Office Apps Launching Wscript
This query was originally published in the threat analytics report Trickbot: Pervasive & underestimated.

Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command-and-control (C2) operations.

Trickbot is frequently spread through email. The attacker sends the target a message with an attachment containing a malicious macro. If the target enables the macro, it writes a JScript Encoded (JSE) file to disk (JScript is Microsoft's dialect of ECMAScript). The JSE file is then launched with wscript.exe to perform a variety of malicious tasks, particularly reconnaissance.

The following query detects Office applications launching wscript.exe to run a JSE file. See "Detect rundll.exe being used for reconnaissance and command-and-control" for another query related to Trickbot activity.

Reference: https://attack.mitre.org/software/S0266/
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059 Command and Scripting Interpreter, T1203 Exploitation for Client Execution |
| Command & Control | T1105 Ingress Tool Transfer |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
| Defender-DeviceProcessEvents | 9001000 | Process activity (any) |
Stages and Predicates
Stage 1: source
DeviceProcessEvents
Stage 2: where
InitiatingProcessFileName in ["excel.exe", "outlook.exe", "winword.exe"]
Stage 3: where
FileName eq "wscript.exe" and ProcessCommandLine match ".jse"
Stage 4: extend (no expression given)
Stage 5: extend (no expression given)
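The three predicates above, run over constructed process-creation rows, as an added Python example that is not part of the catalog or of Microsoft's original query. The sample events are invented; the reading of the catalog's `match ".jse"` as a plain substring test is an assumption; and `matches_rule_strict`, which requires the script argument itself to end in `.jse`, is an addition of mine rather than part of the rule. The example also shows why the case sensitivity of the comparison matters: Word's binary is named WINWORD.EXE on disk, so a case-sensitive comparison against "winword.exe" misses it, and an upper-case .JSE extension escapes a case-sensitive substring test.

```python
import re

# Office parents and the script host the rule looks for (taken from the rule's stages).
OFFICE_PARENTS = {"excel.exe", "outlook.exe", "winword.exe"}
SCRIPT_HOST = "wscript.exe"

# Constructed sample rows shaped like DeviceProcessEvents, limited to the three
# fields the rule uses. Not real telemetry: every path and file name is invented.
SAMPLE_EVENTS = [
    # 0: the Trickbot chain; parent recorded with the binary's on-disk upper-case name
    {"InitiatingProcessFileName": "WINWORD.EXE", "FileName": "wscript.exe",
     "ProcessCommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.jse"'},
    # 1: Excel parent, batch flag, upper-case extension
    {"InitiatingProcessFileName": "excel.exe", "FileName": "wscript.exe",
     "ProcessCommandLine": r"wscript.exe //B C:\ProgramData\update.JSE"},
    # 2: Outlook launching a VBScript, not a JSE file
    {"InitiatingProcessFileName": "outlook.exe", "FileName": "wscript.exe",
     "ProcessCommandLine": r"wscript.exe C:\scripts\helper.vbs"},
    # 3: JSE file double-clicked in Explorer, so the parent is not an Office app
    {"InitiatingProcessFileName": "explorer.exe", "FileName": "wscript.exe",
     "ProcessCommandLine": r"wscript.exe C:\Users\bob\run.jse"},
    # 4: cscript.exe instead of wscript.exe, outside this rule's scope
    {"InitiatingProcessFileName": "winword.exe", "FileName": "cscript.exe",
     "ProcessCommandLine": r"cscript.exe C:\temp\x.jse"},
    # 5: ".jse" occurs as a substring, but the file actually run is a .txt
    {"InitiatingProcessFileName": "winword.exe", "FileName": "wscript.exe",
     "ProcessCommandLine": r"wscript.exe C:\temp\notes.jse.txt"},
]


def matches_rule(event, case_insensitive=True):
    """Stages 2 and 3 of the rule as one predicate.

    case_insensitive=True behaves like KQL's in~ / =~ / contains;
    case_insensitive=False behaves like the case-sensitive in / == / contains_cs.
    Assumption: the catalog's `match ".jse"` means "command line contains .jse".
    """
    parent = event["InitiatingProcessFileName"]
    child = event["FileName"]
    cmdline = event["ProcessCommandLine"]
    if case_insensitive:
        parent, child, cmdline = parent.lower(), child.lower(), cmdline.lower()
    return parent in OFFICE_PARENTS and child == SCRIPT_HOST and ".jse" in cmdline


# Stricter command-line predicate (my addition, not part of the rule): a whitespace-
# or quote-delimited argument must end in .jse, so notes.jse.txt does not match.
_JSE_ARG = re.compile(r'(?:^|[\s"])[^\s"]+\.jse(?=[\s"]|$)', re.IGNORECASE)


def matches_rule_strict(event):
    parent = event["InitiatingProcessFileName"].lower()
    child = event["FileName"].lower()
    return (parent in OFFICE_PARENTS and child == SCRIPT_HOST
            and _JSE_ARG.search(event["ProcessCommandLine"]) is not None)


def run_rule(events, predicate=matches_rule):
    """Return the indexes of the events the predicate flags."""
    return [i for i, e in enumerate(events) if predicate(e)]


if __name__ == "__main__":
    variants = [
        ("case-insensitive (in~ / =~ / contains)", matches_rule),
        ("case-sensitive (in / == / contains_cs)",
         lambda e: matches_rule(e, case_insensitive=False)),
        ("strict .jse argument", matches_rule_strict),
    ]
    for name, pred in variants:
        hits = run_rule(SAMPLE_EVENTS, pred)
        print(f"{name}: {hits}")
        for i in hits:
            print("   ", SAMPLE_EVENTS[i]["ProcessCommandLine"])
```

The case-sensitive variant flags only event 5 (the false positive) and misses the two real chains, which is why a production version of this rule should use the case-insensitive KQL operators; the catalog's `in`, `eq` and `match` are taken here to correspond to a membership test, an equality test and a substring test respectively, which is an assumption about the catalog's notation. The strict variant trades the `.jse.txt` false positive for a dependency on the argument being a delimited path, so a command line that hides the extension in a quoted or concatenated argument would need a separate rule.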
Indicators
Each row is a field, operator, and value that the rule matches. In the catalog, a corpus column counts how many other rules look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 shows that the indicator is specific to this rule. No corpus count is shown for this rule.
| Field | Kind | Values |
|---|---|---|
| FileName | eq | "wscript.exe" |
| InitiatingProcessFileName | in | "excel.exe", "outlook.exe", "winword.exe" |
| ProcessCommandLine | match | ".jse" |