Execution of a Downloaded Windows Script

  1[metadata]
  2creation_date = "2025/01/31"
  3integration = ["endpoint"]
  4maturity = "production"
  5min_stack_comments = "Mark of The Web enrichment was added to Elastic Defend file events in 8.15.0."
  6min_stack_version = "8.15.0"
  7updated_date = "2025/02/14"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies the creation of a Windows script downloaded from the internet followed by the execution of a scripting utility.
 13Adversaries may use Windows script files for initial access and execution.
 14"""
 15from = "now-9m"
 16index = ["logs-endpoint.events.file-*", "logs-endpoint.events.process-*"]
 17language = "eql"
 18license = "Elastic License v2"
 19name = "Execution of a Downloaded Windows Script"
 20risk_score = 47
 21rule_id = "79543b00-28a5-4461-81ac-644c4dc4012f"
 22severity = "medium"
 23tags = [
 24    "Domain: Endpoint",
 25    "OS: Windows",
 26    "Use Case: Threat Detection",
 27    "Tactic: Execution",
 28    "Data Source: Elastic Defend",
 29    "Resources: Investigation Guide"
 30]
 31timestamp_override = "event.ingested"
 32type = "eql"
 33
 34query = '''
 35sequence by host.id, user.id with maxspan=3m
 36[file where host.os.type == "windows" and event.action == "creation" and user.id != "S-1-5-18" and
 37  process.name : ("chrome.exe", "msedge.exe", "brave.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "explorer.exe", "winrar.exe", "7zFM.exe", "7zG.exe", "Bandizip.exe") and
 38  file.extension in~ ("js", "jse", "vbs", "vbe", "wsh", "hta", "cmd", "bat") and
 39  (file.origin_url != null or file.origin_referrer_url != null)]
 40[process where host.os.type == "windows" and event.type == "start" and
 41 process.parent.name : ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "explorer.exe", "winrar.exe", "7zFM.exe", "7zG.exe", "Bandizip.exe") and 
 42 process.args_count >= 2 and
 43 (
 44  process.name in~ ("wscript.exe", "mshta.exe") or
 45  (process.name : "cmd.exe" and process.command_line : ("*.cmd*", "*.bat*"))
 46  )]
 47'''
 48note = """## Triage and analysis
 49
 50> **Disclaimer**:
 51> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 52
 53### Investigating Execution of a downloaded windows script
 54
 55Windows scripts, often used for legitimate automation tasks, can be exploited by adversaries to execute malicious code. Attackers may download scripts via browsers or file utilities, then execute them using scripting tools like wscript or mshta. The detection rule identifies such threats by monitoring script creation from internet sources and subsequent execution, focusing on unusual parent-child process relationships and script attributes.
 56
 57### Possible investigation steps
 58
 59- Review the file creation event to identify the specific script file that was downloaded, noting its name, path, and extension to understand the potential threat.
 60- Examine the origin URL or referrer URL of the downloaded script to determine the source and assess its legitimacy or potential malicious intent.
 61- Investigate the parent process, such as chrome.exe or explorer.exe, to understand how the script was downloaded and whether it aligns with typical user behavior.
 62- Analyze the execution event of the scripting utility (wscript.exe or mshta.exe) to identify the command-line arguments used, which may provide insight into the script's intended actions.
 63- Check the user account associated with the script execution to determine if the activity is expected for that user or if it indicates a compromised account.
 64- Correlate the timing of the script creation and execution events to see if they fall within a suspicious timeframe, such as outside of normal working hours.
 65- Look for any additional related alerts or logs on the host that might indicate further malicious activity or lateral movement following the script execution.
 66
 67### False positive analysis
 68
 69- Legitimate script automation tools may trigger this rule if they download and execute scripts from the internet. Users can create exceptions for known safe tools by excluding specific file paths or process names.
 70- Software updates or installations that download scripts as part of their process might be flagged. To handle this, users can whitelist specific origin URLs or referrer URLs associated with trusted software vendors.
 71- Internal scripts distributed via corporate intranet sites could be misidentified as threats. Users should consider excluding scripts with known internal origin URLs or specific user IDs associated with IT operations.
 72- Browser extensions or plugins that automate tasks using scripts may cause false positives. Users can exclude these by identifying and excluding the specific browser process names or file extensions involved.
 73- Frequent use of file utilities like winrar or 7zFM for legitimate script handling can be excluded by specifying trusted file paths or user IDs that regularly perform these actions.
 74
 75### Response and remediation
 76
 77- Isolate the affected system from the network to prevent further execution of potentially malicious scripts and lateral movement.
 78- Terminate any suspicious processes identified in the alert, such as wscript.exe or mshta.exe, to stop the execution of the downloaded script.
 79- Quarantine the downloaded script file and any associated files to prevent further execution and facilitate forensic analysis.
 80- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or remnants.
 81- Review and analyze the origin URL and referrer URL of the downloaded script to identify potential malicious websites or compromised sources, and block these URLs at the network level.
 82- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 83- Implement application whitelisting to restrict the execution of unauthorized scripts and scripting utilities, reducing the risk of similar threats in the future."""
 84
 85
 86[[rule.threat]]
 87framework = "MITRE ATT&CK"
 88
 89[[rule.threat.technique]]
 90id = "T1059"
 91name = "Command and Scripting Interpreter"
 92reference = "https://attack.mitre.org/techniques/T1059/"
 93
 94[[rule.threat.technique.subtechnique]]
 95id = "T1059.005"
 96name = "Visual Basic"
 97reference = "https://attack.mitre.org/techniques/T1059/005/"
 98
 99[[rule.threat.technique.subtechnique]]
100id = "T1059.007"
101name = "JavaScript"
102reference = "https://attack.mitre.org/techniques/T1059/007/"
103
104[[rule.threat.technique.subtechnique]]
105id = "T1059.003"
106name = "Windows Command Shell"
107reference = "https://attack.mitre.org/techniques/T1059/003/"
108
109[rule.threat.tactic]
110id = "TA0002"
111name = "Execution"
112reference = "https://attack.mitre.org/tactics/TA0002/"
113
114
115[[rule.threat]]
116framework = "MITRE ATT&CK"
117[[rule.threat.technique]]
118id = "T1218"
119name = "System Binary Proxy Execution"
120reference = "https://attack.mitre.org/techniques/T1218/"
121[[rule.threat.technique.subtechnique]]
122id = "T1218.005"
123name = "Mshta"
124reference = "https://attack.mitre.org/techniques/T1218/005/"
125
126
127
128[rule.threat.tactic]
129id = "TA0005"
130name = "Defense Evasion"
131reference = "https://attack.mitre.org/tactics/TA0005/"