Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
Hello and welcome to another Application of the MITRE ATT&CK Framework discussion. Today we're going to be looking at scripting. So with that, what are today's objectives? Well, first, what we're going to do is look at what scripting is and just define it a little bit for you. Now, you may notice that we'll use terms that are associated with PowerShell and things of that nature. Scripting covers more than just PowerShell scripting. It's just any kind of automated tasking that we can do by writing either, you know, a VBScript or a PowerShell script or batch files, or whatever the case may be; scripting would fall into that area. We're going to look at some examples as to how scripting can be used. We're going to, of course, look at some mitigation techniques, and then we will talk about some detection techniques as well that are specific to scripting.
00:57
So scripting is essentially defining scripts, and scripts are used to perform multiple actions in a quick and automated manner. This provides some of the following advantages. It reduces the time to gain access to resources, so instead of a threat actor having to manually enter commands line by line, they can dump a script on the system that the end user runs, and then that script will run through a set of tasks that could potentially give them access to resources or outright download information, depending on what they're trying to do. It can potentially bypass monitoring mechanisms, so some scripts may be interpreted as benign or not as a threat. It may run in a space such as memory or something of that nature, or the threat actor may have a measure in place that allows it to maybe be obfuscated. Whatever the case may be, there is the potential that it could be used for bypassing these mechanisms, and it can be run without the end user's knowledge. As we saw with PowerShell, we can run that in the background, running in memory, run it without, you know, a user knowing.
02:06
Some common languages that are associated with scripting in Windows are VBScript, PowerShell and batch scripts. Of course, there are other operating systems out there where scripting is popular. There are also languages not mentioned here, such as Python and Ruby, which can be used as well. Really, if it is a language that a computer can understand, then you can design some type of script to work with it.
02:34
Now, what are some uses for scripting? Well, threat actors can embed scripts inside of Office documents using macros. Once the file is interacted with, then essentially what happens there is the script runs, and so again there has to be some form of interaction or engagement on the user's part here. Scripting can be used for information gathering, okay, prior to the threat actor using the system. So essentially, I've written simple scripts that will go out and provide a response to ping. And what will happen is the script picks up the IP address of the system, you make some assumptions about the netmask and things of that nature, and it will do a quick sweep of the range to see if there are, in fact, live systems on the network that can be reached. That could be one thing. Account information could be gathered with scripts prior to a threat actor using a machine.
03:30
Scripting can be used to again silently install applications and things of that nature, so that could be beneficial, and then run commands from those applications. And so if you've administered in an environment of really any size, and you've had to work around end users and things of that nature, typically you have to find a way to get something on a system, to get it or get something fixed on the system, and do it in a manner that's not going to interrupt the productivity of the end user. And so a lot of times, if you go out and look on the websites for software and look through the technical guides, you'll find ways to silently install software. You'll find ways to run commands through the software that otherwise you'd have to log in via the GUI or something of that nature. The same thing can happen here. We could design scripts to pull software from a server on the Internet, and then do a silent install of that particular software, and then we could have a phase of that script that runs commands from the successfully installed software as well. So we could do all of that in a matter of minutes, seconds, whatever the case may be, using scripting.
04:40
Now, a platform that has some mention, or a framework that has some mention, in the ATT&CK framework under scripting, and that I use quite often, is Metasploit. So if you've had any experience with Metasploit, it's a security tool that can, of course, be used by threat actors; the framework is open to anyone. Metasploit can be installed on Linux, Mac OS X and Windows-based systems, and so on any of the operating systems that you can imagine being in possession of, you can run Metasploit on it. A flavor of Linux that's not mentioned here is Kali Linux, which has the Metasploit framework on it out of the box. And it does more than just... so it's known for these things: for exploitation, and the ability to add custom exploits and things of that nature to Metasploit using Ruby. But there's also vulnerability validation that you can do. There are different auxiliary modules where you could do information gathering and things of that nature. So, really, if you become fluent in using this framework, it has the capability to script a number of information gathering areas, a number of vulnerability validation areas, exploitation areas, as well as maintaining access and keeping sessions open. So there's a lot of different things that you can do just with this one framework.
06:03
Another framework that was mentioned, that is not listed here because we just got done talking about it, was PowerSploit. Again, even though it's mentioned under PowerShell, and PowerShell is a separate vector, a separate area in MITRE, it still is a scripting tool that can be used for exploitation purposes as far as that piece is concerned.
06:27
So let's go ahead and jump into mitigation. We don't have a huge list here, but enabling capabilities that allow for the sandboxing and blocking of macros. And so where this comes into play is where we talk about end users interacting with attachments, interacting with URLs or interacting with anything, really, that could run a script. So the goal here would be that you have a system where that script would be executed in a safe environment, and that system would look to see if it makes connections to malicious IPs, if it tries to install software, if it tries to do anything that's not common to that particular extension type, file type, whatever the case may be. This would be a way that you could potentially mitigate that. And, of course, you can outright disable, remove or restrict access to scripting engines. Again, scripts have to run using something like PowerShell, using something like the command line or using something like, um, the terminal. Whatever the case may be, it would still need access to those local resources. And so, if you've got a standard user that can't, of course, access those things, and they interact with a file that would need to run a script of some kind, if it can't access those resources, it can't effectively execute. Now, there may be ways that that could be bypassed potentially, but in this case, it's definitely something to consider.
07:57
Now, let's talk about detection. So, of course, we want to log any attempts made by standard users to run scripts. If we know in the environment that users don't need access to scripts, they don't need to run scripts, it's not something that they do in their day-to-day tasks, then we want to log any attempt to do so. That would be a violation, maybe of policy, and it would need to be reviewed immediately. We'd want to monitor command-line arguments for script execution. Again, if we see activity that's indicative of scripting, if we see that terminals or that PowerShell or that anything is really, you know, being used in that fashion, we'd want to alert on it, maybe do some correlation and see if we've got a threat actor in the environment or an issue. Monitor/alert on scripts that spawn unusual processes. So this is great. There's a number of tools out there that, if something, let's say, like a Word document attempts to run PowerShell, that doesn't make sense. Why would Word need to run PowerShell? So it would flag that, alert on that, and you could potentially install systems that would prevent that entirely as well.
09:03
So with that, let's do a quick check on learning. True or false: scripting is not common among threat actors and should be considered a low risk.
09:18
All right, if you need some additional time, please pause the video. So this is a false statement. Scripting is mentioned in MITRE, and it is very common for threat actors to use scripting as a means to gain access to, or get tools on, a machine, and it should definitely not be considered a low risk. You definitely want to consider controls and maybe mitigating factors accordingly.
09:41
So with that, let's jump over to our summary. In summary, we described scripting and looked at what that is. We described how it can be used. We looked at some mitigation techniques and their capabilities there, as well as some detection techniques. So with all of that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.
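The detection ideas from the lesson (log script-engine use by standard users, watch command-line arguments, and alert when an Office application spawns PowerShell or another interpreter) can be turned into a small triage rule. The example below is added here and is not code from the course or the instructor. It runs over constructed process-creation records whose field names borrow from Sysmon Event ID 1 (Image, ParentImage, CommandLine, User) but whose contents are made up; the interpreter list, Office list, admin-account set and suspicious-switch pattern are assumptions you would tune for your own environment.

```python
"""Triage process-creation events for the scripting tells the lesson calls out.

Three checks, each producing a named finding:
  office-spawned-script-engine   : Word/Excel/etc. is the parent of a script interpreter
  script-engine-by-standard-user : a non-admin account launched a script interpreter at all
  suspicious-argument            : PowerShell switches typical of hidden/encoded execution

The records below are constructed for the example; Sysmon field names are borrowed
only for familiarity. Lists and the regex are assumptions, not a vendor ruleset.
"""
from dataclasses import dataclass
import re

# Assumed interpreters and Office hosts; extend for your environment.
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "cscript.exe",
                  "wscript.exe", "cmd.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Switches that hide the window, bypass execution policy or pass a base64 payload.
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-enc\w*|-w(indowstyle)?\s+hidden|-nop\w*|-ep\s+bypass|-executionpolicy\s+bypass)"
)


@dataclass
class ProcessEvent:
    user: str           # account that launched the process (Sysmon: User)
    image: str          # full path of the new process (Sysmon: Image)
    parent_image: str   # full path of the parent (Sysmon: ParentImage)
    command_line: str   # full command line (Sysmon: CommandLine)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_privileged(user: str, admins: set[str]) -> bool:
    """Case-insensitive membership test against the assumed admin/service set."""
    return user.lower() in {a.lower() for a in admins}


def evaluate(ev: ProcessEvent, admins: set[str]) -> list[str]:
    """Return the list of findings for one event (empty list means benign)."""
    findings = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    if img not in SCRIPT_ENGINES:
        return findings                     # only interpreters are in scope here
    if parent in OFFICE_APPS:
        findings.append(f"office-spawned-script-engine: {parent} -> {img}")
    if not is_privileged(ev.user, admins):
        findings.append(f"script-engine-by-standard-user: {ev.user} ran {img}")
    m = SUSPICIOUS_ARGS.search(ev.command_line)
    if m:
        findings.append(f"suspicious-argument: {m.group(0)}")
    return findings


def triage(events: list[ProcessEvent], admins: set[str]) -> list[tuple[ProcessEvent, list[str]]]:
    """Keep only events that raised at least one finding."""
    return [(ev, f) for ev in events if (f := evaluate(ev, admins))]


# Constructed sample data (not real telemetry).
ADMINS = {"CORP\\svc_deploy", "CORP\\it-admin"}
SAMPLE_EVENTS = [
    # 1. Macro in a Word document launching hidden, encoded PowerShell: all three checks fire.
    ProcessEvent("CORP\\jdoe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
                 "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    # 2. Deployment service doing a silent MSI install: the legitimate admin use from the lesson, no finding.
    ProcessEvent("CORP\\svc_deploy", "C:\\Windows\\System32\\cmd.exe",
                 "C:\\Windows\\System32\\services.exe",
                 "cmd.exe /c msiexec.exe /i C:\\pkg\\app.msi /qn"),
    # 3. Ordinary user opening Notepad: not an interpreter, ignored.
    ProcessEvent("CORP\\jdoe", "C:\\Windows\\System32\\notepad.exe",
                 "C:\\Windows\\explorer.exe", "notepad.exe C:\\Users\\jdoe\\notes.txt"),
    # 4. Ordinary user double-clicking a downloaded .vbs: standard-user check fires.
    ProcessEvent("CORP\\jdoe", "C:\\Windows\\System32\\wscript.exe",
                 "C:\\Windows\\explorer.exe", "wscript.exe C:\\Users\\jdoe\\Downloads\\invoice.vbs"),
    # 5. Admin running a script with ExecutionPolicy Bypass: only the argument check fires.
    ProcessEvent("CORP\\it-admin", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "C:\\Windows\\explorer.exe",
                 "powershell.exe -ExecutionPolicy Bypass -File C:\\deploy\\deploy.ps1"),
]

if __name__ == "__main__":
    for ev, findings in triage(SAMPLE_EVENTS, ADMINS):
        print(f"{ev.user:18} {basename(ev.image):15} {'; '.join(findings)}")
```

Event 2 is the point of the admin-account set: the same interpreter that is alarming under a standard user is routine for a deployment service, so the rule keys on who ran it and from where rather than on `cmd.exe` alone. In production you would feed real Sysmon or EDR records instead of the constructed list, and treat the `office-spawned-script-engine` finding as the one to page on.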

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Robert Smith
Director of Security Services at Corsica
Instructor