{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.",
  "feed_url": "https://feed.craftedsignal.io/tags/script-execution/",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_products": ["Windows", "Citrix System32", "MSACCESS.EXE", "GTInstaller", "Elastic Defend", "SentinelOne Cloud Funnel", "Microsoft Defender XDR", "Crowdstrike FDR", "Elastic Endgame"],
      "_cs_severities": ["high"],
      "_cs_tags": ["defense-evasion", "script-execution", "windows"],
      "_cs_type": "advisory",
      "_cs_vendors": ["Microsoft", "Citrix", "Quokka.Works", "Elastic", "SentinelOne", "Crowdstrike"],
      "content_html": "\u003cp\u003eThis detection identifies the execution of scripts via HTML applications, leveraging Windows utilities like \u003ccode\u003erundll32.exe\u003c/code\u003e or \u003ccode\u003emshta.exe\u003c/code\u003e. Attackers often use this method to bypass process and signature-based defenses by proxying the execution of malicious content through legitimate, signed binaries. The detection focuses on specific command-line arguments and patterns associated with this technique, while also excluding known legitimate uses by applications such as Citrix System32 (\u003ccode\u003ewfshell.exe\u003c/code\u003e), Microsoft Access (\u003ccode\u003eMSACCESS.EXE\u003c/code\u003e), and Quokka.Works (\u003ccode\u003eGTInstaller.exe\u003c/code\u003e). This technique is used by attackers to execute malicious scripts without directly running them, thus evading traditional security measures. The detection rule analyzes process names, command-line arguments, parent processes, and file paths to identify potentially malicious activity indicative of defense evasion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through various means (e.g., phishing, drive-by download).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a malicious HTML application (HTA) file or a scriptlet (SCT) file.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003emshta.exe\u003c/code\u003e or \u003ccode\u003erundll32.exe\u003c/code\u003e to execute the malicious HTA or SCT file. The command line includes obfuscated or encoded script content.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emshta.exe\u003c/code\u003e or \u003ccode\u003erundll32.exe\u003c/code\u003e process spawns a child process, such as \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e, to execute further commands.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes malicious code, such as downloading and executing a payload.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by modifying registry keys or creating scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement by exploiting vulnerabilities or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe final objective is achieved, such as data exfiltration, ransomware deployment, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to compromise the system, steal sensitive data, deploy ransomware, or establish a persistent foothold. Due to the nature of the technique, it can bypass many traditional security measures. The wide adoption of Windows and the inherent trust placed in signed binaries make this a potent evasion technique. Failure to detect and prevent this attack can lead to significant financial and reputational damage for the targeted organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Script Execution via Microsoft HTML Application\u0026rdquo; to your SIEM to detect suspicious \u003ccode\u003emshta.exe\u003c/code\u003e and \u003ccode\u003erundll32.exe\u003c/code\u003e executions. Tune the rule by adding exceptions for known legitimate uses in your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the visibility required for the Sigma rules to function correctly.\u003c/li\u003e\n\u003cli\u003eMonitor process command lines for suspicious arguments like \u0026ldquo;script:eval\u0026rdquo;, \u0026ldquo;WScript.Shell\u0026rdquo;, and \u0026ldquo;mshta http\u0026rdquo;, which are indicative of this technique.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of \u003ccode\u003emshta.exe\u003c/code\u003e and \u003ccode\u003erundll32.exe\u003c/code\u003e where they are not required for legitimate business purposes.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any identified malicious HTA files or scriptlet URLs found in the command lines of detected processes.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2024-01-03T15:00:00Z",
      "date_published": "2024-01-03T15:00:00Z",
      "id": "/briefs/2024-01-script-execution-via-html-app/",
      "summary": "Detects the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe to bypass defenses by proxying execution of malicious content with signed binaries.",
      "title": "Script Execution via Microsoft HTML Application",
      "url": "https://feed.craftedsignal.io/briefs/2024-01-script-execution-via-html-app/"
    },
    {
      "_cs_actors": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_products": ["Windows"],
      "_cs_severities": ["high"],
      "_cs_tags": ["execution", "script-execution", "malware"],
      "_cs_type": "advisory",
      "_cs_vendors": ["Microsoft"],
      "content_html": "\u003cp\u003eAttackers may attempt to execute malicious scripts from suspicious directories or folders accessible by environment variables. This technique leverages script interpreters such as \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, and \u003ccode\u003epowershell.exe\u003c/code\u003e to run scripts from locations like the Temp directory, the Public user folder, or other user profile directories. The use of these locations can help attackers evade detection, as security tools may not thoroughly inspect files executed from these typically benign locations. This activity has been associated with threat actors such as Shuckworm, known to target the Ukrainian military.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eA malicious script is dropped into a suspicious folder such as \u003ccode\u003eC:\\Users\\Public\\\u003c/code\u003e, \u003ccode\u003e%TEMP%\u003c/code\u003e, or \u003ccode\u003eC:\\Users\\\u0026lt;username\u0026gt;\\AppData\\Local\\Temp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, or \u003ccode\u003emshta.exe\u003c/code\u003e to execute the dropped script. The command line may contain flags to bypass execution policies (e.g., \u003ccode\u003e-ExecutionPolicy bypass\u003c/code\u003e) or hide the window (e.g., \u003ccode\u003e-w hidden\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAlternatively, PowerShell may be invoked with the \u003ccode\u003e-ep bypass\u003c/code\u003e or \u003ccode\u003e-ExecutionPolicy Bypass\u003c/code\u003e flags, along with a command to execute the script located in the temporary folder.\u003c/li\u003e\n\u003cli\u003eThe script executes, performing malicious actions such as downloading additional payloads, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe script may leverage built-in Windows utilities for further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a range of damaging outcomes, including system compromise, data theft, and further propagation of malware within the network. Organizations may experience data breaches, financial losses, and reputational damage. The compromise of systems can also disrupt business operations and require extensive recovery efforts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eScript Interpreter Execution From Suspicious Folder\u003c/code\u003e to your SIEM to detect suspicious script executions.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events with a focus on script interpreters (\u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) executing from suspicious directories, using the \u003ccode\u003elogsource\u003c/code\u003e and \u003ccode\u003edetection\u003c/code\u003e sections of the Sigma rule as a guide.\u003c/li\u003e\n\u003cli\u003eTune the filters in the Sigma rule based on your environment to reduce false positives, as described in the \u003ccode\u003efalsepositives\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eReview and block any observed malicious command lines containing flags like \u003ccode\u003e-ep bypass\u003c/code\u003e, \u003ccode\u003e-ExecutionPolicy bypass\u003c/code\u003e, or \u003ccode\u003e-w hidden\u003c/code\u003e, as detailed in the \u003ccode\u003eselection_proc_flags\u003c/code\u003e section of the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2024-01-03T14:30:00Z",
      "date_published": "2024-01-03T14:30:00Z",
      "id": "/briefs/2024-01-suspicious-script-execution/",
      "summary": "Malware may execute scripts from suspicious directories accessible via environment variables using script interpreters like cscript, wscript, mshta, and powershell to evade detection.",
      "title": "Suspicious Script Interpreter Execution from Environment Variable Folders",
      "url": "https://feed.craftedsignal.io/briefs/2024-01-suspicious-script-execution/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — Script-Execution",
  "version": "https://jsonfeed.org/version/1.1"
}