Suspicious PowerShell Execution via Windows Scripts

Identifies suspicious PowerShell execution spawned from Windows Script Host processes (cscript.exe or wscript.exe).

Elastic rule (View on GitHub)

# Rule metadata: dates, the integrations whose data this rule reads, and the
# minimum Elastic stack version the rule's field names assume.
[metadata]
creation_date = "2024/09/09"
integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
# Kept next to the version floor it justifies.
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/15"

[rule]
author = ["Elastic"]
# NOTE(review): the query below also accepts mshta.exe as the parent process,
# so the detection is broader than the cscript/wscript wording here suggests.
description = """
Identifies suspicious PowerShell execution spawning from Windows Script Host processes (cscript or wscript.exe).
"""
# Lookback for each scheduled run; paired with timestamp_override below so
# events that arrive late are still inside the window.
from = "now-9m"
# One index pattern per supported data source; mirrors metadata.integration
# and the "Data Source:" tags further down.
index = [
    "winlogbeat-*",
    "logs-windows.*",
    "logs-system.security*",
    "logs-windows.sysmon_operational-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-m365_defender.event-*"
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious PowerShell Execution via Windows Scripts"
# 73 is the conventional score for severity = "high" in Elastic's rule set.
risk_score = 73
rule_id = "2d62889e-e758-4c5e-b57e-c735914ee32a"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: System",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender for Endpoint"
]
# Evaluate the lookback against ingest time rather than the event's own
# timestamp, so shipping delays from endpoints do not cause misses.
timestamp_override = "event.ingested"
type = "eql"

# Detection logic, read top to bottom (EQL `:` is a case-insensitive match
# that honours `*` wildcards):
#  1. powershell.exe / pwsh.exe started by wscript.exe, cscript.exe or
#     mshta.exe.
#  2. Either the child carries no arguments at all (args_count == 1 is the
#     executable alone), or its command line contains one of the listed
#     indicators: repeated obfuscation characters (^ '' ` { + $), Base64 /
#     .NET encoding and compression helpers, MemoryStream / WriteAllBytes,
#     short-form encoded-command switches (-e, -ec, -en*, -ep and the /x
#     forms), download cradles (WebClient, DownloadFile, DownloadString,
#     BitsTransfer, iwr, iex, Invoke-Exp*, invoke-web*), reflective assembly
#     loading, .Sockets., Defender exclusion changes (Add-MpPreference with
#     ExclusionPath) and raw.githubusercontent URLs.
#  3. False-positive exclusions. The first treats the long-form switches
#     (-EncodedCommand / Import-Module* / -NonInteractive together with
#     -ExecutionPolicy) as legitimate unless Sync-AppvPublishingServer is
#     present, trading some coverage of that form for fewer false positives.
#     The rest are narrow, environment-specific paths, scripts and
#     command-line fragments; check whether any of them occur in your own
#     fleet before relying on them. A `?` prefix marks an optional field, so a
#     data source that lacks it does not fail the whole query.
query = '''
process where host.os.type == "windows" and event.action == "start" and
  process.name : ("powershell.exe", "pwsh.exe") and
  process.parent.name : ("wscript.exe", "cscript.exe", "mshta.exe") and
   (
   process.args_count == 1 or
   process.command_line :
             ("*^*^*^*^*^*^*^*^*^*",
              "*''*''*''*",
              "*`*`*`*`*",
              "*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*",
              "*+*+*+*+*+*",
              "*$*$*$*$*",
              "*[char[]](*)*-join",
              "*Base64String*",
              "*[*Convert]*",
              "*.Text.Encoding*",
              "*.Compression.*",
              "*.replace(*",
              "*MemoryStream*",
              "*WriteAllBytes*",
              "* -en* *",
              "* -ec *",
              "* -e *",
              "* -ep *",
              "* /e *",
              "* /en* *",
              "* /ec *",
              "* /ep *",
              "*WebClient*",
              "*DownloadFile*",
              "*DownloadString*",
              "*BitsTransfer*",
              "*Invoke-Exp*",
              "*invoke-web*",
              "*iex*",
              "*iwr*",
              "*Reflection.Assembly*",
              "*Assembly.GetType*",
              "*.Sockets.*",
              "*Add-MpPreference*ExclusionPath*",
              "*raw.githubusercontent*")
   ) and

   /* many legit powershell commands uses those non shortened execution flags excluding Sync-AppvPublishingServer lolbas */
   not (process.args : ("-EncodedCommand", "Import-Module*", "-NonInteractive") and
        process.args : "-ExecutionPolicy" and not process.args : "Sync-AppvPublishingServer") and

   /* third party installation related FPs */
   not ?process.parent.args : "?:\\Windows\\system32\\gatherNetworkInfo.vbs" and
   not (?process.parent.args : "Microsoft.SystemCenter.ICMPProbe.WithConsecutiveSamples.vbs" and process.args : "Get-SCOMAgent") and
   not (process.command_line : "*WEBLOGIC_ARGS_CURRENT_1.DATA*" and ?process.parent.command_line : "*Impact360*") and
   not process.args :  "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers;*" and
   not process.command_line : ("*.Access.IdentityReference*win32_SID.SID*", "*AGIAbQB4AC0AYQBwAC4AcwAzAC4AdQBzAC0AZQBhAHMAd*") and
   not (?process.parent.args : "?:\\Users\\Prestige\\AppData\\Local\\Temp\\Rar$*\\KMS_VL_ALL_AIO.cmd  -elevated" and process.command_line : "*KMS_VL_ALL_AIO.cmd*") and
   not process.args : "iwr https://*.s3.us-east-1.amazonaws.com/scripts/Start-SpeedTest.ps1 -UserAgent * -UseBasicParsing | invoke-expression" and
   not (process.parent.name : "wscript.exe" and
        ?process.parent.args : "C:\\Program Files (x86)\\Telivy\\Telivy Agent\\telivy.js")
'''


# MITRE ATT&CK mapping. One technique (T1059) with two sub-techniques: the
# PowerShell child and the Visual Basic script host that spawned it.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique.subtechnique]]
id = "T1059.005"
name = "Visual Basic"
reference = "https://attack.mitre.org/techniques/T1059/005/"



# Sub-table of the single [[rule.threat]] element above; in TOML it must stay
# after that header and its sub-technique entries, which is why it sits here.
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
