Suspicious PowerShell Execution via Windows Scripts

Identifies suspicious PowerShell execution spawning from Windows Script Host processes (cscript or wscript.exe).

Elastic rule (View on GitHub)

[metadata]
creation_date = "2024/09/09"
integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious PowerShell execution spawning from Windows Script Host processes (cscript or wscript.exe).
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-windows.*",
    "logs-system.security*",
    "logs-windows.sysmon_operational-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-m365_defender.event-*"
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious PowerShell Execution via Windows Scripts"
risk_score = 73
rule_id = "2d62889e-e758-4c5e-b57e-c735914ee32a"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: System",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender for Endpoint",
    "Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.action == "start" and
  process.name : ("powershell.exe", "pwsh.exe") and
  process.parent.name : ("wscript.exe", "cscript.exe", "mshta.exe") and
   (
   process.args_count == 1 or
   process.command_line :
             ("*^*^*^*^*^*^*^*^*^*",
              "*''*''*''*",
              "*`*`*`*`*",
              "*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*",
              "*+*+*+*+*+*",
              "*$*$*$*$*",
              "*[char[]](*)*-join",
              "*Base64String*",
              "*[*Convert]*",
              "*.Text.Encoding*",
              "*.Compression.*",
              "*.replace(*",
              "*MemoryStream*",
              "*WriteAllBytes*",
              "* -en* *",
              "* -ec *",
              "* -e *",
              "* -ep *",
              "* /e *",
              "* /en* *",
              "* /ec *",
              "* /ep *",
              "*WebClient*",
              "*DownloadFile*",
              "*DownloadString*",
              "*BitsTransfer*",
              "*Invoke-Exp*",
              "*invoke-web*",
              "*iex*",
              "*iwr*",
              "*Reflection.Assembly*",
              "*Assembly.GetType*",
              "*.Sockets.*",
              "*Add-MpPreference*ExclusionPath*",
              "*raw.githubusercontent*")
   ) and

   /* many legit PowerShell commands use those non-shortened execution flags; the Sync-AppvPublishingServer lolbas is excepted from this exclusion */
   not (process.args : ("-EncodedCommand", "Import-Module*", "-NonInteractive") and
        process.args : "-ExecutionPolicy" and not process.args : "Sync-AppvPublishingServer") and

   /* third party installation related FPs */
   not ?process.parent.args : "?:\\Windows\\system32\\gatherNetworkInfo.vbs" and
   not (?process.parent.args : "Microsoft.SystemCenter.ICMPProbe.WithConsecutiveSamples.vbs" and process.args : "Get-SCOMAgent") and
   not (process.command_line : "*WEBLOGIC_ARGS_CURRENT_1.DATA*" and ?process.parent.command_line : "*Impact360*") and
   not process.args :  "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers;*" and
   not process.command_line : ("*.Access.IdentityReference*win32_SID.SID*", "*AGIAbQB4AC0AYQBwAC4AcwAzAC4AdQBzAC0AZQBhAHMAd*") and
   not (?process.parent.args : "?:\\Users\\Prestige\\AppData\\Local\\Temp\\Rar$*\\KMS_VL_ALL_AIO.cmd  -elevated" and process.command_line : "*KMS_VL_ALL_AIO.cmd*") and
   not process.args : "iwr https://*.s3.us-east-1.amazonaws.com/scripts/Start-SpeedTest.ps1 -UserAgent * -UseBasicParsing | invoke-expression" and
   not (process.parent.name : "wscript.exe" and
        ?process.parent.args : "C:\\Program Files (x86)\\Telivy\\Telivy Agent\\telivy.js")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious PowerShell Execution via Windows Scripts

PowerShell, a powerful scripting language in Windows, is often targeted by adversaries for executing malicious scripts. Attackers exploit Windows Script Host processes like cscript or wscript to launch PowerShell with obfuscated commands, evading detection. The detection rule identifies such suspicious activity by monitoring PowerShell executions with specific patterns and parent processes, while filtering out known legitimate use cases to reduce false positives.

### Possible investigation steps

- Review the process command line and arguments to identify any obfuscation patterns or suspicious commands, such as Base64 encoding or web requests, that match the query's suspicious patterns.
- Examine the parent process details, specifically focusing on wscript.exe, cscript.exe, or mshta.exe, to determine if the PowerShell execution was initiated by a legitimate script or a potentially malicious one.
- Check the process execution context, including the user account and host, to assess if the activity aligns with expected behavior for that user or system.
- Investigate any network connections or file downloads initiated by the PowerShell process, especially those involving external IP addresses or domains, to identify potential data exfiltration or further malicious activity.
- Correlate the alert with other security events or logs from the same host or user to identify any preceding or subsequent suspicious activities that could indicate a broader attack campaign.

### False positive analysis

- Legitimate PowerShell commands using non-shortened execution flags may trigger false positives. To manage this, exclude processes with arguments like "-EncodedCommand", "Import-Module*", and "-NonInteractive" unless they are associated with suspicious activity.
- Third-party installation scripts, such as those related to Microsoft System Center or WebLogic, can cause false positives. Exclude these by filtering out specific parent process arguments or command lines, such as "Microsoft.SystemCenter.ICMPProbe.WithConsecutiveSamples.vbs" and "WEBLOGIC_ARGS_CURRENT_1.DATA".
- Routine administrative tasks, like gathering network information, may be flagged. Exclude known scripts like "gatherNetworkInfo.vbs" from detection to prevent unnecessary alerts.
- Exclude specific user scripts or tools that are known to be safe, such as those located in user directories like "C:\\Users\\Prestige\\AppData\\Local\\Temp\\Rar$*\\KMS_VL_ALL_AIO.cmd" if they are verified as non-malicious.
- Regularly review and update exclusion lists to ensure they reflect current legitimate activities and do not inadvertently allow new threats.

### Response and remediation

- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
- Terminate any suspicious PowerShell processes identified by the alert to stop ongoing malicious execution.
- Conduct a thorough review of the affected system's PowerShell execution logs to identify any additional malicious scripts or commands that may have been executed.
- Remove any malicious scripts or files identified during the investigation from the system to prevent re-execution.
- Restore the system from a known good backup if any critical system files or configurations have been altered by the malicious activity.
- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique.subtechnique]]
id = "T1059.005"
name = "Visual Basic"
reference = "https://attack.mitre.org/techniques/T1059/005/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
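Added example, not Elastic's code: a small Python re-implementation of the rule's core EQL logic, run over constructed process-start events to show which ones fire and why the unabbreviated-flag exclusion exists. It assumes flattened ECS field names, covers only a subset of the rule's command-line wildcards, and implements just the first of the rule's false-positive exclusions.

```python
import re

PARENTS = ("wscript.exe", "cscript.exe", "mshta.exe")
CHILDREN = ("powershell.exe", "pwsh.exe")
# Subset of the rule's command_line wildcards (obfuscation, encoding, download cradles)
SUSPICIOUS_CMDLINE = ("*^*^*^*^*^*^*^*^*^*", "*[char[]](*)*-join", "*Base64String*", "*[*Convert]*",
                      "* -en* *", "* -ec *", "* -e *", "*DownloadString*", "*iex*", "*iwr*")
LONG_FLAGS = ("-EncodedCommand", "Import-Module*", "-NonInteractive")

def eql_like(value, pattern):
    """EQL `:` semantics: case-insensitive; `*` and `?` are the only wildcards, `[` is literal."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value or "", re.IGNORECASE | re.DOTALL) is not None

def any_like(values, patterns):
    """`field : (p1, p2)` on a scalar or array field: true if any value matches any pattern."""
    values = values if isinstance(values, list) else [values]
    return any(eql_like(v, p) for v in values for p in patterns)

def matches_rule(ev):
    """True when the event would trigger the rule (with its first false-positive exclusion)."""
    if ev.get("event.action") != "start" or ev.get("host.os.type") != "windows":
        return False
    if not (any_like(ev.get("process.name"), CHILDREN) and any_like(ev.get("process.parent.name"), PARENTS)):
        return False
    args = ev.get("process.args", [])
    if len(args) != 1 and not any_like(ev.get("process.command_line"), SUSPICIOUS_CMDLINE):
        return False
    # Unabbreviated flags plus -ExecutionPolicy are typical of legitimate scripts (Sync-AppvPublishingServer excepted)
    if (any_like(args, LONG_FLAGS) and any_like(args, ["-ExecutionPolicy"])
            and not any_like(args, ["Sync-AppvPublishingServer"])):
        return False
    return True

def _event(parent, args):  # constructed process-start event using the rule's flattened field names
    return {"host.os.type": "windows", "event.action": "start", "process.name": args[0],
            "process.parent.name": parent, "process.args": args, "process.command_line": " ".join(args)}

# Constructed sample events; the encoded payload is a placeholder, not real telemetry
SAMPLES = {
    "encoded_from_wscript": _event("wscript.exe", ["powershell.exe", "-nop", "-w", "hidden", "-e", "PLACEHOLDER=="]),
    "bare_shell_from_mshta": _event("mshta.exe", ["powershell.exe"]),
    "installer_base64_excluded": _event("cscript.exe", ["powershell.exe", "-NonInteractive", "-ExecutionPolicy",
        "Bypass", "-Command", "[Convert]::ToBase64String((Get-Content cert.cer -Encoding Byte))"]),
    "explorer_parent_out_of_scope": _event("explorer.exe", ["powershell.exe", "-e", "PLACEHOLDER=="]),
}

def evaluate(samples=SAMPLES):
    """Return {sample_name: fires} for every constructed event."""
    return {name: matches_rule(ev) for name, ev in samples.items()}
```

The installer sample matches the "*Base64String*" wildcard yet does not fire, which is exactly the case the rule's first exclusion is written for; the bare interactive shell fires on args_count == 1 alone.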
