Script Interpreter Execution From Suspicious Folder

Severity: high
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects a suspicious script execution in temporary folders or folders accessible by environment variables

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059` Command and Scripting Interpreter

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `1 of selection_proc_image`

or:
Image|endswith: '\cscript.exe'
Image|endswith: '\mshta.exe'
Image|endswith: '\wscript.exe'

Stage 2: `1 of selection_proc_flags`

or:
CommandLine|contains: ' -ExecutionPolicy bypass '
CommandLine|contains: ' -ep bypass '
CommandLine|contains: ' -w hidden '
CommandLine|contains: '/e:Jscript '
CommandLine|contains: '/e:javascript '
CommandLine|contains: '/e:vbscript '

Stage 3: `1 of selection_proc_original`

OriginalFileName: [cscript.exe, mshta.exe, wscript.exe]

Stage 4: `1 of selection_folders_1`

or:
CommandLine|contains: ':\Perflogs\'
CommandLine|contains: ':\Users\Public\'
CommandLine|contains: '\AppData\Local\Temp'
CommandLine|contains: '\AppData\Roaming\Temp'
CommandLine|contains: '\Temporary Internet'
CommandLine|contains: '\Windows\Temp'

Stage 5: `1 of selection_folders_2`

or:
CommandLine|contains: ':\Users\'
CommandLine|contains: '\Contacts\'
CommandLine|contains: ':\Users\'
CommandLine|contains: '\Favorites\'
CommandLine|contains: ':\Users\'
CommandLine|contains: '\Favourites\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`-ExecutionPolicy bypass` `-ep bypass` `-w hidden` corpus 3 (sigma 3) `/e:Jscript` `/e:javascript` `/e:vbscript` `:\Perflogs\` corpus 4 (sigma 4) `:\Users\` corpus 6 (sigma 6) `:\Users\Public\` corpus 14 (sigma 14) `\AppData\Local\Temp` corpus 8 (sigma 8) `\AppData\Roaming\Temp` corpus 2 (sigma 2) `\Contacts\` corpus 6 (sigma 6) `\Favorites\` corpus 6 (sigma 6) `\Favourites\` corpus 6 (sigma 6) `\Temporary Internet` corpus 6 (sigma 6) `\Windows\Temp` corpus 2 (sigma 2)
`Image`	ends_with	`\cscript.exe` corpus 64 (sigma 64) `\mshta.exe` corpus 57 (sigma 57) `\wscript.exe` corpus 64 (sigma 64)
`OriginalFileName`	eq	`cscript.exe` corpus 15 (sigma 15) `mshta.exe` corpus 6 (sigma 6) `wscript.exe` corpus 15 (sigma 15)

Script Interpreter Execution From Suspicious Folder

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: 1 of selection_proc_image

Stage 2: 1 of selection_proc_flags

Stage 3: 1 of selection_proc_original