Detection rules › Sigma

Windows Shell/Scripting Processes Spawning Suspicious Programs

Status
test
Severity
high
Author
Florian Roth (Nextron Systems), Tim Shelton
Source
github.com/SigmaHQ/sigma

Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.

MITRE ATT&CK coverage

Event coverage

ProviderEventTitle
SysmonEvent ID 1Process creation

Rule body yaml

title: Windows Shell/Scripting Processes Spawning Suspicious Programs
id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
status: test
description: Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
references:
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2018-04-06
modified: 2023-05-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.005
    - attack.t1059.001
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            # - '\cmd.exe'  # too many false positives
            - '\rundll32.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\wmiprvse.exe'
            - '\regsvr32.exe'
        Image|endswith:
            - '\schtasks.exe'
            - '\nslookup.exe'
            - '\certutil.exe'
            - '\bitsadmin.exe'
            - '\mshta.exe'
    filter_ccmcache:
        CurrentDirectory|contains: '\ccmcache\'
    filter_amazon:
        ParentCommandLine|contains:
            # FP - Amazon Workspaces
            - '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
            - '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
            - '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
            - '\nessus_' # Tenable/Nessus VA Scanner
    filter_nessus:
        CommandLine|contains: '\nessus_' # Tenable/Nessus VA Scanner
    filter_sccm_install:
        ParentImage|endswith: '\mshta.exe'
        Image|endswith: '\mshta.exe'
        ParentCommandLine|contains|all:
            - 'C:\MEM_Configmgr_'
            - '\splash.hta'
            - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
        CommandLine|contains|all:
            - 'C:\MEM_Configmgr_'
            - '\SMSSETUP\BIN\'
            - '\autorun.hta'
            - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
    condition: selection and not 1 of filter_*
falsepositives:
    - Administrative scripts
    - Microsoft SCCM
level: high

Stages and Predicates

Stage 0: condition

selection and not 1 of filter_*

Stage 1: selection

selection:
    ParentImage|endswith:
        - '\mshta.exe'
        - '\powershell.exe'
        - '\pwsh.exe'
        # - '\cmd.exe'  # too many false positives
        - '\rundll32.exe'
        - '\cscript.exe'
        - '\wscript.exe'
        - '\wmiprvse.exe'
        - '\regsvr32.exe'
    Image|endswith:
        - '\schtasks.exe'
        - '\nslookup.exe'
        - '\certutil.exe'
        - '\bitsadmin.exe'
        - '\mshta.exe'

Stage 2: not filter_*

filter_ccmcache:
    CurrentDirectory|contains: '\ccmcache\'
filter_amazon:
    ParentCommandLine|contains:
        # FP - Amazon Workspaces
        - '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
        - '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
        - '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
        - '\nessus_' # Tenable/Nessus VA Scanner
filter_nessus:
    CommandLine|contains: '\nessus_' # Tenable/Nessus VA Scanner
filter_sccm_install:
    ParentImage|endswith: '\mshta.exe'
    Image|endswith: '\mshta.exe'
    ParentCommandLine|contains|all:
        - 'C:\MEM_Configmgr_'
        - '\splash.hta'
        - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
    CommandLine|contains|all:
        - 'C:\MEM_Configmgr_'
        - '\SMSSETUP\BIN\'
        - '\autorun.hta'
        - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

StageFieldKindExcluded values
2CommandLinematchC:\MEM_Configmgr_
2CommandLinematch\SMSSETUP\BIN\
2CommandLinematch\autorun.hta
2CommandLinematch{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2Imageends_with\mshta.exe
2ParentCommandLinematchC:\MEM_Configmgr_
2ParentCommandLinematch\splash.hta
2ParentCommandLinematch{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2ParentImageends_with\mshta.exe
2CommandLinematch\nessus_
2CurrentDirectorymatch\ccmcache\
2ParentCommandLinematch\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1
2ParentCommandLinematch\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1
2ParentCommandLinematch\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1
2ParentCommandLinematch\nessus_

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imageends_with
  • \bitsadmin.exe corpus 29 (sigma 29)
  • \certutil.exe corpus 44 (sigma 44)
  • \mshta.exe corpus 69 (sigma 69)
  • \nslookup.exe corpus 5 (sigma 5)
  • \schtasks.exe corpus 57 (sigma 57)
ParentImageends_with
  • \cscript.exe corpus 18 (sigma 18)
  • \mshta.exe corpus 14 (sigma 14)
  • \powershell.exe corpus 25 (sigma 25)
  • \pwsh.exe corpus 22 (sigma 22)
  • \regsvr32.exe corpus 12 (sigma 12)
  • \rundll32.exe corpus 17 (sigma 17)
  • \wmiprvse.exe corpus 8 (sigma 8)
  • \wscript.exe corpus 20 (sigma 20)