Suspicious Managed Code Hosting Process

Identifies a suspicious managed code hosting process, which could indicate code injection or another form of suspicious code execution.

Elastic rule (View on GitHub)

  [metadata]
  creation_date = "2020/08/21"
  integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
  maturity = "production"
  updated_date = "2025/01/15"
  min_stack_version = "8.14.0"
  min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

  [rule]
  author = ["Elastic"]
  description = """
  Identifies a suspicious managed code hosting process, which could indicate code injection or another form of suspicious
  code execution.
  """
  from = "now-9m"
  index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*", "logs-crowdstrike.fdr*"]
  language = "eql"
  license = "Elastic License v2"
  name = "Suspicious Managed Code Hosting Process"
  references = [
      "http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
  ]
  risk_score = 73
  rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40"
  severity = "high"
  tags = [
      "Domain: Endpoint",
      "OS: Windows",
      "Use Case: Threat Detection",
      "Tactic: Defense Evasion",
      "Data Source: Elastic Defend",
      "Data Source: Sysmon",
      "Data Source: Microsoft Defender for Endpoint",
      "Data Source: SentinelOne",
      "Data Source: Elastic Endgame",
      "Data Source: Crowdstrike",
      "Resources: Investigation Guide",
  ]
  timestamp_override = "event.ingested"
  type = "eql"

  query = '''
  file where host.os.type == "windows" and event.type != "deletion" and
    file.name : ("wscript.exe.log",
                 "cscript.exe.log",
                 "mshta.exe.log",
                 "wmic.exe.log",
                 "svchost.exe.log",
                 "dllhost.exe.log",
                 "cmstp.exe.log",
                 "regsvr32.exe.log")
  '''
  note = """## Triage and analysis

  > **Disclaimer**:
  > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

  ### Investigating Suspicious Managed Code Hosting Process

  Whenever a process loads the .NET Common Language Runtime (CLR), the runtime records the assemblies that process used in a usage log named after the process (for example wscript.exe.log) inside the CLR_v4.0 UsageLogs folder of the user's local application data (for services, under the SYSTEM profile). Script hosts such as wscript.exe, cscript.exe, mshta.exe and wmic.exe, and system binaries such as svchost.exe, dllhost.exe, cmstp.exe and regsvr32.exe, are native programs that do not host the CLR in normal use, so a usage log carrying one of their names means managed code ran inside them. Adversaries leave exactly this artifact when they inject a .NET payload into a living-off-the-land binary or use a script to load a .NET assembly, because the injected code still runs through the runtime. The rule alerts on any file event other than a deletion that targets one of these usage-log names.

  ### Possible investigation steps

  - Retrieve the usage log named in the alert from the host and review the assemblies it lists. Framework assemblies from the Windows and .NET installation directories are expected; an assembly with an unusual name, no strong-name signature, or a user-writable or temporary load location is the likely payload.
  - Pull the process telemetry for the hosting process (the part of the file name before .log) around the time of the file event: command line, parent process, user and image loads. A load of clr.dll or mscoree.dll by wscript.exe, svchost.exe or another native host confirms that managed code executed there.
  - Examine the parent process and command line to determine whether a legitimate application spawned the host, or whether it was launched by a script, an Office document, a scheduled task or another process commonly used for initial access and execution.
  - Correlate the activity with the user account to determine whether a legitimate user performed it or whether the account may be compromised.
  - Check for scripts, assemblies or other files written to disk shortly before the alert by the same process chain, and for modifications to the executables associated with the hosting process, to identify the delivery mechanism.
  - Investigate network connections initiated by the hosting process to detect communication with known malicious IP addresses or domains.
  - Cross-reference identified indicators of compromise (file hashes, assembly names, IP addresses, domains) with threat intelligence sources.

  ### False positive analysis

  - Legitimate software can load managed code into one of these hosts, most commonly a COM-visible .NET class instantiated from an administrative script running under wscript.exe, cscript.exe or mshta.exe, or a managed COM server hosted out-of-process by dllhost.exe. Confirm the loading component from the usage log and the process telemetry, then scope any exception to that script or assembly and host rather than to the process name alone.
  - Installers that register mixed-mode (C++/CLI) or managed COM components can briefly load the runtime into regsvr32.exe or dllhost.exe. Document these activities and exclude them once they are verified as safe.
  - Usage logs for svchost.exe, cmstp.exe and wmic.exe are uncommon in normal operation; investigate them rather than excluding them on process name alone.
  - Regularly review the exception list to ensure it reflects current legitimate activity, so that an intrusion using the same hosts is not overlooked.

  ### Response and remediation

  - Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
  - Terminate the hosting process identified in the alert, such as wscript.exe or svchost.exe, if it is still running, to stop any ongoing malicious activity.
  - Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional malicious files, scripts or assemblies.
  - Review and restore any system or application configurations that may have been altered by the malicious code to ensure system integrity.
  - Collect and preserve relevant logs and forensic data from the affected system, including the usage log itself, for further analysis and to establish the scope and impact of the incident.
  - Notify the security operations center (SOC) or incident response team to escalate the incident for further investigation and to determine whether additional systems are affected.
  - Implement additional monitoring and detection rules to improve visibility and prevent similar threats, focusing on the specific hosts, assemblies and behaviors identified in the alert."""


  [[rule.threat]]
  framework = "MITRE ATT&CK"
  [[rule.threat.technique]]
  id = "T1055"
  name = "Process Injection"
  reference = "https://attack.mitre.org/techniques/T1055/"


  [rule.threat.tactic]
  id = "TA0005"
  name = "Defense Evasion"
  reference = "https://attack.mitre.org/tactics/TA0005/"
