Scripting attacks besides PowerShell?

  • Who knows of any scripting attacks that can occur besides with PowerShell? This seems to be the most dangerous Windows kind right now at least.

  • I’ve seen malware also using .js, .jse, .vbs, .vbe, .hta and others, mainly as droppers. ;)

  • @fernandom How have you seen those completing their execution of the dropped files though? I've analyzed a few of those but I only had code which could execute via ActiveX (which is largely disabled ofc) and/or VBScript calling PowerShell which in turn calls the dropped files.

  • @cpu_whisperer definitely yes. Some time ago I stopped looking into those files so I have nothing fresh at this moment though.

  • @moveax41h lots of users seem to have the Windows GUI file associations still configured to auto-run scripts when double-clicked instead of opening in a benign tool like Notepad. For example, .js and .vbs seem to launch with wscript.exe or cscript.exe, and .hta will launch with mshta.exe … thus those types of attachments can still be used successfully.

  • @neonprimetime Yeah I agree, I have also seen some accreditation recommendations for implementation of systems that denote that certain files (.js, .hta, etc.) are opened by default with benign programs like Notepad, usually pushed via domain GPOs.
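
The association check described in the last two posts, as an added example that is not part of the original thread: it parses `assoc` and `ftype` output collected from an endpoint and flags the extensions mentioned above whose handler is a script host rather than a benign program. The sample output, the function names and the host list are assumptions constructed for illustration.

```python
import ntpath
import re

# Script hosts and extensions named in the thread (powershell.exe from the opening post).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
RISKY_EXTS = (".js", ".jse", ".vbs", ".vbe", ".hta")

# Constructed sample of `assoc` and `ftype` output, not captured from a real host.
SAMPLE_ASSOC = """\
.js=JSFile
.vbs=txtfile
.vbe=VBEFile
.hta=htafile
"""
SAMPLE_FTYPE = """\
JSFile=C:\\Windows\\System32\\WScript.exe "%1" %*
VBEFile="%SystemRoot%\\System32\\WScript.exe" "%1" %*
htafile=C:\\Windows\\SysWOW64\\mshta.exe "%1" %*
txtfile=%SystemRoot%\\system32\\NOTEPAD.EXE %1
"""

def parse_pairs(text):
    """Parse 'key=value' lines as printed by assoc/ftype; keys are lowercased."""
    pairs = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            pairs[key.lower()] = value.strip()
    return pairs

def handler_exe(command):
    """Lowercase basename of the first token (quoted or not) of an ftype command."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return ntpath.basename(m.group(1) or m.group(2)).lower() if m else ""

def audit(assoc_text, ftype_text, exts=RISKY_EXTS):
    """Map each extension to (handler exe, True if that handler is a script host)."""
    assoc, ftype = parse_pairs(assoc_text), parse_pairs(ftype_text)
    report = {}
    for ext in exts:
        prog_id = assoc.get(ext, "").lower()
        exe = handler_exe(ftype.get(prog_id, ""))
        report[ext] = (exe, exe in SCRIPT_HOSTS)
    return report

if __name__ == "__main__":
    for ext, (exe, risky) in audit(SAMPLE_ASSOC, SAMPLE_FTYPE).items():
        print(f"{ext:5} {exe or '(none)':12} {'runs on double-click' if risky else 'ok'}")
```

`assoc` and `ftype` report the machine-wide association; a per-user choice made in Explorer can differ, so treat the result as the default rather than the effective handler for every account.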
