Proxied Execution via Signed Scripts
Signed scripts such as PubPrn.vbs can be used to proxy execution from a remote site while bypassing signature validation restrictions and potentially application whitelisting.
| id: | 0d62a884-1052-44d0-a76c-1f4845e348d2 |
|---|---|
| categories: | enrich |
| confidence: | low |
| os: | windows |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping
| tactics: | Defense Evasion, Execution |
|---|---|
| techniques: | T1216 Signed Script Proxy Execution |
Query
```
process where subtype.create and
  process_name in ("cscript.exe", "wscript.exe") and
  command_line == "* *.vbs* *script:http*"
```
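
The query's three conditions applied to constructed process-creation events, as an added Python example that is not part of the original analytic. It assumes `*` matches any run of characters and that string comparison is case-insensitive; the event dictionaries, `make_event`, `triage` and the `example.test` host are hypothetical.

```python
import re

# Values taken from the query on this page.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
CMDLINE_PATTERN = "* *.vbs* *script:http*"

def wildcard_to_regex(pattern):
    """Turn a '*' wildcard pattern into an anchored, case-insensitive regex."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)

CMDLINE_RE = wildcard_to_regex(CMDLINE_PATTERN)

def matches(event):
    """True when a process event satisfies every condition of the query."""
    return (
        event.get("event_type") == "process"
        and event.get("subtype") == "create"
        and event.get("process_name", "").lower() in SCRIPT_HOSTS
        and CMDLINE_RE.match(event.get("command_line", "")) is not None
    )

def make_event(process_name, command_line, subtype="create"):
    """Build a constructed process event (hypothetical helper for the samples)."""
    return {"event_type": "process", "subtype": subtype,
            "process_name": process_name, "command_line": command_line}

PUBPRN = r"C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs"
REMOTE = f"cscript.exe {PUBPRN} 127.0.0.1 script:https://example.test/placeholder"
# Constructed sample events, not real telemetry; example.test is a placeholder.
SAMPLES = {
    "remote_moniker": make_event("cscript.exe", REMOTE),
    "mixed_case": make_event("WScript.exe", f"WSCRIPT.EXE {PUBPRN.upper()} localhost SCRIPT:HTTP://example.test/placeholder"),
    "local_script": make_event("cscript.exe", r"cscript.exe C:\Scripts\inventory.vbs /quiet"),
    "terminate": make_event("cscript.exe", REMOTE, subtype="terminate"),
}

def triage(events):
    """Return the names of the sample events the analytic would flag."""
    return sorted(name for name, ev in events.items() if matches(ev))

if __name__ == "__main__":
    print(triage(SAMPLES))
```

The `local_script` sample shows that ordinary administrative use of a `.vbs` file is not flagged; only a command line that also carries a `script:http` argument after the script path matches.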