Cscript/Wscript Potentially Suspicious Child Process
Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
Sigma rule (View on GitHub)
1title: Cscript/Wscript Potentially Suspicious Child Process
2id: b6676963-0353-4f88-90f5-36c20d443c6a
3status: experimental
4description: |
5 Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.
6 Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
7references:
8 - Internal Research
9 - https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt
10 - https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt
11author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
12date: 2023-05-15
13modified: 2024-01-02
14tags:
15 - attack.execution
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_parent:
21 ParentImage|endswith:
22 - '\wscript.exe'
23 - '\cscript.exe'
24 selection_cli_script_main:
25 Image|endswith:
26 - '\cmd.exe'
27 - '\powershell.exe'
28 - '\pwsh.exe'
29 # Note: Add other combinations that are suspicious
30 selection_cli_script_option_mshta:
31 CommandLine|contains|all:
32 - 'mshta'
33 - 'http'
34 selection_cli_script_option_other:
35 CommandLine|contains:
36 - 'rundll32'
37 - 'regsvr32'
38 - 'msiexec'
39 selection_cli_standalone:
40 Image|endswith: '\rundll32.exe'
41 filter_main_rundll32_known_exports:
42 Image|endswith: '\rundll32.exe'
43 CommandLine|contains:
44 - 'UpdatePerUserSystemParameters'
45 - 'PrintUIEntry'
46 - 'ClearMyTracksByProcess'
47 condition: selection_parent and ( selection_cli_standalone or (selection_cli_script_main and 1 of selection_cli_script_option_*) ) and not 1 of filter_main_*
48falsepositives:
49 - Some false positives might occur with admin or third party software scripts. Investigate and apply additional filters accordingly.
50level: medium
References
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AMSI Bypass Pattern Assembly GetType
- APT29 2018 Phishing Campaign CommandLine Indicators
- AWS EC2 Startup Shell Script Change