Scripting

Description

Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions.

In addition to being a useful tool for developers and administrators, scripting language interpreters may be abused by the adversary to execute code in the target environment. Due to the nature of scripting languages, this allows for weaponized code to be deployed to a target easily, and leaves open the possibility of on-the-fly scripting to perform a task.

Procedure Examples

• APT33 utilized PowerShell scripts to establish command and control and install files for execution.12
• HEXANE utilizes VBA macros and Powershell scripts such as DanDrop and kl.ps1 tools.34
• OilRig has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script.5
• In the version of Triton available at the time of publication, the component that programs the Triconex controllers is written entirely in Python. The modules that implement the communciation protocol and other supporting components are found in a separate file -- library.zip -- which the main script that employs this functionality is compiled into a standalone Windows executable -- trilog.exe -- that includes a Python environment.6
• A Python script seen in Triton communicates using four Python modules—TsBase, TsLow, TsHi, and TS_cnames—that collectively implement the TriStation network protocol (“TS”, via UDP 1502); this is the protocol that the TriStation TS1131 software uses to communicate with Triconex safety PLCs.6

Mitigation

• Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign “roles” based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.7

• These access restrictions should also apply to configuration and systems settings.7

• The ability to make certain changes, alter settings, and run files should be at least protected by basic password authentication. In environments where passwords may be intercepted or sent as plaintext, implement multi-factor authentication to supplement password use.7

• Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.7

• Physical access to systems may allow the adversary to run scripts, if privileged accounts are logged in. Consider enforcing a logoff or timeout policy, consistent with operational needs.7