It’s common to see command and script interpreters used by threat actors to execute scripts. For example, PoetRAT, a remote access trojan, used a Lua interpreter for Windows to execute a Lua script. Mitigation techniques include antivirus, behavior prevention on endpoints, disabling certain features or privileges, and code signing. To detect this activity, monitor command execution, module loads, process creation, process metadata, and script execution. Understanding strings is critical to interpreting suspicious commands.
Adversaries employ obfuscation techniques to avoid detection and to complicate analysis. Common detection logic is to look for specific strings that involve launching commands, or anything that contains start or exit commands. It’s also good to know the common indicators of obfuscation, such as the use of loops, double quotes, semicolons, random variable names, environment variable substrings, and caret symbols. Adversaries frequently use built-in and bypass commands, and frequently establish persistence by using scheduled tasks to launch a command shell. Looking for strings that take admin-level actions is helpful in analysis.
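As an added example (not part of the original text), here is a small Python scorer that applies the indicators listed above to command lines taken from process-creation telemetry. The regexes, the weights, the threshold and the sample command lines are constructed assumptions for this illustration, not a published rule set.

```python
import re

# Indicator table: (name, regex, weight). The indicators follow the text above
# (carets, env-var substrings, loops, semicolons, double quotes, start/exit,
# scheduled tasks); the weights are an assumption for this example.
INDICATORS = [
    ("caret_escape",      re.compile(r"\^"),                                        1),
    ("env_var_substring", re.compile(r"%[A-Za-z_]\w*:~\s*-?\d+(?:,\s*-?\d+)?%"),    3),
    ("cmd_for_loop",      re.compile(r"\bfor\s+/[lfrd]\b", re.IGNORECASE),          2),
    ("semicolon",         re.compile(r";"),                                          1),
    ("double_quote",      re.compile(r'"'),                                          1),
    ("start_or_exit",     re.compile(r"\b(?:start|exit)\b", re.IGNORECASE),         1),
    ("schtasks_create",   re.compile(r"\bschtasks\b.*\s/create\b", re.IGNORECASE),  3),
]

# "set name=..." assignments whose variable name looks machine-generated:
# at least five characters with no vowels, or with two or more digits.
# This heuristic is an assumption of the example.
SET_VAR = re.compile(r"\bset\s+\"?([A-Za-z_]\w*)=", re.IGNORECASE)

def looks_random(name):
    vowels = sum(c in "aeiouAEIOU" for c in name)
    digits = sum(c.isdigit() for c in name)
    return len(name) >= 5 and (vowels == 0 or digits >= 2)

def score_command(cmdline):
    """Return (score, hits); hits maps indicator name -> number of matches."""
    hits, score = {}, 0
    for name, pattern, weight in INDICATORS:
        n = len(pattern.findall(cmdline))
        if n:
            hits[name] = n
            score += weight * min(n, 5)  # cap so one noisy indicator cannot dominate
    random_vars = [v for v in SET_VAR.findall(cmdline) if looks_random(v)]
    if random_vars:
        hits["random_var_name"] = len(random_vars)
        score += 2 * len(random_vars)
    return score, hits

def is_suspicious(cmdline, threshold=5):
    return score_command(cmdline)[0] >= threshold

# Constructed sample command lines (not real telemetry) for a quick run.
SAMPLES = [
    'cmd.exe /c dir "C:\\Program Files"',                                 # benign quoting
    'cmd /c "set xq7r2=notepad&&c^a^l^l %xq7r2%"',                         # carets + random var
    'cmd /c for /l %i in (1,1,3) do echo %COMSPEC:~-7%',                   # loop + env substring
    'schtasks /create /tn upd /tr "cmd /c start notepad" /sc minute',      # task-based persistence
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(is_suspicious(s), score_command(s), s)
```

Tune the weights and threshold against your own baseline of benign command lines before alerting on the score.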