Threat Feed
high advisory

Suspicious Child Processes Spawned by WScript or CScript

Detects suspicious processes spawned by WScript or CScript, a common technique used by adversaries to execute LOLBINs, PowerShell, or inject code into suspended processes for defense evasion.

This detection identifies suspicious child processes spawned by Windows Script Host (WScript) or CScript. Adversaries commonly leverage WScript and CScript to execute malicious scripts, LOLBINs (Living Off The Land Binaries), and PowerShell, or to inject code into suspended processes as a form of defense evasion. While some legitimate scripts may use the tools this analytic watches for, a match is a valuable indicator that a script may be executing suspicious code. Notably, the WhisperGate malware and campaigns by FIN7 have employed similar techniques. This activity has been observed since at least 2022 and remains relevant for defenders.

Attack Chain

  1. A user (unknowingly or through social engineering) executes a malicious script.
  2. The malicious script is interpreted by either wscript.exe or cscript.exe.
  3. The script executes a LOLBIN such as regsvr32.exe, rundll32.exe, winhlp32.exe, certutil.exe, msbuild.exe, cmd.exe, powershell.exe, pwsh.exe, wmic.exe, or mshta.exe.
  4. The LOLBIN executes further commands or downloads additional payloads. Certutil.exe may be used to decode and install malicious binaries.
  5. The attacker gains control over the compromised system.
  6. The attacker uses the compromised system as a pivot for lateral movement.
  7. The attacker attempts to escalate privileges and establish persistence.
  8. The attacker may exfiltrate data or deploy ransomware.

Impact

Successful exploitation can lead to complete system compromise, data theft, and potential ransomware deployment. Organizations across various sectors are vulnerable, as this technique is commonly used by both commodity malware and advanced persistent threat (APT) groups. The WhisperGate malware targeting Ukrainian organizations in 2022 demonstrated the destructive potential of this technique.

Recommendation

  • Enable Sysmon process creation logging (Event ID 1) and Windows Event Log Security Auditing (4688) to capture process execution events necessary for the provided rules.
  • Deploy the Sigma rule Suspicious Child Processes Spawned by WScript or CScript to your SIEM to detect suspicious child processes. Tune the rule based on your environment’s baseline activity, filtering out any legitimate use cases.
  • Investigate any alerts generated by this rule, focusing on the parent and child processes involved and the commands executed.
  • Monitor endpoint logs for unusual or unexpected process executions originating from WScript or CScript.
  • Block execution of the LOLBINs (regsvr32.exe, rundll32.exe, winhlp32.exe, certutil.exe, msbuild.exe, cmd.exe, powershell.exe, pwsh.exe, wmic.exe, or mshta.exe) if they are not required in your environment.
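As an added example that is not part of this advisory or the vendor's Sigma rules, the following Python applies both detections described on this page (the high-severity WSH-to-LOLBIN rule and the narrower certutil.exe rule) to process-creation records. The field names are Sysmon Event ID 1's; the sample events and the KNOWN_GOOD allowlist are constructed to show a mixed-case match, a benign parent, and the tuning step the recommendations call for.

```python
import ntpath

# Parents and LOLBIN children named in the advisory; matched case-insensitively on file name
WSH_PARENTS = {"wscript.exe", "cscript.exe"}
LOLBIN_CHILDREN = {"regsvr32.exe", "rundll32.exe", "winhlp32.exe", "certutil.exe", "msbuild.exe",
                   "cmd.exe", "powershell.exe", "pwsh.exe", "wmic.exe", "mshta.exe"}

def basename(image: str) -> str:
    """Lower-cased file name of an Image/ParentImage value; tolerates '/' separators."""
    return ntpath.basename(image.replace("/", "\\")).lower()

def evaluate(event: dict, allowlist: frozenset = frozenset()) -> list:
    """Apply both rules to one Sysmon Event ID 1 record; returns (severity, technique, parent, child) tuples."""
    parent, child = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    if parent not in WSH_PARENTS or child not in LOLBIN_CHILDREN:
        return []
    if event.get("CommandLine", "") in allowlist:    # site-specific tuning, per the recommendation
        return []
    alerts = [("high", "T1059.005", parent, child)]
    if child == "certutil.exe":                       # second, narrower rule: possible file decoding
        alerts.append(("medium", "T1140", parent, child))
    return alerts

def scan(events, allowlist=frozenset()):
    """Run evaluate() over an iterable of events and flatten the alerts."""
    return [alert for event in events for alert in evaluate(event, allowlist)]

# Constructed sample events (not real telemetry); field names follow Sysmon Event ID 1
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode C:\Users\Public\a.txt C:\Users\Public\a.exe"},
    {"ParentImage": r"C:\Windows\SysWOW64\CSCRIPT.EXE",      # mixed case must still match
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\Users\Public\update.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},                             # benign: parent is not WSH
    {"ParentImage": r"C:\Windows\System32\cscript.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c logon-map.bat"},                   # legitimate logon script, allowlisted
]
KNOWN_GOOD = frozenset({"cmd /c logon-map.bat"})

if __name__ == "__main__":
    for severity, technique, parent, child in scan(SAMPLE_EVENTS, KNOWN_GOOD):
        print(f"[{severity}] {technique}: {parent} -> {child}")
```

Without the allowlist the fourth event also fires, which is exactly the baseline tuning step the recommendations describe.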

Detection coverage (2 rules)

Suspicious Child Processes Spawned by WScript or CScript

high

Detects suspicious child processes spawned by WScript or CScript, which is often indicative of malicious script execution.

Sigma | Tactics: defense_evasion, execution | Techniques: T1059.005 | Sources: process_creation, windows

WScript or CScript spawning certutil.exe

medium

Detects certutil.exe being spawned by wscript or cscript, which can indicate malicious file decoding.

Sigma | Tactics: defense_evasion | Techniques: T1140 | Sources: process_creation, windows
