EXPLORE

← Back to Explore

T1216

System Script Proxy Execution

Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files.(Citation: LOLBAS Project) This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)

Windows

15

Detections

3

Sources

0

Threat Actors

BY SOURCE

13sigma1elastic1splunk_escu

PROCEDURES (6)

Process Creation Monitoring6 detections

Auto-extracted: 6 detections for process creation monitoring

Powershell5 detections

Auto-extracted: 5 detections for powershell

File Monitoring1 detections

Auto-extracted: 1 detections for file monitoring

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Remote1 detections

Auto-extracted: 1 detections for remote

Remote1 detections

Auto-extracted: 1 detections for remote

DETECTIONS (15)

Assembly Loading Via CL_LoadAssembly.ps1

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File

Delayed Execution via Ping

Execute Code with Pester.bat

Execute Code with Pester.bat as Parent

Potential Manage-bde.wsf Abuse To Proxy Execution

Potential Process Execution Proxy Via CL_Invocation.ps1

Potential Script Proxy Execution Via CL_Mutexverifiers.ps1

Remote Code Execute via Winrm.vbs

Suspicious CustomShellHost Execution

SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code

Uncommon Sigverif.EXE Child Process

UtilityFunctions.ps1 Proxy Dll

Windows System Script Proxy Execution Syncappvpublishingserver