Cscript/Wscript Potentially Suspicious Child Process

Status: test
Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
Source: github.com/SigmaHQ/sigma

Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.

Rule body (YAML)

title: Cscript/Wscript Potentially Suspicious Child Process
id: b6676963-0353-4f88-90f5-36c20d443c6a
status: test
description: |
    Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.
    Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
references:
    - Internal Research
    - https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_30.10.2023.txt
    - https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_22.12.2023.txt
author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
date: 2023-05-15
modified: 2024-01-02
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
    selection_cli_script_main:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    # Note: Add other combinations that are suspicious
    selection_cli_script_option_mshta:
        CommandLine|contains|all:
            - 'mshta'
            - 'http'
    selection_cli_script_option_other:
        CommandLine|contains:
            - 'rundll32'
            - 'regsvr32'
            - 'msiexec'
    selection_cli_standalone:
        Image|endswith: '\rundll32.exe'
    filter_main_rundll32_known_exports:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            - 'UpdatePerUserSystemParameters'
            - 'PrintUIEntry'
            - 'ClearMyTracksByProcess'
    condition: selection_parent and ( selection_cli_standalone or (selection_cli_script_main and 1 of selection_cli_script_option_*) ) and not 1 of filter_main_*
falsepositives:
    - Some false positives might occur with admin or third party software scripts. Investigate and apply additional filters accordingly.
level: medium

Stages and Predicates

Stage 0: condition

selection_parent and ( selection_cli_standalone or (selection_cli_script_main and 1 of selection_cli_script_option_*) ) and not 1 of filter_main_*

Stage 1: selection_parent

selection_parent:
    ParentImage|endswith:
        - '\wscript.exe'
        - '\cscript.exe'

Stage 2: selection_cli_standalone

selection_cli_standalone:
    Image|endswith: '\rundll32.exe'

Stage 3: selection_cli_script_main

selection_cli_script_main:
    Image|endswith:
        - '\cmd.exe'
        - '\powershell.exe'
        - '\pwsh.exe'

Stage 4: selection_cli_script_option_mshta

selection_cli_script_option_mshta:
    CommandLine|contains|all:
        - 'mshta'
        - 'http'

Stage 5: selection_cli_script_option_other

selection_cli_script_option_other:
    CommandLine|contains:
        - 'rundll32'
        - 'regsvr32'
        - 'msiexec'

Stage 6: not filter_main_rundll32_known_exports

filter_main_rundll32_known_exports:
    Image|endswith: '\rundll32.exe'
    CommandLine|contains:
        - 'UpdatePerUserSystemParameters'
        - 'PrintUIEntry'
        - 'ClearMyTracksByProcess'
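To make the condition above concrete, here is a small evaluator that walks the same stages over a handful of process_creation events. This is an added example and not the SigmaHQ rule engine or any code from the rule's authors: it approximates Sigma's default case-insensitive `endswith`/`contains` matching with `.lower()`, does not handle wildcards, and the sample events (including the command lines and paths in them) are constructed for illustration.

```python
"""Evaluate the Sigma condition

    selection_parent and ( selection_cli_standalone
      or (selection_cli_script_main and 1 of selection_cli_script_option_*) )
      and not 1 of filter_main_*

over dict-shaped process_creation events (ParentImage, Image, CommandLine).
Added example; not the SigmaHQ engine. String matching is case-insensitive,
mirroring Sigma's default for these modifiers."""


def _ends_with(value, suffixes):
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value, needles):
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)


def _contains_all(value, needles):
    v = (value or "").lower()
    return all(n.lower() in v for n in needles)


# Values copied from the rule body above.
PARENT_SCRIPT_HOSTS = ["\\wscript.exe", "\\cscript.exe"]
CLI_SCRIPT_MAIN = ["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe"]
OPTION_OTHER = ["rundll32", "regsvr32", "msiexec"]
RUNDLL32_KNOWN_EXPORTS = [
    "UpdatePerUserSystemParameters",
    "PrintUIEntry",
    "ClearMyTracksByProcess",
]


def matches(event):
    """Return True when the event satisfies the rule's condition."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    cli = event.get("CommandLine", "")

    selection_parent = _ends_with(parent, PARENT_SCRIPT_HOSTS)
    selection_cli_standalone = _ends_with(image, ["\\rundll32.exe"])
    selection_cli_script_main = _ends_with(image, CLI_SCRIPT_MAIN)
    # "1 of selection_cli_script_option_*" is an OR over the two option selections.
    option_mshta = _contains_all(cli, ["mshta", "http"])
    option_other = _contains_any(cli, OPTION_OTHER)
    # "1 of filter_main_*": only one filter exists, so this is that filter alone.
    filter_known_exports = _ends_with(image, ["\\rundll32.exe"]) and _contains_any(
        cli, RUNDLL32_KNOWN_EXPORTS
    )

    return (
        selection_parent
        and (selection_cli_standalone or (selection_cli_script_main and (option_mshta or option_other)))
        and not filter_known_exports
    )


# Constructed sample events (not real telemetry). Paths and arguments are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\sample.dll,Entry"},            # rundll32 child, unknown export
    {"id": 2, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe user32.dll,UpdatePerUserSystemParameters"},     # suppressed by the known-export filter
    {"id": 3, "ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c regsvr32 /s C:\Users\Public\sample.ocx"},     # script host -> PowerShell -> regsvr32
    {"id": 4, "ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c mshta C:\local\page.hta"},                           # mshta without 'http': no match
    {"id": 5, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\sample.dll,Entry"},            # parent is not a script host
    {"id": 6, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo hello"},                                         # benign cmd child
]


def run(events=SAMPLE_EVENTS):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    print(run())  # [1, 3]
```

Event 4 is the instructive one: `selection_cli_script_option_mshta` uses `contains|all`, so `mshta` on its own is not enough and the command line must also contain `http`. Event 2 shows the filter doing its job, which is why the Exclusions section below lists the three export names as suppressed values.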

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Stage  Field        Kind       Excluded values
6      CommandLine  match      ClearMyTracksByProcess
6      CommandLine  match      PrintUIEntry
6      CommandLine  match      UpdatePerUserSystemParameters
6      Image        ends_with  \rundll32.exe

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field        Kind       Values
CommandLine  match
  • http corpus 38 (sigma 34, chronicle 2, elastic 1, splunk 1)
  • mshta corpus 14 (sigma 14)
  • msiexec corpus 6 (sigma 6)
  • regsvr32 corpus 15 (sigma 15)
  • rundll32 corpus 26 (sigma 23, chronicle 2, kusto 1)
Image        ends_with
  • \cmd.exe corpus 134 (sigma 134)
  • \powershell.exe corpus 186 (sigma 186)
  • \pwsh.exe corpus 172 (sigma 172)
  • \rundll32.exe corpus 103 (sigma 103)
ParentImage  ends_with
  • \cscript.exe corpus 18 (sigma 18)
  • \wscript.exe corpus 20 (sigma 20)