{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.t1059/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["attack.execution","attack.t1059"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers often leverage script interpreters like cscript.exe, wscript.exe, mshta.exe, and powershell.exe to execute malicious code. This activity becomes more suspicious when these interpreters are launched from directories referenced by environment variables commonly associated with temporary storage, such as %TEMP%, %PUBLIC%, or within user profile directories like Favorites or Contacts. This behavior is often indicative of malware attempting to evade detection by residing in locations less scrutinized by security tools. Such techniques are employed to execute malicious scripts downloaded from the internet or dropped by other malware components.\nThis behavior has been linked to threat actors such as Shuckworm, known for targeting Ukraine with military-themed lures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user downloads a malicious file (e.g., a document or executable) from the internet or receives it via email.\u003c/li\u003e\n\u003cli\u003eThe malicious file, upon execution, drops a script file (e.g., VBScript, JavaScript, PowerShell script) into a temporary directory like C:\\Users\\Public\\ or C:\\Users\\\u0026lt;username\u0026gt;\\AppData\\Local\\Temp.\u003c/li\u003e\n\u003cli\u003eThe dropped script uses obfuscation and/or encoding techniques to avoid static analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script interpreter (cscript.exe, wscript.exe, mshta.exe, powershell.exe) to run the malicious script from the temporary directory. The command line often includes bypass flags such as \u003ccode\u003e-ExecutionPolicy Bypass\u003c/code\u003e or \u003ccode\u003e-w hidden\u003c/code\u003e to evade security controls.\u003c/li\u003e\n\u003cli\u003eThe script interpreter executes the malicious code, which may involve downloading additional payloads, establishing persistence, or performing lateral movement.\u003c/li\u003e\n\u003cli\u003eThe malicious script may establish persistence, for example by adding a registry Run key or creating a scheduled task.\u003c/li\u003e\n\u003cli\u003eThe script may attempt to connect to command-and-control (C2) servers to receive further instructions and exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective may include data theft, system compromise, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code, system compromise, and data exfiltration.\nDepending on the attacker\u0026rsquo;s objectives, the impact can range from data theft to full system control and ransomware deployment. The exploitation of scripting engines can bypass application control policies and other security measures, leading to widespread infection and significant disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Script Interpreter Execution From Suspicious Folder\u0026rdquo; to your SIEM to detect suspicious script execution from temporary directories.\u003c/li\u003e\n\u003cli\u003eReview and tune the filters in the Sigma rule for your environment to reduce false positives, especially those related to software installation processes.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to provide the data the Sigma rule needs to function effectively.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell execution policies and restrict script execution to signed scripts only to prevent the execution of unsigned malicious scripts.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of script interpreters from untrusted locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-susp-script-exec/","summary":"Adversaries may execute script interpreters such as cscript, wscript, mshta, or powershell from suspicious directories accessible via environment variables to evade detection and execute malicious scripts.","title":"Suspicious Script Interpreter Execution from Environment Variable Folders","url":"https://feed.craftedsignal.io/briefs/2024-01-susp-script-exec/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.t1059","version":"https://jsonfeed.org/version/1.1"}