alerts generated by the "Legitimate Application Dropped Script" rule promptly, as they indicate highly suspicious activity.
- Review and baseline legitimate uses of the applications and file types listed in the detection section (e.g.,
certutil.exe,.ps1files) to reduce false positives in your environment.
Detection coverage 1
Legitimate Application Dropped Script
highDetects LOLBINs and legitimate applications that should not legitimately drop script files to disk, indicating malware staging or abuse for script-based code execution.
Detection queries are available on the platform. Get full rules →