When Scripts Attack, WildFire Protects

Kamil Imtiaz


Adversaries look for fast and easy ways to steal data. Among the many techniques in their playbooks, using scripts is a quickly growing trend. Why? It requires minimum human intervention, automates manual steps, and gets them to their malicious goals faster.

Scripting is an extremely useful tool. It allows administrators and power-users to automate repetitive tasks and multitask effectively. If you have ever opened a Microsoft Office file, you have probably encountered “macros”, which may execute VBScripts. These tools help accelerate productivity,  but can also be used for a darker purpose . Adversaries can leverage scripting languages to ingest and execute code, exploit vulnerabilities in the system, and potentially gain privileged access.

Attackers are continuously finding clever new ways to hide these malicious scripts in seemingly safe content. For example, they can use password-protected archive formats (.ZIP, .RAR), or embed them in commonly used Windows PE files and documents , successfully evading legacy sandboxing tools. In most cases, attackers use social engineering techniques to build emails to deliver the script that appears to be from a trusted source within the company, increasing the chances of an employee engaging with it.

 

How WildFire Protects

Palo Alto Networks WildFire malware prevention service added an innovative new detection technique to mitigate script-based attacks. When scripts are identified traversing the network, our Security Operating Platform immediately identifies and forwards the files to WildFire for analysis and execution. In order to reveal even the most evasive advanced attacks, WildFire utilizes multiple techniques including static analysis and dynamic analysis to identify the true intent of the script. Once the verdict is determined, protections are shared with the global community within minutes, spreading immunity worldwide.

 

WildFire now supports the following scripts filetypes:

 

Script Support

  • JScript (.js,)
  • VBScript (.vbs)
  • PowerShell Script (.ps1)
  • Shell Script (.sh)

 

Protocols:

  • HTTP, HTTPS
  • FTP
  • POP3, SMTP, IMAP
  • SMB

 

If you want to learn more about WildFire script support and how it works, go to our LIVE Community page of active engagement and discussions.

 

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.