|Data Sources||Command: Command Execution, Module: Module Load, Process: Process Creation, Script: Script Execution|
Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions.
In addition to being a useful tool for developers and administrators, scripting language interpreters may be abused by the adversary to execute code in the target environment. Due to the nature of scripting languages, this allows for weaponized code to be deployed to a target easily, and leaves open the possibility of on-the-fly scripting to perform a task.
- APT33 utilized PowerShell scripts to establish command and control and install files for execution.12
- Dragonfly 2.0 deleted indicators on staging and target devices by uninstalling software, removing event logs, batch scripts, screenshots, registry keys, documents, and tools they brought into the target networks.3
- HEXANE utilizes VBA macros and Powershell scripts such as DanDrop and kl.ps1 tools.45
- OilRig has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script.6
- Sandworm Team utilized VBS and batch scripts for file movement and as wrappers for PowerShell execution.7
- Triton communicates with Triconex controllers using a custom component framework written entirely in Python. The modules that implement the TriStation communication protocol and other supporting components are found in a separate file -- library.zip -- the main script that employs this functionality is compiled into a standalone py2exe Windows executable -- trilog.exe – which includes a Python environment.9
- Application Isolation and Sandboxing - Consider the use of application isolation and sandboxing to restrict specific operating system interactions such as access through user accounts, services, system calls, registry, and network access. This may be even more useful in cases where the source of the executed script is unknown.
- Disable or Remove Feature or Program - Consider removal or disabling of programs and features which may be used to run malicious scripts (e.g., scripting language IDEs, PowerShell, visual studio).
- Execution Prevention - Execution prevention may prevent malicious scripts from accessing protected resources.
- Symantec. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved December 2, 2019.
- Dragos. (n.d.). Magnallium. Retrieved October 27, 2019.
- Cybersecurity & Infrastructure Security Agency. (2018, March 15). Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved October 11, 2019.
- Ionut Arghire. (2019, August 28). Researchers Analyze Tools Used by 'Hexane' Attackers Against Industrial Firms. Retrieved January 3, 2020.
- Jeffery Burt. (2019, August 30). Lyceum APT Group a Fresh Threat to Oil and Gas Companies. Retrieved January 3, 2020.
- Robert Falcone, Bryan Lee. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved November 19, 2019.
- Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.
- Tom Fakterman. (2019, August 05). Sodinokibi: The Crown Prince of Ransomware. Retrieved April 12, 2021.
- DHS CISA. (2019, February 27). MAR-17-352-01 HatMan—Safety System Targeted Malware (Update B). Retrieved March 8, 2019.