Suspicious PowerShell Execution via Windows Script Host

hello@craftedsignal.io — Wed, 03 Jan 2024 14:30:00 +0000

This detection identifies PowerShell execution initiated by Windows Script Host processes (cscript.exe or wscript.exe). Attackers often use Windows Script Host (WSH) to execute malicious scripts as an initial access method. These scripts can act as droppers for second-stage payloads or download tools and utilities necessary for further compromise. The rule focuses on the parent-child process relationship between WSH and PowerShell, highlighting a common technique used to bypass security controls and execute arbitrary commands on a compromised system. This activity is relevant to defenders as it represents a potential entry point for various attacks, including malware deployment and data exfiltration. The detection logic is based on process execution events observed in Windows environments and is designed to work with data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.

Attack Chain

The user receives a phishing email with a malicious attachment (e.g., a .vbs or .js file).
The user opens the attachment, which is processed by either wscript.exe or cscript.exe.
The scripting engine executes the embedded malicious code.
The script downloads a PowerShell script from a remote server or contains an embedded, obfuscated PowerShell command.
The script uses wscript.exe or cscript.exe to launch powershell.exe to execute the downloaded or embedded PowerShell script.
PowerShell executes, performing malicious actions such as downloading additional payloads, modifying system settings, or establishing persistence.
PowerShell attempts to connect to external command-and-control servers to receive further instructions.
The attacker gains initial access to the system and can proceed with lateral movement, data exfiltration, or other malicious activities.

Impact

Successful exploitation can lead to initial access, allowing attackers to deploy malware, steal sensitive information, or perform other malicious activities. The impact can range from data breaches and financial losses to reputational damage. The severity depends on the attacker’s objectives and the level of access they gain. The number of affected systems depends on the scope of the phishing campaign or other initial access methods used to deliver the malicious script.

Recommendation

Enable Sysmon process creation logging to capture the necessary event data for the rules below.
Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
Investigate process execution chains where cscript.exe or wscript.exe spawn powershell.exe using the provided Sigma rules.
Implement email security measures to block phishing emails with script attachments.
Monitor network connections originating from PowerShell processes for suspicious outbound traffic.

Suspicious Script Execution from Temporary Directory

hello@craftedsignal.io — Tue, 02 Jan 2024 14:30:00 +0000

This detection identifies suspicious script executions originating from temporary directories. Threat actors often leverage temporary folders to stage and execute malicious scripts, such as PowerShell, VBScript, or even HTML applications (MSHTA) to evade detection or bypass security controls. These scripts can be delivered through various means, including phishing attacks, drive-by downloads, or as part of a multi-stage malware infection. The execution of scripts from temporary directories is generally uncommon for legitimate software, making it a valuable indicator of potentially malicious activity. This detection focuses on identifying processes like powershell.exe, pwsh.exe, mshta.exe, wscript.exe, and cscript.exe executing from or referencing standard temporary paths in their command line.

Attack Chain

A malicious script (e.g., PowerShell, VBScript) is downloaded or dropped into a temporary directory such as C:\Windows\Temp, \AppData\Local\Temp, or similar.
The attacker uses a process like cmd.exe or powershell.exe to invoke the downloaded script.
The script executes, potentially performing reconnaissance, privilege escalation, or lateral movement.
The script may download additional payloads from a remote server.
The script establishes persistence through registry modification or scheduled tasks.
The script performs malicious actions such as data exfiltration or ransomware deployment.
The attacker attempts to remove the initial script files to cover their tracks.

Impact

Successful exploitation can lead to a range of consequences, including data theft, system compromise, and ransomware infection. The execution of malicious scripts from temporary directories can provide attackers with a foothold in the network, allowing them to move laterally, escalate privileges, and ultimately achieve their objectives. Depending on the script’s capabilities, it could also lead to system instability or denial of service.

Recommendation

Deploy the Sigma rule “Suspicious Script Execution From Temp Folder” to your SIEM to detect script execution from temporary directories. Tune the rule’s filters for known-good software installers in your environment to reduce false positives.
Enable process creation logging with command line arguments to capture the necessary information for the Sigma rule (logsource: process_creation).
Investigate any alerts generated by the Sigma rule, focusing on the parent process and the script’s actions.
Implement application control policies to restrict the execution of scripts from temporary directories where possible.

Script — CraftedSignal Threat Feed

Suspicious PowerShell Execution via Windows Script Host

Attack Chain

Impact

Recommendation

Suspicious Script Execution from Temporary Directory

Attack Chain

Impact

Recommendation