{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.",
  "feed_url": "https://feed.craftedsignal.io/products/cmd/",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_products": ["Microsoft Defender XDR", "Windows Script Host", "MSHTA", "PowerShell", "PowerShell ISE", "Cmd", "Elastic Endgame", "SentinelOne Cloud Funnel", "SUR QUEENCREEK"],
      "_cs_severities": ["high"],
      "_cs_tags": ["execution", "scripting", "windows"],
      "_cs_type": "advisory",
      "_cs_vendors": ["Microsoft", "Intel", "Crowdstrike", "Elastic", "SentinelOne"],
      "content_html": "\u003cp\u003eThis detection identifies instances where PowerShell, PowerShell ISE, or the command interpreter (cmd.exe) are launched from Windows Script Host (wscript.exe) or MSHTA (mshta.exe). These scripting hosts are often leveraged by attackers to execute malicious commands or scripts, bypassing traditional execution controls. The rule aims to detect this behavior by monitoring process creation events, focusing on the parent-child relationship between wscript/mshta and the command interpreters. Legitimate uses, such as specific Intel tasks and auditpol.exe executions, are excluded from the detection logic to reduce false positives. This technique is frequently used in initial access and execution phases of attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., via phishing or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses Windows Script Host (wscript.exe) or MSHTA (mshta.exe) to execute a malicious script.\u003c/li\u003e\n\u003cli\u003eThe script is designed to launch PowerShell (powershell.exe, pwsh.exe, powershell_ise.exe) or the command interpreter (cmd.exe).\u003c/li\u003e\n\u003cli\u003eThe PowerShell or cmd.exe process executes commands to download or stage further payloads.\u003c/li\u003e\n\u003cli\u003eThe downloaded payloads could be malware, scripts, or configuration files needed for lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the staged payloads to establish persistence or escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network to reach valuable targets.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to exfiltrate data, deploy ransomware, or achieve other malicious objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, data exfiltration, ransomware deployment, and disruption of business operations. If attackers successfully use scripting hosts to launch command interpreters, they can bypass security controls and execute arbitrary code. The potential victim count is high, as this technique can be applied across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePowerShell or Cmd Execution via Windows Script Host\u003c/code\u003e to your SIEM and tune for your environment to detect potential abuse of scripting interpreters.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for instances of \u003ccode\u003ewscript.exe\u003c/code\u003e or \u003ccode\u003emshta.exe\u003c/code\u003e spawning \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e, \u003ccode\u003epowershell_ise.exe\u003c/code\u003e, or \u003ccode\u003ecmd.exe\u003c/code\u003e as described in the rule\u0026rsquo;s detection logic.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to activate the rule \u003ccode\u003ePowerShell or Cmd Execution via Windows Script Host\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule \u003ccode\u003ePowerShell or Cmd Execution via Windows Script Host\u003c/code\u003e, focusing on the command line arguments and the parent process details.\u003c/li\u003e\n\u003cli\u003eConsider restricting the use of \u003ccode\u003emshta.exe\u003c/code\u003e and Windows Script Host if they are not required for legitimate business operations.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2024-11-14T12:00:00Z",
      "date_published": "2024-11-14T12:00:00Z",
      "id": "/briefs/2024-11-winscript-interpreter/",
      "summary": "This rule detects the execution of PowerShell, PowerShell ISE, or Cmd spawned from Windows Script Host or MSHTA, indicating potential abuse of scripting interpreters to execute malicious commands or scripts on Windows systems.",
      "title": "Command and Scripting Interpreter via Windows Scripts",
      "url": "https://feed.craftedsignal.io/briefs/2024-11-winscript-interpreter/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — Cmd",
  "version": "https://jsonfeed.org/version/1.1"
}