Attack Chain

1. A user (unknowingly or through social engineering) executes a malicious script.
2. The malicious script is interpreted by either wscript.exe or cscript.exe.
3. The script executes a LOLBIN such as regsvr32.exe, rundll32.exe, winhlp32.exe, certutil.exe, msbuild.exe, cmd.exe, powershell.exe, pwsh.exe, wmic.exe, or mshta.exe.
4. The LOLBIN executes further commands or downloads additional payloads. Certutil.exe may be used to decode and install malicious binaries.
5. The attacker gains control over the compromised system.
6. The attacker uses the compromised system as a pivot for lateral movement.
7. The attacker attempts to escalate privileges and establish persistence.
8. The attacker may exfiltrate data or deploy ransomware.

Impact

Successful exploitation can lead to complete system compromise, data theft, and potential ransomware deployment. Organizations across various sectors are vulnerable, as this technique is commonly used by both commodity malware and advanced persistent threat (APT) groups. The WhisperGate malware targeting Ukrainian organizations in 2022 demonstrated the destructive potential of this technique.

Recommendation

• Enable Sysmon process creation logging (Event ID 1) and Windows Event Log Security Auditing (4688) to capture process execution events necessary for the provided rules.
• Deploy the Sigma rule Suspicious Child Processes Spawned by WScript or CScript to your SIEM to detect suspicious child processes. Tune the rule based on your environment’s baseline activity, filtering out any legitimate use cases.
• Investigate any alerts generated by this rule, focusing on the parent and child processes involved and the commands executed.
• Monitor endpoint logs for unusual or unexpected process executions originating from WScript or CScript.
• Block execution of the LOLBINs (regsvr32.exe, rundll32.exe, winhlp32.exe, certutil.exe, msbuild.exe, cmd.exe, powershell.exe, pwsh.exe, wmic.exe, or mshta.exe) if they are not required in your environment.