Find malicious JScript using OverWatch Elite

An adversary’s ability to live off the land (relying on tools built into the operating system and on legitimate user-installed software rather than on tooling that must be brought in) can allow the adversary to move through a victim organization’s network relatively undetected. The CrowdStrike Falcon OverWatch™ threat hunters are well aware of adversaries’ fondness for these LOLBins and build their hunts accordingly. In recent months, OverWatch Elite, part of CrowdStrike’s Falcon OverWatch managed threat hunting service, has seen an increase in the use of JScript in hands-on-keyboard intrusions.

JScript vs. JavaScript

JScript is Microsoft’s dialect of the JavaScript standard, a scripting language that, in a web browser context, is used to add custom functionality to web pages. Unlike browser JavaScript, however, JScript is an Active Scripting language, which means it is much more tightly integrated with the operating system. JScript can be executed as a standalone file, and it is commonly used to write files to disk, make registry changes, open network connections, execute commands, and more.

While JScript and JavaScript are distinct scripting mechanisms, they share the same file extension: .js. By default, double-clicking a .js file in Windows Explorer opens the file with the Windows Script Host executable wscript.exe, which executes the code. Because wscript.exe is signed by Microsoft and ships with every Windows installation, it is often treated as trusted by traditional security solutions. Although a .js file downloaded from the Internet triggers an additional warning dialog before execution, OverWatch telemetry shows that this rarely stops users from proceeding.

The relative ease with which .js files can be opened gives attackers an attractive initial access vector: tricking a user into executing a malicious script can be straightforward. Furthermore, the limited logging provided by the Windows Script Host (WSH) allows adversaries to use malicious JScript files to evade some defenses and remain unnoticed for much longer.

Figure 1: Proof-of-concept JScript file that spawns calc.exe when double-clicked.

JScript as an entry point for hands-on-keyboard activity

Unsurprisingly, OverWatch threat hunters regularly see intrusions that involve, or even begin with, malicious JScript executions. In the first quarter of 2022, OverWatch identified several Fake Browser Update (FBU) infections, two of which led to the delivery of Cobalt Strike beacons followed by hands-on-keyboard activity. The actor is believed to have used compromised WordPress sites to host fake warnings about outdated browsers or plugins, prompting the user to click a button to download the latest version. The malicious .js payload was then delivered inside a .zip archive, and the user was enticed to open it by giving the script a name such as ChromeUpdate.js. This script connected to the command-and-control (C2) channel and executed various reconnaissance commands (for example, using whoami, net, nltest and cmdkey) before dropping and running a Cobalt Strike beacon. The actor was then observed using this beacon for hands-on-keyboard activity.

In another case, OverWatch observed malicious .js files used in a phishing campaign themed around financial services. An email was sent to the victim organization with a .zip attachment containing a file named agreement.js. When opened, the JScript file reached out to an attacker-controlled domain and set up a PowerShell implant that allowed the actor to carry out further hands-on-keyboard activity. This activity included establishing persistence, running various discovery commands, and executing BloodHound. OverWatch quickly alerted the victim organization to the malicious activity, enabling it to contain the affected hosts.

Detect and prevent malicious JScript executions in your environment

Because of the way JScript works, there is no straightforward way to detect malicious executions. While JScript is considered a legacy technology, a wide range of software and automated management solutions still rely on it. This makes distinguishing benign behavior from potentially harmful behavior a challenge.

As the examples above show, abusing JScript for initial access only requires the attacker to convince the user to open a malicious .js file, which is often delivered to the user inside an archive. One way to find this malicious needle in your environment’s haystack is to hunt for JScript executions that originate from the user’s Downloads folder or from temporary archive-extraction locations (e.g. for ZIP, RAR or 7-Zip files).

Using the CrowdStrike Falcon® platform’s Event Search function, the following query will surface these executions:

event_simpleName=ProcessRollup2 FileName IN ("cscript.exe", "wscript.exe")
| search CommandLine = "*.js*" (CommandLine="*\\downloads\\*" OR (CommandLine="*\\Appdata\\Local\\Temp\\*" AND (CommandLine="*.zip\\*" OR CommandLine="*\\7z*" OR CommandLine="*\\Rar*")))
| rex field=CommandLine "(?i)(?<ArchiveType>\.zip\\\|\\\7z|\\\Rar)"
| eval ArchiveType=case(ArchiveType=".zip\\", "ZIP", ArchiveType="\\7z", "7Z", ArchiveType="\\Rar", "RAR")
| eval isFromArchive=if(ArchiveType!="","Yes", "No")
| eval isInDownloads=if(match(CommandLine, ".*\\\Downloads\\\.*"),"Yes", "No")
| eval ProcExplorer="https://falcon.crowdstrike.com/investigate/process-explorer/" . aid . "/" . TargetProcessId_decimal . "?_cid=" . cid
| convert ctime(_time)
| table _time aid ComputerName UserName isInDownloads isFromArchive ArchiveType FileName CommandLine ParentBaseFileName ProcExplorer
| sort + _time
| rename _time as Time, aid as "Falcon AID", ComputerName as Endpoint, isInDownloads as "In Downloads folder?", isFromArchive as "From Archive?", FileName as ProcessName, CommandLine as ProcessCommandLine, ParentBaseFileName as ParentProcessName, ProcExplorer as "Process Explorer Link"

The output from this query might look like this:

Figure 2: Sample output of the event search query above, showing suspicious JScript executions.

The next step is to follow the Process Explorer link to view the process tree and dig deeper into the actions performed by the JScript file.

Figure 3: Falcon Process Explorer reveals the suspiciously named invoice_2022-03-21.js spawning calc.exe.

The example above shows the execution of calc.exe, which may be considered unusual in a given environment. This opens up further hunting opportunities, such as analyzing unusual child processes spawned by wscript.exe.

If this hunting query returns too many results, the search can be narrowed, for example by limiting it to wscript.exe executions that spawn new processes, write certain file types to disk, or modify sensitive registry locations.
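The following is an added example, not CrowdStrike’s code: it re-implements the filtering and enrichment logic of the event search query above (script host, .js in the command line, Downloads folder or archive-extraction temp path, ArchiveType, isInDownloads, isFromArchive) in plain Python, and adds the narrowing step described above by listing unexpected child processes of the flagged script hosts. The events are constructed sample data whose field names mirror the ProcessRollup2 fields used in the query; the pid/ppid keys and the EXPECTED_CHILDREN allowlist are assumptions for the example.

```python
"""Hunt for JScript executions launched from Downloads or archive temp folders.

Added example (not CrowdStrike's code). It mirrors the Falcon event search query
in the article so the same logic can be run over process-creation events exported
from any EDR or Sysmon source.
"""
import re

# Constructed sample events (not real telemetry). "pid"/"ppid" are assumed names;
# the other keys mirror ProcessRollup2 fields used by the query.
SAMPLE_EVENTS = [
    {"pid": 101, "ppid": 10, "FileName": "explorer.exe", "ParentBaseFileName": "userinit.exe",
     "CommandLine": "explorer.exe"},
    {"pid": 102, "ppid": 101, "FileName": "wscript.exe", "ParentBaseFileName": "explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\ChromeUpdate.js"'},
    {"pid": 103, "ppid": 101, "FileName": "wscript.exe", "ParentBaseFileName": "explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\bob\AppData\Local\Temp\Temp1_invoice.zip\invoice_2022-03-21.js"'},
    {"pid": 104, "ppid": 101, "FileName": "wscript.exe", "ParentBaseFileName": "explorer.exe",
     "CommandLine": r'wscript.exe C:\Users\bob\AppData\Local\Temp\7zO1234\agreement.js'},
    {"pid": 105, "ppid": 101, "FileName": "wscript.exe", "ParentBaseFileName": "explorer.exe",
     "CommandLine": r'wscript.exe C:\Users\bob\AppData\Local\Temp\Rar$DIa0.123\agreement.js'},
    # Benign: a management agent running a script from ProgramData; must NOT match the hunt.
    {"pid": 106, "ppid": 20, "FileName": "cscript.exe", "ParentBaseFileName": "svchost.exe",
     "CommandLine": r'cscript.exe //nologo C:\ProgramData\Mgmt\inventory.js'},
    # Children of the suspicious script hosts (calc.exe as in Figure 3, whoami as in the FBU case).
    {"pid": 107, "ppid": 103, "FileName": "calc.exe", "ParentBaseFileName": "wscript.exe",
     "CommandLine": "calc.exe"},
    {"pid": 108, "ppid": 102, "FileName": "whoami.exe", "ParentBaseFileName": "wscript.exe",
     "CommandLine": "whoami"},
    {"pid": 109, "ppid": 104, "FileName": "conhost.exe", "ParentBaseFileName": "wscript.exe",
     "CommandLine": "conhost.exe 0x4"},
]

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
# Same alternation as the query's rex: ".zip\" (extracted ZIP), "\7z" (7-Zip temp), "\Rar" (WinRAR temp).
ARCHIVE_RE = re.compile(r"(?i)(?P<ArchiveType>\.zip\\|\\7z|\\Rar)")
ARCHIVE_NAMES = {".zip\\": "ZIP", "\\7z": "7Z", "\\rar": "RAR"}
# Constructed allowlist of child images considered normal for a script host; tune per environment.
EXPECTED_CHILDREN = {"conhost.exe"}


def classify(event):
    """Return the enrichment fields the query adds for a matching event, or None if it does not match."""
    if event["FileName"].lower() not in SCRIPT_HOSTS:
        return None
    cmd = event["CommandLine"]
    low = cmd.lower()  # Splunk wildcard matches are case-insensitive, so compare lowercased
    if ".js" not in low:
        return None
    in_downloads = "\\downloads\\" in low
    in_temp = "\\appdata\\local\\temp\\" in low
    archive_hint = ".zip\\" in low or "\\7z" in low or "\\rar" in low
    if not (in_downloads or (in_temp and archive_hint)):
        return None
    m = ARCHIVE_RE.search(cmd)
    archive_type = ARCHIVE_NAMES.get(m.group("ArchiveType").lower(), "") if m else ""
    return {
        "isInDownloads": "Yes" if in_downloads else "No",
        "isFromArchive": "Yes" if archive_type else "No",
        "ArchiveType": archive_type,
        "ProcessName": event["FileName"],
        "ProcessCommandLine": cmd,
        "ParentProcessName": event["ParentBaseFileName"],
    }


def hunt(events):
    """Rows equivalent to the query's table output, in input order."""
    return [dict(pid=e["pid"], **r) for e in events if (r := classify(e))]


def unusual_children(events, flagged_rows):
    """Narrowing step: child processes of flagged script hosts that are not on the allowlist."""
    flagged_pids = {row["pid"] for row in flagged_rows}
    return [e for e in events
            if e["ppid"] in flagged_pids and e["FileName"].lower() not in EXPECTED_CHILDREN]


if __name__ == "__main__":
    rows = hunt(SAMPLE_EVENTS)
    for row in rows:
        print(row["pid"], row["isInDownloads"], row["isFromArchive"], row["ArchiveType"], row["ProcessCommandLine"])
    for child in unusual_children(SAMPLE_EVENTS, rows):
        print("unusual child of", child["ppid"], "->", child["FileName"])
```

The benign inventory script run by svchost.exe is deliberately included: it has ".js" in its command line but runs from ProgramData, so it falls outside both the Downloads and the archive-temp conditions, which is exactly why the query keys on those paths rather than on the script host alone.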

From a preventive perspective, there are a few things that can be done. One of the main weaknesses in how JScript is set up on Windows is that double-clicking a .js file leads straight to execution. Removing the file association between the .js extension and wscript.exe can reduce the chances of a successful attack. Without the file association, a user would have to execute the file from a command prompt, so an unsuspecting user double-clicking an attachment from a phishing email would no longer result in a successful compromise. Additionally, partially disabling JScript can reduce the attack surface. Microsoft also offers an option to disable Windows Script Host entirely (although this is unlikely to be an option in most corporate environments).

The value of OverWatch Elite

Hunting for malicious .js executions can be difficult due to large data volumes, the legitimate use of JScript files, and the variety of ways in which attackers can misuse JScript. Defending effectively requires deep knowledge of your environment, insight into how attackers operate, and experience in detecting follow-on behavior. Managing this alongside other day-to-day responsibilities can easily overwhelm an internal security team.

OverWatch’s leading managed threat hunting service protects customer environments 24/7. OverWatch’s primary mission is to identify malicious activity as early as possible and to provide customers with fast, timely and, most importantly, actionable notifications and context.

OverWatch Elite builds on the 24/7/365 threat hunting provided as part of standard OverWatch and includes additional services such as 60-minute call escalation for critical threats, quarterly threat briefings, tailored threat hunting, and more. OverWatch Elite customers are also invited to a private Slack channel where they can reach their OverWatch Elite analyst to respond quickly and with confidence.

For more information, please visit the OverWatch Elite page on the CrowdStrike website.
