Csc.EXE Execution Form Potentially Suspicious Parent

Severity: high
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
Source: upstream

Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059.005` Command and Scripting Interpreter: Visual Basic, `T1059.007` Command and Scripting Interpreter: JavaScript
Defense Evasion	`T1027.004` Obfuscated Files or Information: Compile After Delivery, `T1218.005` System Binary Proxy Execution: Mshta

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `selection_img`

or:
Image|endswith: '\csc.exe'
OriginalFileName: csc.exe

Stage 2: `1 of selection_parent_generic`

or:
ParentImage|endswith: '\cscript.exe'
ParentImage|endswith: '\excel.exe'
ParentImage|endswith: '\mshta.exe'
ParentImage|endswith: '\onenote.exe'
ParentImage|endswith: '\outlook.exe'
ParentImage|endswith: '\powerpnt.exe'
ParentImage|endswith: '\winword.exe'
ParentImage|endswith: '\wscript.exe'

Stage 3: `1 of selection_parent_powershell`

or:
ParentCommandLine|contains: '-Encoded '
ParentCommandLine|contains: FromBase64String
or:
ParentImage|endswith: '\powershell.exe'
ParentImage|endswith: '\pwsh.exe'

Stage 4: `1 of selection_parent_susp_location`

or:
ParentCommandLine|contains: ':\Users\'
ParentCommandLine|contains: '\Contacts\'
ParentCommandLine|contains: ':\Users\'
ParentCommandLine|contains: '\Favorites\'
ParentCommandLine|contains: ':\Users\'
ParentCommandLine|contains: '\Favourites\'
ParentCommandLine|contains: ':\Users\'
ParentCommandLine|contains: '\Pictures\'
ParentCommandLine|contains: ':\PerfLogs\'
ParentCommandLine|contains: ':\Users\Public\'
ParentCommandLine|contains: ':\Windows\Temp\'
ParentCommandLine|contains: '\Temporary Internet'
ParentCommandLine|re: '([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'

Stage 5: `not 1 of filter_main_*`

or:
ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe'
ParentImage: 'C:\Windows\System32\sdiagnhost.exe'
ParentImage|startswith: 'C:\Program Files (x86)\'
ParentImage|startswith: 'C:\Program Files\'

Stage 6: `not 1 of filter_optional_*`

or:
ParentCommandLine|contains: 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
ParentCommandLine|contains: 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
ParentCommandLine|contains: 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
ParentImage: 'C:\ProgramData\chocolatey\choco.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\csc.exe` corpus 5 (sigma 5)
`OriginalFileName`	eq	`csc.exe`
`ParentCommandLine`	match	`-Encoded` `:\PerfLogs\` `:\Users\` corpus 3 (sigma 3) `:\Users\Public\` corpus 2 (sigma 2) `:\Windows\Temp\` corpus 2 (sigma 2) `FromBase64String` `JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw` corpus 2 (sigma 2) `\Contacts\` corpus 2 (sigma 2) `\Favorites\` corpus 2 (sigma 2) `\Favourites\` corpus 2 (sigma 2) `\Pictures\` `\ProgramData\Microsoft\Windows Defender Advanced Threat Protection` corpus 2 (sigma 2) `\Temporary Internet` corpus 2 (sigma 2) `cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA` corpus 2 (sigma 2) `nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA` corpus 2 (sigma 2)
`ParentCommandLine`	regex_match	`([Pp]rogram[Dd]ata\|%([Ll]ocal)?[Aa]pp[Dd]ata%\|\\[Aa]pp[Dd]ata\\([Ll]ocal([Ll]ow)?\|[Rr]oaming))\\[^\\]{1,256}$`
`ParentImage`	ends_with	`\cscript.exe` corpus 14 (sigma 14) `\excel.exe` corpus 2 (sigma 2) `\mshta.exe` corpus 10 (sigma 10) `\onenote.exe` corpus 3 (sigma 3) `\outlook.exe` corpus 4 (sigma 4) `\powerpnt.exe` `\powershell.exe` corpus 16 (sigma 16) `\pwsh.exe` corpus 16 (sigma 16) `\winword.exe` `\wscript.exe` corpus 14 (sigma 14)
`ParentImage`	eq	`C:\ProgramData\chocolatey\choco.exe` corpus 2 (sigma 2) `C:\Windows\System32\inetsrv\w3wp.exe` corpus 2 (sigma 2) `C:\Windows\System32\sdiagnhost.exe` corpus 2 (sigma 2)
`ParentImage`	starts_with	`C:\Program Files (x86)\` corpus 2 (sigma 2) `C:\Program Files\` corpus 2 (sigma 2)

Csc.EXE Execution Form Potentially Suspicious Parent

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: selection_img

Stage 2: 1 of selection_parent_generic

Stage 3: 1 of selection_parent_powershell

Stage 4: 1 of selection_parent_susp_location

Stage 5: not 1 of filter_main_*