Mechanisms of Evasion
Living-off-the-Land: Scripts leverage built-in Windows interpreters (like powershell.exe, cmd.exe, cscript.exe, wscript.exe, mshta.exe) or commonly installed ones (python.exe, AutoIt3.exe). Since these interpreters are legitimate, their execution is less likely to be flagged by basic security software compared to unknown executables.
Fileless Execution (PowerShell): PowerShell is particularly powerful as it allows for code execution directly in memory without necessarily writing scripts to disk. Commands can be downloaded and executed on-the-fly, or encoded commands can be passed via the command line, minimizing disk artifacts.
Obfuscation: Scripts are easily obfuscated using various techniques (encoding like Base64, character substitution, breaking code into smaller parts) making static analysis difficult.
Automation: Scripts excel at automating sequences of actions, such as disabling security services, deleting logs/files (e.g., Prefetch entries, specific registry keys, browser history), modifying system settings, or downloading and executing secondary payloads.
Interaction with System Components: Scripts can interact directly with Windows APIs, WMI, COM objects, and the .NET framework, enabling complex operations like process injection, registry manipulation, network communication, and persistence mechanisms (e.g., creating scheduled tasks or startup entries).
HTA Exploitation: HTML Applications (.hta files) can execute embedded scripts (VBScript, JScript) with higher privileges than standard web pages, leveraging mshta.exe. This can be used to bypass browser sandbox restrictions and execute arbitrary code when a user opens the HTA file.
AutoIt for Automation: AutoIt is a legitimate scripting language designed for automating the Windows GUI and general scripting. Attackers misuse it to simulate mouse clicks/keystrokes (like complex macros or autoclickers) or automate malicious tasks. Compiled AutoIt scripts (.exe) can sometimes be harder to reverse-engineer than other script types.