Script Interpreter Execution From Suspicious Folder
Detects suspicious script execution from suspicious directories or folders accessible by environment variables that may indicate malware activity. Script interpreters (cscript, wscript, mshta, powershell) executing from folders like Temp, Public, or user profile directories may suggest attempts to evade detection or execute malicious scripts.
Sigma rule (View on GitHub)
title: Script Interpreter Execution From Suspicious Folder
id: 1228c958-e64e-4e71-92ad-7d429f4138ba
status: test
description: |
    Detects suspicious script execution from suspicious directories or folders accessible by environment variables that may indicate malware activity.
    Script interpreters (cscript, wscript, mshta, powershell) executing from folders like Temp, Public, or user profile directories may suggest attempts to evade detection or execute malicious scripts.
references:
    - https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military
    - https://learn.microsoft.com/en-us/windows/win32/shell/csidl
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-08
modified: 2026-02-17
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_proc_image:
        Image|endswith:
            - '\cscript.exe'
            - '\mshta.exe'
            - '\wscript.exe'
    selection_proc_flags:
        CommandLine|contains:
            - ' -ep bypass '
            - ' -ExecutionPolicy bypass '
            - ' -w hidden '
            - '/e:javascript '
            - '/e:Jscript '
            - '/e:vbscript '
    selection_proc_original:
        OriginalFileName:
            - 'cscript.exe'
            - 'mshta.exe'
            - 'wscript.exe'
    selection_folders_1:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\%Public%'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\Temp'
            - '\Temporary Internet'
            - '\Windows\Temp'
            - '\Start Menu\Programs\Startup\'
            - '%TEMP%'
            - '%TMP%'
            - '%LocalAppData%\Temp'
    selection_folders_2:
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Favorites\'
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Favourites\'
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Contacts\'
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Documents\'
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Music\'
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Pictures\'
        - CommandLine|contains|all:
            - ':\Users\'
            - '\Videos\'
    filter_optional_chocolatey_installer:
        ParentImage:
            - 'C:\Windows\System32\Msiexec.exe'
            - 'C:\Windows\SysWOW64\Msiexec.exe'
        Image|endswith: '\powershell.exe'
        CommandLine|contains|all:
            - '-NoProfile -ExecutionPolicy Bypass -Command'
            - 'AppData\Local\Temp\'
            - 'Install-Chocolatey.ps1'
    condition: 1 of selection_proc_* and 1 of selection_folders_* and not 1 of filter_optional_*
falsepositives:
    - Various legitimate software have been observed to use similar techniques for installation or update purposes; thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
level: high
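To make the condition concrete before tuning it, the rule's three selection groups and its filter are re-implemented below in plain Python and run over a handful of constructed process_creation events. This is an added illustration, not code from the Sigma project or the rule's authors; the helper names (contains, endswith, matches_rule, evaluate) and every sample event (hosts, user names, script names) are made up for the example. It mirrors Sigma's default case-insensitive string matching and shows which group fires for each event, including the powershell case that matches only via a flag and the msiexec-spawned Chocolatey install that the optional filter suppresses.

```python
# Plain-Python re-implementation of the rule's condition (added example, not Sigma tooling).
# Selection strings are copied from the rule; Python escaping doubles each backslash.
PROC_IMAGE_SUFFIXES = ["\\cscript.exe", "\\mshta.exe", "\\wscript.exe"]
PROC_FLAG_SUBSTRINGS = [
    " -ep bypass ", " -ExecutionPolicy bypass ", " -w hidden ",
    "/e:javascript ", "/e:Jscript ", "/e:vbscript ",
]
PROC_ORIGINAL_NAMES = ["cscript.exe", "mshta.exe", "wscript.exe"]
FOLDERS_1 = [
    ":\\Perflogs\\", ":\\Users\\Public\\", "\\%Public%", "\\AppData\\Local\\Temp",
    "\\AppData\\Roaming\\Temp", "\\Temporary Internet", "\\Windows\\Temp",
    "\\Start Menu\\Programs\\Startup\\", "%TEMP%", "%TMP%", "%LocalAppData%\\Temp",
]
# selection_folders_2: each entry pairs ':\Users\' with one profile subfolder.
PROFILE_SUBFOLDERS = [
    "\\Favorites\\", "\\Favourites\\", "\\Contacts\\", "\\Documents\\",
    "\\Music\\", "\\Pictures\\", "\\Videos\\",
]
CHOCO_PARENTS = ["C:\\Windows\\System32\\Msiexec.exe", "C:\\Windows\\SysWOW64\\Msiexec.exe"]
CHOCO_CMDLINE_ALL = [
    "-NoProfile -ExecutionPolicy Bypass -Command", "AppData\\Local\\Temp\\", "Install-Chocolatey.ps1",
]


# Sigma string modifiers compare case-insensitively unless |cased is given.
def contains(value, needle):
    return needle.lower() in value.lower()


def endswith(value, suffix):
    return value.lower().endswith(suffix.lower())


def equals(value, expected):
    return value.lower() == expected.lower()


def selection_proc(ev):
    """1 of selection_proc_*: interpreter image, interpreter flags, or original file name."""
    return (
        any(endswith(ev.get("Image", ""), s) for s in PROC_IMAGE_SUFFIXES)
        or any(contains(ev.get("CommandLine", ""), f) for f in PROC_FLAG_SUBSTRINGS)
        or any(equals(ev.get("OriginalFileName", ""), n) for n in PROC_ORIGINAL_NAMES)
    )


def selection_folders(ev):
    """1 of selection_folders_*: a temp/public path, or a profile subfolder under :\\Users\\."""
    cmd = ev.get("CommandLine", "")
    if any(contains(cmd, f) for f in FOLDERS_1):
        return True
    return contains(cmd, ":\\Users\\") and any(contains(cmd, s) for s in PROFILE_SUBFOLDERS)


def filter_chocolatey(ev):
    """filter_optional_chocolatey_installer: parent, image and all three command-line parts must agree."""
    return (
        any(equals(ev.get("ParentImage", ""), p) for p in CHOCO_PARENTS)
        and endswith(ev.get("Image", ""), "\\powershell.exe")
        and all(contains(ev.get("CommandLine", ""), s) for s in CHOCO_CMDLINE_ALL)
    )


def matches_rule(ev):
    """condition: 1 of selection_proc_* and 1 of selection_folders_* and not 1 of filter_optional_*"""
    return selection_proc(ev) and selection_folders(ev) and not filter_chocolatey(ev)


# Constructed sample events (hypothetical users and file names, not real telemetry).
SAMPLE_EVENTS = [
    {   # interpreter launched from the Public folder: selection_proc_image + selection_folders_1
        "id": "wscript_public", "Image": "C:\\Windows\\System32\\wscript.exe",
        "OriginalFileName": "wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "\"C:\\Windows\\System32\\wscript.exe\" C:\\Users\\Public\\update.vbs"},
    {   # powershell is not in selection_proc_image; it matches only via the ' -ep bypass ' flag
        "id": "powershell_temp_bypass", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE", "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "powershell.exe -ep bypass -File %TEMP%\\stage.ps1"},
    {   # same interpreter, flag and Temp path, but suppressed by the Chocolatey installer filter
        "id": "chocolatey_installer", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE", "ParentImage": "C:\\Windows\\System32\\Msiexec.exe",
        "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \"& 'C:\\Users\\alice\\AppData\\Local\\Temp\\chocolatey\\Install-Chocolatey.ps1'\""},
    {   # interpreter running a script from System32: no folder selection fires, so no alert
        "id": "cscript_system32", "Image": "C:\\Windows\\System32\\cscript.exe",
        "OriginalFileName": "cscript.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cscript.exe C:\\Windows\\System32\\slmgr.vbs /dli"},
    {   # user-profile Documents folder: selection_folders_2
        "id": "wscript_documents", "Image": "C:\\Windows\\System32\\wscript.exe",
        "OriginalFileName": "wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "wscript.exe C:\\Users\\bob\\Documents\\invoice.js"},
]


def evaluate(events):
    """Map each event id to whether the rule would alert on it."""
    return {ev["id"]: matches_rule(ev) for ev in events}


if __name__ == "__main__":
    for event_id, hit in evaluate(SAMPLE_EVENTS).items():
        print(("ALERT " if hit else "ok    ") + event_id)
```

Running the block prints one line per event; three alert and two do not. The filter is deliberately strict (parent, image and all three command-line fragments), which is the shape a site-specific exclusion should keep when the falsepositives note above is acted on: loosening it to a single substring would also exempt any script that merely mentions the installer's file name.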
Related rules
- BPFDoor Abnormal Process ID or Lock File Accessed
- Shai-Hulud Malware Indicators - Linux
- Shai-Hulud Malware Indicators - Windows
- Suspicious ArcSOC.exe Child Process
- Linux Suspicious Child Process from Node.js - React2Shell