Cscript/Wscript Potentially Suspicious Child Process
Detects potentially suspicious child processes of Wscript/Cscript. These include rundll32 invoked with uncommon exports, or cmd/PowerShell spawning rundll32, regsvr32, msiexec or mshta. Malware families such as Pikabot and Qakbot, among many others, have been seen using similar techniques.
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: selection_parent
or:
ParentImage|endswith: '\cscript.exe'
ParentImage|endswith: '\wscript.exe'
Stage 2: selection_cli_standalone
Image|endswith: '\rundll32.exe'
Stage 3: selection_cli_script_main
or:
Image|endswith: '\cmd.exe'
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
Stage 4: 1 of selection_cli_script_option_mshta
all of:
CommandLine|contains: http
CommandLine|contains: mshta
Stage 5: 1 of selection_cli_script_option_other
or:
CommandLine|contains: msiexec
CommandLine|contains: regsvr32
CommandLine|contains: rundll32
Stage 6: not 1 of filter_main_rundll32_known_exports
Image|endswith: '\rundll32.exe'
or:
CommandLine|contains: ClearMyTracksByProcess
CommandLine|contains: PrintUIEntry
CommandLine|contains: UpdatePerUserSystemParameters
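The stages above, evaluated in Python over constructed process-creation events. This is an added example, not code from the Sigma rule or its catalog page; how the stages combine into one condition is an assumption read from the rendered stages, since the page does not print the rule's condition line.

```python
# Added example (not the rule's own code). Assumed combination of stages:
# parent AND (standalone OR (script_main AND (mshta option OR other option)))
# AND NOT the known-exports filter. Matching is case-insensitive, as Sigma's
# endswith/contains modifiers are by default.

SCRIPT_HOSTS = ("\\cscript.exe", "\\wscript.exe")        # selection_parent
STANDALONE = ("\\rundll32.exe",)                         # selection_cli_standalone
SCRIPT_MAIN = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
OPTION_MSHTA_ALL = ("http", "mshta")                     # both must be present
OPTION_OTHER_ANY = ("msiexec", "regsvr32", "rundll32")
KNOWN_EXPORTS = ("ClearMyTracksByProcess", "PrintUIEntry",
                 "UpdatePerUserSystemParameters")        # filter_main_rundll32_known_exports


def ends_with_any(value, suffixes):
    return any(value.lower().endswith(s.lower()) for s in suffixes)


def contains_any(value, needles):
    return any(n.lower() in value.lower() for n in needles)


def matches(event):
    """True when one process-creation event satisfies the rule logic."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    cli = event.get("CommandLine", "")
    standalone = ends_with_any(image, STANDALONE)
    script_main = ends_with_any(image, SCRIPT_MAIN)
    option_mshta = all(n in cli.lower() for n in OPTION_MSHTA_ALL)
    option_other = contains_any(cli, OPTION_OTHER_ANY)
    known_exports = standalone and contains_any(cli, KNOWN_EXPORTS)  # benign rundll32 uses
    return (ends_with_any(parent, SCRIPT_HOSTS)
            and (standalone or (script_main and (option_mshta or option_other)))
            and not known_exports)


# Constructed sample events (not real telemetry); expected: True, False, True, False.
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\System32\\wscript.exe", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\Public\\sample.dll,Entry"},
    {"ParentImage": "C:\\Windows\\System32\\wscript.exe", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe printui.dll,PrintUIEntry /in /n \\\\print\\q"},
    {"ParentImage": "C:\\Windows\\System32\\cscript.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c regsvr32 /s C:\\Users\\Public\\sample.ocx"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c regsvr32 /s C:\\Users\\Public\\sample.ocx"},
]


def evaluate(events=SAMPLE_EVENTS):
    return [matches(e) for e in events]
```

The second event shows the filter at work: rundll32 under wscript is otherwise an alert, but the PrintUIEntry export is excluded as a known benign use.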
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| CommandLine | match | http, mshta, msiexec, regsvr32, rundll32, ClearMyTracksByProcess, PrintUIEntry, UpdatePerUserSystemParameters |
| Image | ends_with | \rundll32.exe, \cmd.exe, \powershell.exe, \pwsh.exe |
| ParentImage | ends_with | \cscript.exe, \wscript.exe |