Script Interpreter Execution From Suspicious Folder

Detects a suspicious script execution in temporary folders or folders accessible by environment variables

Sigma rule

title: Script Interpreter Execution From Suspicious Folder
id: 1228c958-e64e-4e71-92ad-7d429f4138ba
status: test
description: Detects a suspicious script execution in temporary folders or folders accessible by environment variables
references:
    - https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military
    - https://learn.microsoft.com/en-us/windows/win32/shell/csidl
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022/02/08
modified: 2023/06/16
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_proc_image:
        Image|endswith:
            - '\cscript.exe'
            - '\mshta.exe'
            - '\wscript.exe'
    selection_proc_flags:
        CommandLine|contains:
            - ' -ep bypass '
            - ' -ExecutionPolicy bypass '
            - ' -w hidden '
            - '/e:javascript '
            - '/e:Jscript '
            - '/e:vbscript '
    selection_proc_original:
        OriginalFileName:
            - 'cscript.exe'
            - 'mshta.exe'
            - 'wscript.exe'
    selection_folders_1:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\Temp'
            - '\Temporary Internet'
            - '\Windows\Temp'
    selection_folders_2:
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
    condition: 1 of selection_proc_* and 1 of selection_folders_*
falsepositives:
    - Unknown
level: high
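To see how the condition combines the selections, here is an added example (not part of the Sigma project or this rule's sources) that evaluates the rule's logic over a few constructed process_creation events. It assumes Sigma's default case-insensitive string matching and that the three fields used are Image, CommandLine and OriginalFileName; the third event shows why the OriginalFileName selection matters for a renamed interpreter.

```python
# Added example (not part of the Sigma project): a minimal evaluator for the
# rule above, run over constructed process_creation events. Sigma string
# modifiers are case-insensitive, so every comparison is done lower-cased.
SELECTION_PROC = {
    "image_suffixes": ["\\cscript.exe", "\\mshta.exe", "\\wscript.exe"],
    "cmdline_flags": [" -ep bypass ", " -executionpolicy bypass ", " -w hidden ",
                      "/e:javascript ", "/e:jscript ", "/e:vbscript "],
    "original_names": ["cscript.exe", "mshta.exe", "wscript.exe"],
}
FOLDERS_1 = [":\\perflogs\\", ":\\users\\public\\", "\\appdata\\local\\temp",
             "\\appdata\\roaming\\temp", "\\temporary internet", "\\windows\\temp"]
FOLDERS_2_ALL = [[":\\users\\", "\\favorites\\"], [":\\users\\", "\\favourites\\"],
                 [":\\users\\", "\\contacts\\"]]

def _lc(event, field):
    return str(event.get(field, "")).lower()

def proc_selected(event):
    """1 of selection_proc_*: image name, interpreter flags, or OriginalFileName."""
    image, cmd, orig = _lc(event, "Image"), _lc(event, "CommandLine"), _lc(event, "OriginalFileName")
    return (any(image.endswith(s) for s in SELECTION_PROC["image_suffixes"])
            or any(f in cmd for f in SELECTION_PROC["cmdline_flags"])
            or orig in SELECTION_PROC["original_names"])

def folder_selected(event):
    """1 of selection_folders_*: a single suspicious path, or a contains|all group."""
    cmd = _lc(event, "CommandLine")
    return (any(p in cmd for p in FOLDERS_1)
            or any(all(p in cmd for p in group) for group in FOLDERS_2_ALL))

def rule_matches(event):
    # condition: 1 of selection_proc_* and 1 of selection_folders_*
    return proc_selected(event) and folder_selected(event)

# Constructed sample process_creation events (not real telemetry)
EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\Public\update.vbs"'},          # alert
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy C:\Users\Public\a.txt C:\Temp"},     # no interpreter
    {"Image": r"C:\Program Files\Tool\tool.exe", "OriginalFileName": "mshta.exe",
     "CommandLine": r"tool.exe C:\Users\bob\Favorites\x.hta"},              # renamed mshta.exe
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Scripts\login.vbs"},                   # benign folder
]

def alerts(events=EVENTS):
    """Indices of events that would raise this rule."""
    return [i for i, e in enumerate(events) if rule_matches(e)]
```

Running `alerts()` returns `[0, 2]`: the first and third events satisfy both halves of the condition, while the second has a suspicious folder but no interpreter and the fourth has an interpreter but a non-listed folder.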
