https://feed.craftedsignal.io/tags/script-execution/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 15:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-script-execution-via-html-app/Wed, 03 Jan 2024 15:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-script-execution-via-html-app/Detects the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe to bypass defenses by proxying execution of malicious content with signed binaries.This detection identifies the execution of scripts via HTML applications, leveraging Windows utilities like rundll32.exe or mshta.exe. Attackers often use this method to bypass process and signature-based defenses by proxying the execution of malicious content through legitimate, signed binaries. The detection focuses on specific command-line arguments and patterns associated with this technique, while also excluding known legitimate uses by applications such as Citrix System32 (wfshell.exe), Microsoft Access (MSACCESS.EXE), and Quokka.Works (GTInstaller.exe). This technique is used by attackers to execute malicious scripts without directly running them, thus evading traditional security measures. The detection rule analyzes process names, command-line arguments, parent processes, and file paths to identify potentially malicious activity indicative of defense evasion.

Attack Chain

1. An attacker gains initial access through various means (e.g., phishing, drive-by download).
2. The attacker leverages a malicious HTML application (HTA) file or a scriptlet (SCT) file.
3. The attacker uses mshta.exe or rundll32.exe to execute the malicious HTA or SCT file. The command line includes obfuscated or encoded script content.
4. mshta.exe or rundll32.exe process spawns a child process, such as cmd.exe or powershell.exe, to execute further commands.
5. The spawned process executes malicious code, such as downloading and executing a payload.
6. The attacker achieves persistence by modifying registry keys or creating scheduled tasks.
7. The attacker performs lateral movement by exploiting vulnerabilities or using stolen credentials.
8. The final objective is achieved, such as data exfiltration, ransomware deployment, or system compromise.

Impact

Successful exploitation can lead to arbitrary code execution, allowing attackers to compromise the system, steal sensitive data, deploy ransomware, or establish a persistent foothold. Due to the nature of the technique, it can bypass many traditional security measures. The wide adoption of Windows and the inherent trust placed in signed binaries makes this a potent evasion technique. Failure to detect and prevent this attack can lead to significant financial and reputational damage for the targeted organization.

Recommendation

• Deploy the Sigma rule “Script Execution via Microsoft HTML Application” to your SIEM to detect suspicious mshta.exe and rundll32.exe executions. Tune the rule by adding exceptions for known legitimate uses in your environment.
• Enable Sysmon process creation logging (Event ID 1) to ensure the visibility required for the Sigma rules to function correctly.
• Monitor process command lines for suspicious arguments like “script:eval”, “WScript.Shell”, and “mshta http” which are indicative of this technique.
• Implement application control policies to restrict the execution of mshta.exe and rundll32.exe where they are not required for legitimate business purposes.
• Investigate and block any identified malicious HTA files or scriptlet URLs found in the command lines of detected processes.

]]>highadvisorydefense-evasionscript-executionwindowshttps://feed.craftedsignal.io/briefs/2024-01-suspicious-script-execution/Wed, 03 Jan 2024 14:30:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-suspicious-script-execution/Malware may execute scripts from suspicious directories accessible via environment variables using script interpreters like cscript, wscript, mshta, and powershell to evade detection.Attackers may attempt to execute malicious scripts from suspicious directories or folders accessible by environment variables. This technique leverages script interpreters such as cscript.exe, wscript.exe, mshta.exe, and powershell.exe to run scripts from locations like the Temp directory, the Public user folder, or other user profile directories. The use of these locations can help attackers evade detection, as security tools may not thoroughly inspect files executed from these typically benign locations. This activity has been associated with threat actors such as Shuckworm, known to target Ukraine military.

Attack Chain

1. The attacker gains initial access, potentially through phishing or exploiting a software vulnerability.
2. A malicious script is dropped into a suspicious folder such as C:\Users\Public\, %TEMP%, or C:\Users\<username>\AppData\Local\Temp.
3. The attacker uses cscript.exe, wscript.exe, or mshta.exe to execute the dropped script. The command line may contain flags to bypass execution policies (e.g., -ExecutionPolicy bypass) or hide the window (e.g., -w hidden).
4. Alternatively, PowerShell may be invoked with the -ep bypass or -ExecutionPolicy Bypass flags, along with a command to execute the script located in the temporary folder.
5. The script executes, performing malicious actions such as downloading additional payloads, establishing persistence, or exfiltrating data.
6. The script may leverage built-in Windows utilities for further malicious activities.
7. The attacker achieves their objective, such as data theft or system compromise.

Impact

Successful exploitation can lead to a range of damaging outcomes, including system compromise, data theft, and further propagation of malware within the network. Organizations may experience data breaches, financial losses, and reputational damage. The compromise of systems can also disrupt business operations and require extensive recovery efforts.

Recommendation

• Deploy the Sigma rule Script Interpreter Execution From Suspicious Folder to your SIEM to detect suspicious script executions.
• Monitor process creation events with a focus on script interpreters (cscript.exe, wscript.exe, mshta.exe, powershell.exe) executing from suspicious directories, using the logsource and detection sections of the Sigma rule as a guide.
• Tune the filters in the Sigma rule based on your environment to reduce false positives, as described in the falsepositives section.
• Review and block any observed malicious command lines containing flags like -ep bypass, -ExecutionPolicy bypass, or -w hidden, as detailed in the selection_proc_flags section of the Sigma rule.

]]>highadvisoryexecutionscript-executionmalware