Script_interpreter — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/script_interpreter/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSun, 28 Jan 2024 12:00:00 +0000Remote File Download via Script Interpreterhttps://feed.craftedsignal.io/briefs/2024-01-28-remote-file-copy-scripts/Sun, 28 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-28-remote-file-copy-scripts/Attackers are using Windows script interpreters (cscript.exe or wscript.exe) to download executable files from remote locations to deliver second-stage payloads or download tools.Attackers commonly use Windows Script Host (WSH) scripts as an initial access method or to download tools and utilities. This involves using built-in Windows script interpreters like cscript.exe or wscript.exe to download executable files from remote destinations. This behavior is significant because it allows attackers to bypass traditional defenses and establish a foothold in the system or download further tools. Defenders should monitor for suspicious network connections initiated by script interpreters followed by the creation of executable files on the system.

Attack Chain

  1. An attacker gains initial access to a Windows system (delivery mechanism not specified in source).
  2. The attacker executes a script using cscript.exe or wscript.exe.
  3. The script interpreter makes an outbound network connection to a remote server.
  4. The remote server hosts a malicious executable file (e.g., .exe, .dll).
  5. The script downloads the malicious executable to the compromised system.
  6. The downloaded file is saved to disk.
  7. The attacker executes the downloaded malicious file to establish persistence or further compromise the system.
  8. The attacker performs additional actions, such as lateral movement or data exfiltration (not detailed in the source).

Impact

Successful exploitation can lead to the installation of malware, unauthorized access to sensitive data, and further compromise of the affected system. This can result in data breaches, financial losses, and reputational damage. The source does not contain specific victim numbers or sectors targeted.

Recommendation

  • Deploy the Sigma rule “Remote File Download via Script Interpreter - File Creation” to your SIEM to detect the creation of executable files after network activity from cscript.exe or wscript.exe.
  • Deploy the Sigma rule “Remote File Download via Script Interpreter - Network Connection” to detect network connections from cscript.exe or wscript.exe.
  • Enable Sysmon Event ID 3 (Network Connection) and Event ID 11 (File Create) for enhanced visibility into network and file activity related to script interpreters.
]]>mediumadvisorycommand-and-controlexecutionwindowsscript_interpreter