Windows Shell/Scripting Processes Spawning Suspicious Programs

calendar Oct 18, 2023 · attack.execution attack.defense_evasion attack.t1059.005 attack.t1059.001 attack.t1218  ·
Share on: linkedin copy

Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.

Sigma rule (View on GitHub)

 1title: Windows Shell/Scripting Processes Spawning Suspicious Programs
 2id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
 3status: test
 4description: Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
 5references:
 6    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
 7author: Florian Roth (Nextron Systems), Tim Shelton
 8date: 2018/04/06
 9modified: 2023/05/23
10tags:
11    - attack.execution
12    - attack.defense_evasion
13    - attack.t1059.005
14    - attack.t1059.001
15    - attack.t1218
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        ParentImage|endswith:
22            - '\mshta.exe'
23            - '\powershell.exe'
24            - '\pwsh.exe'
25            # - '\cmd.exe'  # too many false positives
26            - '\rundll32.exe'
27            - '\cscript.exe'
28            - '\wscript.exe'
29            - '\wmiprvse.exe'
30            - '\regsvr32.exe'
31        Image|endswith:
32            - '\schtasks.exe'
33            - '\nslookup.exe'
34            - '\certutil.exe'
35            - '\bitsadmin.exe'
36            - '\mshta.exe'
37    filter_ccmcache:
38        CurrentDirectory|contains: '\ccmcache\'
39    filter_amazon:
40        ParentCommandLine|contains:
41            # FP - Amazon Workspaces
42            - '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
43            - '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
44            - '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
45            - '\nessus_' # Tenable/Nessus VA Scanner
46    filter_nessus:
47        CommandLine|contains: '\nessus_' # Tenable/Nessus VA Scanner
48    filter_sccm_install:
49        ParentImage|endswith: '\mshta.exe'
50        Image|endswith: '\mshta.exe'
51        ParentCommandLine|contains|all:
52            - 'C:\MEM_Configmgr_'
53            - '\splash.hta'
54            - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
55        CommandLine|contains|all:
56            - 'C:\MEM_Configmgr_'
57            - '\SMSSETUP\BIN\'
58            - '\autorun.hta'
59            - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
60    condition: selection and not 1 of filter_*
61fields:
62    - CommandLine
63    - ParentCommandLine
64    - CurrentDirectory
65    - Image
66    - ParentImage
67falsepositives:
68    - Administrative scripts
69    - Microsoft SCCM
70level: high

References

Related rules

to-top