Windows Script Execution from Archive

  1[metadata]
  2creation_date = "2025/08/20"
  3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
  4maturity = "production"
  5updated_date = "2026/05/04"
  6
  7
  8[rule]
  9author = ["Elastic"]
 10description = """
 11Identifies attempts to execute Jscript/Vbscript files from an archive file. The use of archives is a common delivery method
 12of malicious scripts.
 13"""
 14
 15from = "now-9m"
 16index = [
 17    "endgame-*",
 18    "logs-crowdstrike.fdr*",
 19    "logs-endpoint.events.process-*",
 20    "logs-m365_defender.event-*",
 21    "logs-sentinel_one_cloud_funnel.*",
 22    "logs-system.security*",
 23    "logs-windows.forwarded*",
 24    "logs-windows.sysmon_operational-*",
 25    "winlogbeat-*",
 26]
 27language = "eql"
 28license = "Elastic License v2"
 29name = "Windows Script Execution from Archive"
 30references = ["https://medium.com/walmartglobaltech/smartapesg-4605157a5b80"]
 31risk_score = 47
 32rule_id = "30f9d940-7d55-4fff-a8b9-4715d20eb204"
 33severity = "medium"
 34tags = [
 35    "Domain: Endpoint",
 36    "OS: Windows",
 37    "Use Case: Threat Detection",
 38    "Tactic: Execution",
 39    "Resources: Investigation Guide",
 40    "Data Source: Elastic Endgame",
 41    "Data Source: Elastic Defend",
 42    "Data Source: Windows Security Event Logs",
 43    "Data Source: Microsoft Defender XDR",
 44    "Data Source: Sysmon",
 45    "Data Source: SentinelOne",
 46    "Data Source: Crowdstrike",
 47]
 48timestamp_override = "event.ingested"
 49type = "eql"
 50
 51query = '''
 52process where host.os.type == "windows" and event.type == "start" and process.name : "wscript.exe" and
 53 process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe") and
 54 process.args :
 55        ("?:\\Users\\*\\AppData\\Local\\Temp\\7z*\\*",
 56         "?:\\Users\\*\\AppData\\Local\\Temp\\*.zip.*\\*",
 57         "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*\\*",
 58         "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*\\*",
 59         "?:\\Users\\*\\AppData\\Local\\Temp\\BNZ.*")
 60'''
 61
 62setup = """## Setup
 63
 64This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
 65
 66Setup instructions: https://ela.st/install-elastic-defend
 67
 68### Additional data sources
 69
 70This rule also supports the following third-party data sources. For setup instructions, refer to the links below:
 71
 72- [CrowdStrike](https://ela.st/crowdstrike-integration)
 73- [Microsoft Defender XDR](https://ela.st/m365-defender)
 74- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
 75- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
 76- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
 77"""
 78
 79note = """## Triage and analysis
 80
 81> **Disclaimer**:
 82> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 83
 84### Investigating Windows Script Execution from Archive
 85
 86Windows scripts, often used for legitimate automation tasks, can be exploited by adversaries to execute malicious code. Attackers may download scripts via browsers or file utilities, then execute them using scripting tools like wscript or mshta. The detection rule identifies such threats by monitoring script creation from internet sources and subsequent execution, focusing on unusual parent-child process relationships and script attributes.
 87
 88### Possible investigation steps
 89
 90- Review the file creation event to identify the specific script file that was downloaded, noting its name, path, and extension to understand the potential threat.
 91- Examine the origin URL or referrer URL of the downloaded script to determine the source and assess its legitimacy or potential malicious intent.
 92- Investigate the parent process, such as chrome.exe or explorer.exe, to understand how the script was downloaded and whether it aligns with typical user behavior.
 93- Analyze the execution event of the scripting utility (wscript.exe or mshta.exe) to identify the command-line arguments used, which may provide insight into the script's intended actions.
 94- Check the user account associated with the script execution to determine if the activity is expected for that user or if it indicates a compromised account.
 95- Correlate the timing of the script creation and execution events to see if they fall within a suspicious timeframe, such as outside of normal working hours.
 96- Look for any additional related alerts or logs on the host that might indicate further malicious activity or lateral movement following the script execution.
 97
 98### False positive analysis
 99
100- Legitimate script automation tools may trigger this rule if they download and execute scripts from the internet. Users can create exceptions for known safe tools by excluding specific file paths or process names.
101- Software updates or installations that download scripts as part of their process might be flagged. To handle this, users can whitelist specific origin URLs or referrer URLs associated with trusted software vendors.
102- Internal scripts distributed via corporate intranet sites could be misidentified as threats. Users should consider excluding scripts with known internal origin URLs or specific user IDs associated with IT operations.
103- Browser extensions or plugins that automate tasks using scripts may cause false positives. Users can exclude these by identifying and excluding the specific browser process names or file extensions involved.
104- Frequent use of file utilities like winrar or 7zFM for legitimate script handling can be excluded by specifying trusted file paths or user IDs that regularly perform these actions.
105
106### Response and remediation
107
108- Isolate the affected system from the network to prevent further execution of potentially malicious scripts and lateral movement.
109- Terminate any suspicious processes identified in the alert, such as wscript.exe or mshta.exe, to stop the execution of the downloaded script.
110- Quarantine the downloaded script file and any associated files to prevent further execution and facilitate forensic analysis.
111- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or remnants.
112- Review and analyze the origin URL and referrer URL of the downloaded script to identify potential malicious websites or compromised sources, and block these URLs at the network level.
113- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
114- Implement application whitelisting to restrict the execution of unauthorized scripts and scripting utilities, reducing the risk of similar threats in the future."""
115
116
117[[rule.threat]]
118framework = "MITRE ATT&CK"
119
120[[rule.threat.technique]]
121id = "T1059"
122name = "Command and Scripting Interpreter"
123reference = "https://attack.mitre.org/techniques/T1059/"
124
125[[rule.threat.technique.subtechnique]]
126id = "T1059.005"
127name = "Visual Basic"
128reference = "https://attack.mitre.org/techniques/T1059/005/"
129
130[[rule.threat.technique.subtechnique]]
131id = "T1059.007"
132name = "JavaScript"
133reference = "https://attack.mitre.org/techniques/T1059/007/"
134
135[[rule.threat.technique]]
136id = "T1204"
137name = "User Execution"
138reference = "https://attack.mitre.org/techniques/T1204/"
139
140[[rule.threat.technique.subtechnique]]
141id = "T1204.002"
142name = "Malicious File"
143reference = "https://attack.mitre.org/techniques/T1204/002/"
144
145[rule.threat.tactic]
146id = "TA0002"
147name = "Execution"
148reference = "https://attack.mitre.org/tactics/TA0002/"