{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/script/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["initial-access","execution","windows","powershell","script"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies PowerShell execution initiated by Windows Script Host processes (cscript.exe or wscript.exe). Attackers often use Windows Script Host (WSH) to execute malicious scripts as an initial access method. These scripts can act as droppers for second-stage payloads or download tools and utilities necessary for further compromise. The rule focuses on the parent-child process relationship between WSH and PowerShell, highlighting a common technique used to bypass security controls and execute arbitrary commands on a compromised system. This activity is relevant to defenders as it represents a potential entry point for various attacks, including malware deployment and data exfiltration. \nThe detection logic is based on process execution events observed in Windows environments and is designed to work with data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user receives a phishing email with a malicious attachment (e.g., a .vbs or .js file).\u003c/li\u003e\n\u003cli\u003eThe user opens the attachment, which is processed by either wscript.exe or cscript.exe.\u003c/li\u003e\n\u003cli\u003eThe scripting engine executes the embedded malicious code.\u003c/li\u003e\n\u003cli\u003eThe script downloads a PowerShell script from a remote server or contains an embedded, obfuscated PowerShell command.\u003c/li\u003e\n\u003cli\u003eThe script uses wscript.exe or cscript.exe to launch powershell.exe to execute the downloaded or embedded PowerShell script.\u003c/li\u003e\n\u003cli\u003ePowerShell executes, performing malicious actions such as downloading additional payloads, modifying system settings, or establishing persistence.\u003c/li\u003e\n\u003cli\u003ePowerShell attempts to connect to external command-and-control servers to receive further instructions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the system and can proceed with lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to initial access, allowing attackers to deploy malware, steal sensitive information, or perform other malicious activities. The impact can range from data breaches and financial losses to reputational damage. The severity depends on the attacker\u0026rsquo;s objectives and the level of access they gain. \nThe number of affected systems depends on the scope of the phishing campaign or other initial access methods used to deliver the malicious script.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the necessary event data for the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate process execution chains where cscript.exe or wscript.exe spawn powershell.exe using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eImplement email security measures to block phishing emails with script attachments.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from PowerShell processes for suspicious outbound traffic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-script-powershell-execution/","summary":"Detection of PowerShell processes launched by cscript.exe or wscript.exe, indicative of potential malicious initial access or execution attempts.","title":"Suspicious PowerShell Execution via Windows Script Host","url":"https://feed.craftedsignal.io/briefs/2024-01-script-powershell-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":true,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["execution","script","temp"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies suspicious script executions originating from temporary directories. Threat actors often leverage temporary folders to stage and execute malicious scripts, such as PowerShell, VBScript, or even HTML applications (MSHTA) to evade detection or bypass security controls. \nThese scripts can be delivered through various means, including phishing attacks, drive-by downloads, or as part of a multi-stage malware infection. The execution of scripts from temporary directories is generally uncommon for legitimate software, making it a valuable indicator of potentially malicious activity. This detection focuses on identifying processes like powershell.exe, pwsh.exe, mshta.exe, wscript.exe, and cscript.exe executing from or referencing standard temporary paths in their command line.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious script (e.g., PowerShell, VBScript) is downloaded or dropped into a temporary directory such as \u003ccode\u003eC:\\Windows\\Temp\u003c/code\u003e, \u003ccode\u003e\\AppData\\Local\\Temp\u003c/code\u003e, or similar.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a process like \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e to invoke the downloaded script.\u003c/li\u003e\n\u003cli\u003eThe script executes, potentially performing reconnaissance, privilege escalation, or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe script may download additional payloads from a remote server.\u003c/li\u003e\n\u003cli\u003eThe script establishes persistence through registry modification or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe script performs malicious actions such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to remove the initial script files to cover their tracks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a range of consequences, including data theft, system compromise, and ransomware infection. \nThe execution of malicious scripts from temporary directories can provide attackers with a foothold in the network, allowing them to move laterally, escalate privileges, and ultimately achieve their objectives. Depending on the script\u0026rsquo;s capabilities, it could also lead to system instability or denial of service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Script Execution From Temp Folder\u0026rdquo; to your SIEM to detect script execution from temporary directories. Tune the rule\u0026rsquo;s filters for known-good software installers in your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the necessary information for the Sigma rule (logsource: process_creation).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process and the script\u0026rsquo;s actions.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of scripts from temporary directories where possible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:30:00Z","date_published":"2024-01-02T14:30:00Z","id":"/briefs/2024-01-script-exec-temp/","summary":"This brief covers a detection for suspicious script execution, such as PowerShell, WScript, or MSHTA, originating from common temporary directories, potentially indicating malware activity.","title":"Suspicious Script Execution from Temporary Directory","url":"https://feed.craftedsignal.io/briefs/2024-01-script-exec-temp/"}],"language":"en","title":"CraftedSignal Threat Feed — Script","version":"https://jsonfeed.org/version/1.1"}