Common Information
Type | Value |
---|---|
Value | Scripting - T1064 |
Category | Attack-Pattern |
Type | Mitre-Enterprise-Attack-Attack-Pattern |
Misp Type | Cluster |
Description | Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell, but scripts could also take the form of command-line batch scripts. Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution to software exploitation through Exploitation for Client Execution; adversaries rely on macros being allowed or on the user accepting the prompt to enable them. Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit), Veil (Citation: Veil), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014) |
Detection | Scripting may be common on admin, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable script execution on a system would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could serve as detection indicators that lead back to the source script. Analyze Office file attachments for potentially malicious macros. Execution of macros may create suspicious process trees depending on what the macro is designed to do. Office processes, such as winword.exe, spawning instances of cmd.exe, script hosts like wscript.exe or powershell.exe, or other suspicious processes may indicate malicious activity. (Citation: Uperesia Malicious Office Documents) |
Platforms | Linux, macOS, Windows |
Data Sources | Process monitoring, File monitoring, Process command-line parameters |
Defense Bypassed | Process whitelisting, Data Execution Prevention, Exploit Prevention |
Permissions Required | User |
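The detection guidance in the entry above (Office processes spawning cmd.exe, wscript.exe or powershell.exe, and monitoring command-line parameters for script execution) as an added example; this is not part of the MISP entry or the ATT&CK text. The process-creation records are constructed here in the shape of Sysmon Event ID 1 fields (ProcessId, ParentImage, Image, CommandLine), and the interpreter list and the powershell.exe switch patterns are this example's own choices, not an exhaustive set.

```python
"""Flag Office-spawned script hosts and evasive PowerShell launches in
process-creation events (added example, not code from the MISP/ATT&CK entry)."""
import ntpath
import re
from typing import Dict, List, Tuple

# Office hosts that should rarely spawn a shell or script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Command shells and script hosts named in the detection guidance (plus mshta/cscript).
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# powershell.exe switches that accompany most malicious one-liners: an encoded
# command, a hidden window, no profile, or an execution-policy bypass.  Each
# alternative must follow a space-separated "-" so "Sort-Object" style cmdlet
# names in the middle of a pipeline do not match.
EVASION_SWITCHES = re.compile(
    r"(?i)(?:^|\s)-(?:"
    r"e(?:c|nc|ncoded(?:c(?:ommand)?)?)?(?=\s)"   # -e / -ec / -enc / -EncodedCommand
    r"|w(?:indowstyle)?\s+hidden"                  # -w hidden / -WindowStyle Hidden
    r"|nop(?:rofile)?(?=\s|$)"                     # -nop / -NoProfile
    r"|e(?:p|xecutionpolicy)\s+bypass"             # -ep bypass / -ExecutionPolicy Bypass
    r")"
)

# Constructed Sysmon-Event-ID-1-style records (hypothetical sample data).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ProcessId": "4120",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ProcessId": "4188",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process | Sort-Object CPU"},
    {"ProcessId": "4302",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "wscript.exe %TEMP%\inv.vbs"'},
    {"ProcessId": "4390",  # benign: Word launching its printing helper
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"ProcessId": "4411",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ep bypass -File C:\Users\Public\update.ps1"},
]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (Sysmon logs the full path)."""
    return ntpath.basename(path).lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    parent, child = image_name(event["ParentImage"]), image_name(event["Image"])
    reasons: List[str] = []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {child}")
    if child in POWERSHELL and EVASION_SWITCHES.search(event.get("CommandLine", "")):
        reasons.append("powershell started with evasion switches")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """(ProcessId, reasons) for every event that triggers at least one rule."""
    hits: List[Tuple[str, List[str]]] = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev["ProcessId"], reasons))
    return hits


if __name__ == "__main__":
    for pid, why in scan(SAMPLE_EVENTS):
        print(pid, "; ".join(why))
```

The parent/child rule is the one the entry describes; the switch rule covers the case where a macro (or a user) launches PowerShell through an intermediate process so the Office parent is no longer visible. On real data, tune OFFICE_PARENTS and SCRIPT_HOSTS to the environment, and keep the original ScriptBlock or file contents alongside the hit, since the entry recommends capturing the script itself to establish intent.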
Details | CTI | Published | Attributes | Title |
---|---|---|---|---|
Details | Website | 2024-11-06 | 0 | DevSecOps: Why Security Can’t Be an Afterthought in SDLC |
Details | Website | 2024-11-06 | 2 | Shells Overview — Tryhackme Walkthrough |
Details | Website | 2024-11-06 | 2 | CVE Alert: CVE-2024-50335 - RedPacket Security |
Details | Website | 2024-11-06 | 0 | Penetration Testing |
Details | Website | 2024-11-06 | 2 | Enhancing Cybersecurity with Scripting: Automating Security for Efficiency and Precision |
Details | Website | 2024-11-06 | 47 | Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest Exploitation Wave | CloudSEK |
Details | Website | 2024-11-05 | 0 | Announcing the New Cloud Exchange 5.1.0 Update |
Details | Website | 2024-11-05 | 3 | Bash Scripting 101: Beginner’s Guide to Getting Started |
Details | Website | 2024-11-05 | 0 | Linux Basics For Hackers: Getting Started with Networking, Scripting, and Security in Kali … |
Details | Website | 2024-11-05 | 0 | Unveiling Memory Forensics: Techniques for Detecting Malware and Threats Across Platforms |
Details | Website | 2024-11-05 | 0 | Tips to Avoid Duplicates or N/A Reports in Bug Bounty Programs |
Details | Website | 2024-11-05 | 3 | Black Basta PowerShell script to establish a Cobalt Strike beacon |
Details | Website | 2024-11-05 | 0 | Memory Scraping Attacks: The Silent Threat to Your Data Security |
Details | Website | 2024-11-05 | 1 | CVE Alert: CVE-2024-51677 - RedPacket Security |
Details | Website | 2024-11-05 | 7 | Weekly Detection Rule (YARA, Snort) Information - Week 1, November 2024 - ASEC (Korean edition) |
Details | Website | 2024-11-05 | 7 | Weekly Detection Rule (YARA and Snort) Information - Week 1, November 2024 - ASEC |
Details | Website | 2024-11-05 | 0 | Mastering Cloud Security with Google Cloud Security Command Center: Comprehensive Guide to Threat… |
Details | Website | 2024-11-05 | 0 | Lesser-Known Tools for Web Bug Bounty Hunting |
Details | Website | 2024-11-05 | 9 | Vulnerabilities Weaponizing — Cross-site Scripting (XSS) |
Details | Website | 2024-11-05 | 1 | CVE Alert: CVE-2024-51681 - RedPacket Security |
Details | Website | 2024-11-05 | 1 | CVE Alert: CVE-2024-51682 - RedPacket Security |
Details | Website | 2024-11-05 | 1 | CVE Alert: CVE-2024-51685 - RedPacket Security |
Details | Website | 2024-11-05 | 1 | CVE Alert: CVE-2024-51678 - RedPacket Security |
Details | Website | 2024-11-05 | 1 | CVE Alert: CVE-2024-51683 - RedPacket Security |
Details | Website | 2024-11-05 | 1 | CVE Alert: CVE-2024-51680 - RedPacket Security |