Command and Scripting Interpreter: - MITRE ATT&CK® VBScript is a default scripting language on Windows hosts and can also be used in place of JavaScript on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).[5] Adversaries may use VB payloads to execute malicious commands.
AsyncRAT Distributed via WSF Script_Dec 06 2023 Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.
MITRE ATT&CK CoA - T1059 - Command and Scripting Interpreter The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
Signed Scripts Proxy Execution - T1216 | Praetorian Many organizations trust all signed code from Microsoft. Unfortunately, there are many ways in which attackers can use this trust against them. Previously, we covered using signed binaries to perform malicious activities. In this post, we will be covering how to use signed scripts.
Windows: Potential Manage-bde.wsf Abuse To Proxy Execution Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution. This rule is adapted from https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml
STARWHALE, Software S1037 | MITRE ATT&CK® STARWHALE is a Windows Script File (WSF) backdoor that has been used by MuddyWater, possibly since at least November 2021; there is also a STARWHALE variant written in Golang with similar capabilities.