The following script is designed to create artifacts that teams can use to hunt for new or interesting capabilities.
The following tabletop exercise is based on the code here: https://github.com/code-scrap/DynamicWrapperDotNet
This script is self-contained. It should dynamically write a DLL to disk and load it into cscript.exe.
To invoke: cscript.exe stranger_things.js
This example expects a 64-bit system.
You can modify that if you want ARM or x86, etc.
Ideas of what to hunt/test:
- Did the anti-malware engine detect a malicious script?
- Did you observe the DLL written to disk?
- Did you observe the DLL/module load?
- What artifacts does this approach leave behind?
- How might an attacker change this script to evade detection? Hint: that 'base64 blob' lol
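One way to check the second and third questions from endpoint telemetry, as an added hunt example that is not part of the original script: correlate a DLL written to disk by a script host with that same path being loaded as a module by the script host shortly afterwards. The event records are constructed here as simplified dicts loosely modelled on Sysmon Event ID 11 (FileCreate) and Event ID 7 (ImageLoad); the field names and the DLL path are assumptions, not real telemetry.

```python
"""Hunt logic for the tabletop above (added example, not part of the
original script): flag a DLL that cscript.exe/wscript.exe wrote to disk
and then loaded as a module within a short window.

Events are constructed dicts loosely modelled on Sysmon Event ID 11
(FileCreate) and Event ID 7 (ImageLoad); field names are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry: a normal jscript.dll load, then the
# write-then-load pair the script is expected to produce.
SAMPLE_EVENTS = [
    {"id": 7, "time": "2024-01-01T10:00:00", "image": r"C:\Windows\System32\cscript.exe",
     "loaded": r"C:\Windows\System32\jscript.dll"},
    {"id": 11, "time": "2024-01-01T10:00:01", "image": r"C:\Windows\System32\cscript.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\placeholder_dynwrapper.dll"},
    {"id": 7, "time": "2024-01-01T10:00:02", "image": r"C:\Windows\System32\cscript.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\placeholder_dynwrapper.dll"},
]

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(value):
    return datetime.fromisoformat(value)


def find_written_then_loaded(events, window_seconds=60):
    """Return (dll_path, write_time, load_time) for every file a script host
    wrote (id 11) and later loaded as a module (id 7) within the window."""
    writes = {}  # normalised path -> time of the FileCreate by a script host
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if _basename(ev["image"]) not in SCRIPT_HOSTS:
            continue  # only care about the Windows Script Host processes
        if ev["id"] == 11:
            writes[ev["target"].lower()] = _ts(ev["time"])
        elif ev["id"] == 7:
            key = ev["loaded"].lower()
            if key in writes and _ts(ev["time"]) - writes[key] <= timedelta(seconds=window_seconds):
                hits.append((ev["loaded"], writes[key], _ts(ev["time"])))
    return hits


if __name__ == "__main__":
    for path, wrote, loaded in find_written_then_loaded(SAMPLE_EVENTS):
        print(f"script host wrote then loaded {path} ({(loaded - wrote).total_seconds():.0f}s apart)")
```

The same correlation works for any process that should not normally author the modules it loads; widening SCRIPT_HOSTS is the only change needed.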