One Article Review

Home - The article:
Source FireEye
Identifier 4593805
Publication date 2021-11-02 18:48:08 (viewed: 2022-05-13 21:47:31)
Title Going To Ground with The Windows Scripting Host (WSH)
Text About a month ago, I was involved in an investigation that revealed a targeted attacker using an interesting variation of a well-known persistence mechanism - a technique that is relevant both to incident responders hunting for evil and penetration testers looking to add post-exploitation methods to their toolkit. Today, I'm going to talk about this persistence mechanism and discuss some ways you might go about identifying it in your environment.

I think that the majority of folks reading this blog have encountered malware that maintains persistence via the startup folder. The startup folder is a directory that may contain binaries, scripts or shortcut files. A folder exists for each user on the system as well as for "all users." On Windows 7, for example, the Administrator startup folder resides at "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup". When a user successfully authenticates, Windows will attempt to execute any binary, run any script, or follow and execute any shortcut that is present within that user's startup folder. If scripts or applications are placed in the "all users" startup folder, these will be executed shortly after the system boots.

I often see the startup folder used legitimately to execute maintenance scripts written in Visual Basic or in Microsoft's batch scripting language. I also frequently see that applications install shortcut, or LNK, files within the startup folder that point to applications on disk. Malicious use of this directory, however, is most often associated with commodity malware - often accomplished by dropping an executable into the startup folder. I've also seen a few variants of commodity malware that install a LNK file in the startup folder and deploy an EXE into a directory that the user can write to, like "C:\users\<username>\local settings\temp". LNK files contain several kinds of useful metadata, but for today's purposes we're interested in LNK files as pointers to other files.
In this recent case, we identified a novel technique that indirectly loads malicious scripts by means of LNK files in a user's start-up folder. The LNK file was designed to invoke the Windows Scripting Host (WSH). The WSH comes in both a GUI version, "wscript.exe", and a command-line version, "cscript.exe". The WSH can interpret Visual Basic scripts, commonly denoted by the file extension ".vbs", and JScript files (Microsoft's implementation of JavaScript), commonly denoted by the file extension ".js". The malicious LNK file invoked "wscript.exe" to interpret a JScript file stored within a specific user's profile. Here's a cleaned-up excerpt parsed from the LNK file using lnk-parser, depicting the relative path to the WSH (in yellow) and an argument (in green) which points to a JScript file:

The JScript we found used an ActiveXObject object to create an instance of Internet Explorer and open a URL hosted by a code-sharing cloud service. Here's what that looks like:

This script connected to a remote system that provided command and control (C2) functionality, which included collecting system information from the infected machine and providing the attacker with the ability to execute commands via the command console, "cmd.exe". During analysis of the affected system, we found significant evidence in URL History for the Internet Explorer browser that depicted requests to the malicious URL
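The LNK excerpt above is what lnk-parser produced; as an added example (not FireEye's code and not lnk-parser's), the following Python reads the RelativePath and Arguments StringData fields straight out of a shortcut file per the MS-SHLLINK layout and flags the pattern described here: a target ending in wscript.exe or cscript.exe with a script under a user profile passed as the argument. The sample shortcut is constructed in memory by `build_lnk` (a helper written for this example) so it runs offline; the victim path in it is a placeholder, not an indicator from the case.

```python
import re
import struct

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader (section 2.1.1).
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))   # StringData order
WSH_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")

def build_lnk(relative_path, arguments):
    """Constructed sample: a minimal LNK holding only a header and two StringData fields."""
    header = bytearray(76)
    struct.pack_into("<I", header, 0, 76)                              # HeaderSize
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID
    struct.pack_into("<I", header, 20, 0x08 | 0x20 | IS_UNICODE)       # RelativePath, Arguments, Unicode
    body = b""
    for text in (relative_path, arguments):   # each field: CountCharacters then UTF-16LE chars
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return bytes(header) + body

def parse_lnk(data):
    """Return the StringData fields of a LNK, skipping the optional IDList and LinkInfo blocks."""
    header_size, flags = struct.unpack_from("<I", data, 0)[0], struct.unpack_from("<I", data, 20)[0]
    pos = header_size
    if flags & HAS_ID_LIST:                      # LinkTargetIDList: 2-byte size, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            size = count * (2 if flags & IS_UNICODE else 1)
            fields[name] = data[pos + 2:pos + 2 + size].decode("utf-16-le" if flags & IS_UNICODE else "cp1252")
            pos += 2 + size
    return fields

def wsh_indicators(fields):
    """List why a parsed LNK matches the startup-folder WSH pattern (empty list = nothing suspicious)."""
    target = fields.get("relative_path", "").lower()
    reasons = []
    if target.endswith(WSH_HOSTS):
        reasons.append("target is a Windows Script Host binary: " + target)
    for token in (t.strip('"') for t in re.findall(r'"[^"]*"|\S+', fields.get("arguments", "").lower())):
        if token.endswith(SCRIPT_EXTS):          # a script handed to the host, e.g. from a user profile
            where = "user profile" if "\\users\\" in token or "\\appdata\\" in token else "disk"
            reasons.append(f"argument passes a {where} script to the host: {token}")
    return reasons
```

Run `wsh_indicators(parse_lnk(open(path, "rb").read()))` over every .lnk in the per-user and "all users" startup folders to triage real shortcuts; a non-empty list is worth a look, an empty one is not proof of absence.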
Sent Yes
Tags Malware


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repeat of a previous one.