Cscript/Wscript Potentially Suspicious Child Process

calendar Nov 1, 2024 · attack.execution  ·
Share on: linkedin copy

Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.

Sigma rule (View on GitHub)

 1title: Cscript/Wscript Potentially Suspicious Child Process
 2id: b6676963-0353-4f88-90f5-36c20d443c6a
 3status: test
 4description: |
 5    Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.
 6    Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.    
 7references:
 8    - Internal Research
 9    - https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt
10    - https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt
11author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
12date: 2023-05-15
13modified: 2024-01-02
14tags:
15    - attack.execution
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_parent:
21        ParentImage|endswith:
22            - '\wscript.exe'
23            - '\cscript.exe'
24    selection_cli_script_main:
25        Image|endswith:
26            - '\cmd.exe'
27            - '\powershell.exe'
28            - '\pwsh.exe'
29    # Note: Add other combinations that are suspicious
30    selection_cli_script_option_mshta:
31        CommandLine|contains|all:
32            - 'mshta'
33            - 'http'
34    selection_cli_script_option_other:
35        CommandLine|contains:
36            - 'rundll32'
37            - 'regsvr32'
38            - 'msiexec'
39    selection_cli_standalone:
40        Image|endswith: '\rundll32.exe'
41    filter_main_rundll32_known_exports:
42        Image|endswith: '\rundll32.exe'
43        CommandLine|contains:
44            - 'UpdatePerUserSystemParameters'
45            - 'PrintUIEntry'
46            - 'ClearMyTracksByProcess'
47    condition: selection_parent and ( selection_cli_standalone or (selection_cli_script_main and 1 of selection_cli_script_option_*) ) and not 1 of filter_main_*
48falsepositives:
49    - Some false positives might occur with admin or third party software scripts. Investigate and apply additional filters accordingly.
50level: medium

References

Related rules

to-top