Command and Scripting Interpreter via Windows Scripts
This rule detects the execution of PowerShell, PowerShell ISE, or Cmd spawned from Windows Script Host or MSHTA, indicating potential abuse of scripting interpreters to execute malicious commands or scripts on Windows systems.
This detection identifies instances where PowerShell, PowerShell ISE, or the command interpreter (cmd.exe) are launched from Windows Script Host (wscript.exe) or MSHTA (mshta.exe). These scripting hosts are often leveraged by attackers to execute malicious commands or scripts, bypassing traditional execution controls. The rule aims to detect this behavior by monitoring process creation events, focusing on the parent-child relationship between wscript/mshta and the command interpreters. Legitimate uses, such as specific Intel tasks and auditpol.exe executions, are excluded from the detection logic to reduce false positives. This technique is frequently used in initial access and execution phases of attacks.
Attack Chain
- An attacker gains initial access to the system (e.g., via phishing or exploitation of a vulnerability).
- The attacker uses Windows Script Host (wscript.exe) or MSHTA (mshta.exe) to execute a malicious script.
- The script is designed to launch PowerShell (powershell.exe, pwsh.exe, powershell_ise.exe) or the command interpreter (cmd.exe).
- The PowerShell or cmd.exe process executes commands to download or stage further payloads.
- The downloaded payloads could be malware, scripts, or configuration files needed for lateral movement.
- The attacker uses the staged payloads to establish persistence or escalate privileges.
- The attacker moves laterally within the network to reach valuable targets.
- The ultimate goal is to exfiltrate data, deploy ransomware, or achieve other malicious objectives.
Impact
Successful exploitation can lead to complete system compromise, data exfiltration, ransomware deployment, and disruption of business operations. If attackers successfully use scripting hosts to launch command interpreters, they can bypass security controls and execute arbitrary code. The potential victim count is high, as this technique can be applied across various sectors.
Recommendation
- Deploy the Sigma rule "PowerShell or Cmd Execution via Windows Script Host" to your SIEM and tune it for your environment to detect potential abuse of scripting interpreters.
- Monitor process creation events for wscript.exe or mshta.exe spawning powershell.exe, pwsh.exe, powershell_ise.exe, or cmd.exe, as described in the rule's detection logic.
- Enable Sysmon process creation logging to activate the rule "PowerShell or Cmd Execution via Windows Script Host".
- Investigate any alerts generated by the rule "PowerShell or Cmd Execution via Windows Script Host", focusing on the command-line arguments and the parent process details.
- Consider restricting the use of mshta.exe and Windows Script Host if they are not required for legitimate business operations.
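The parent/child check that the detection logic and the monitoring recommendation describe, written out as an added example rather than the platform's own rule or query: a small Python evaluator run over constructed Sysmon Event ID 1 (process creation) records using the Sysmon field names ParentImage, Image and CommandLine. The page only says that "specific Intel tasks and auditpol.exe executions" are excluded, so the concrete exclusion values below (an auditpol.exe command line and an Intel directory path) are assumptions, not the rule's real filter.

```python
from typing import Dict, Iterable, List

# Sigma-style "|endswith" image lists from the rule description, matched
# case-insensitively against the full path.
PARENT_IMAGE_SUFFIXES = ("\\wscript.exe", "\\mshta.exe")
CHILD_IMAGE_SUFFIXES = (
    "\\powershell.exe",
    "\\pwsh.exe",
    "\\powershell_ise.exe",
    "\\cmd.exe",
)

# Assumed exclusion values: the page names the categories (Intel tasks,
# auditpol.exe) but not the exact filter strings, so these are placeholders.
EXCLUDED_COMMANDLINE_SUBSTRINGS = ("auditpol.exe",)
EXCLUDED_PATH_SUBSTRINGS = ("\\intel\\",)  # assumed placeholder for "Intel tasks"

# Constructed sample events (not data from the original page).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 0: wscript.exe -> powershell.exe, should alert
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\Public\\stage.ps1",
    },
    {   # 1: mshta.exe -> cmd.exe, should alert
        "ParentImage": "C:\\Windows\\System32\\mshta.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    {   # 2: wscript.exe -> cmd.exe running auditpol.exe, excluded (assumed filter)
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c auditpol.exe /get /category:*",
    },
    {   # 3: explorer.exe parent, not a scripting host, no alert
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe",
    },
    {   # 4: wscript.exe spawning a non-interpreter child, no alert
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "CommandLine": "notepad.exe readme.txt",
    },
    {   # 5: mshta.exe -> pwsh.exe under an Intel path, excluded (assumed filter)
        "ParentImage": "C:\\Windows\\System32\\mshta.exe",
        "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "CommandLine": "pwsh.exe -File \"C:\\Program Files\\Intel\\Driver\\check.ps1\"",
    },
]


def _endswith_any(value: str, suffixes: Iterable[str]) -> bool:
    """Case-insensitive equivalent of a Sigma |endswith list."""
    lowered = value.lower()
    return any(lowered.endswith(suffix) for suffix in suffixes)


def is_excluded(event: Dict[str, str]) -> bool:
    """Apply the (assumed) false-positive filters to the command line."""
    cmdline = event.get("CommandLine", "").lower()
    if any(s in cmdline for s in EXCLUDED_COMMANDLINE_SUBSTRINGS):
        return True
    return any(s in cmdline for s in EXCLUDED_PATH_SUBSTRINGS)


def matches_rule(event: Dict[str, str]) -> bool:
    """True when a scripting host spawned a command interpreter and no exclusion applies."""
    if not _endswith_any(event.get("ParentImage", ""), PARENT_IMAGE_SUFFIXES):
        return False
    if not _endswith_any(event.get("Image", ""), CHILD_IMAGE_SUFFIXES):
        return False
    return not is_excluded(event)


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one alert record per matching event, keeping the fields an analyst triages first."""
    alerts: List[Dict[str, object]] = []
    for index, event in enumerate(events):
        if matches_rule(event):
            alerts.append({
                "index": index,
                "parent": event.get("ParentImage", ""),
                "child": event.get("Image", ""),
                "cmdline": event.get("CommandLine", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['index']}] {alert['parent']} -> {alert['child']}: {alert['cmdline']}")
```

The alert record carries the parent image and full command line because those are the two fields the investigation step above tells the analyst to look at first; when tuning, widen the exclusion lists only with the exact command lines you have confirmed as benign rather than with broad substrings.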
Detection coverage (2 rules)
- PowerShell or Cmd Execution via Windows Script Host (severity: high): Detects PowerShell, PowerShell ISE, or Cmd execution spawned from Windows Script Host or MSHTA.
- Cmd execution via Windows Script Host with suspicious arguments (severity: high): Detects Cmd execution spawned from Windows Script Host with suspicious arguments often used for malicious purposes.
Detection queries are kept inside the platform.