valitydev/atomic-threat-coverage
14
0
Fork 0
mirror of https://github.com/valitydev/atomic-threat-coverage.git synced 2024-11-06 09:35:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6fdfa69789
atomic-threat-coverage/Atomic_Threat_Coverage/Detection_Rules/win_susp_script_execution.md
sn0w0tter fbcac39414 URL to subtechniques fixed
2020-10-07 00:26:25 +02:00

5.7 KiB
Raw Blame History

Title WSF/JSE/JS/VBA/VBE File Execution
Description Detects suspicious file execution by wscript and cscript
ATT&CK Tactic
ATT&CK Technique
Data Needed
Trigger
Severity Level medium
False Positives
  • Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.
Development Status experimental
References There are no documented References for this Detection Rule yet
Author Michael Haag

Detection Rules

Sigma rule

title: WSF/JSE/JS/VBA/VBE File Execution
id: 1e33157c-53b1-41ad-bbcc-780b80b58288
status: experimental
description: Detects suspicious file execution by wscript and cscript
author: Michael Haag
date: 2019/01/16
modified: 2020/08/28
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1064      # an old one     
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        CommandLine|contains:
            - '.jse'
            - '.vbe'
            - '.js'
            - '.vba'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.
level: medium

powershell

Get-WinEvent | where {(($_.message -match "Image.*.*\\\\wscript.exe" -or $_.message -match "Image.*.*\\\\cscript.exe") -and ($_.message -match "CommandLine.*.*.jse.*" -or $_.message -match "CommandLine.*.*.vbe.*" -or $_.message -match "CommandLine.*.*.js.*" -or $_.message -match "CommandLine.*.*.vba.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message

es-qs

(winlog.event_data.Image.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND winlog.event_data.CommandLine.keyword:(*.jse* OR *.vbe* OR *.js* OR *.vba*))

xpack-watcher

curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/1e33157c-53b1-41ad-bbcc-780b80b58288 <<EOF\n{\n  "metadata": {\n    "title": "WSF/JSE/JS/VBA/VBE File Execution",\n    "description": "Detects suspicious file execution by wscript and cscript",\n    "tags": [\n      "attack.execution",\n      "attack.t1059.005",\n      "attack.t1059.007",\n      "attack.t1064"\n    ],\n    "query": "(winlog.event_data.Image.keyword:(*\\\\\\\\wscript.exe OR *\\\\\\\\cscript.exe) AND winlog.event_data.CommandLine.keyword:(*.jse* OR *.vbe* OR *.js* OR *.vba*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(winlog.event_data.Image.keyword:(*\\\\\\\\wscript.exe OR *\\\\\\\\cscript.exe) AND winlog.event_data.CommandLine.keyword:(*.jse* OR *.vbe* OR *.js* OR *.vba*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": [\n          "winlogbeat-*"\n        ]\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "throttle_period": "15m",\n      "email": {\n        "profile": "standard",\n        "from": "root@localhost",\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'WSF/JSE/JS/VBA/VBE File Execution\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n

graylog

(Image.keyword:(*\\\\wscript.exe *\\\\cscript.exe) AND CommandLine.keyword:(*.jse* *.vbe* *.js* *.vba*))

splunk

((Image="*\\\\wscript.exe" OR Image="*\\\\cscript.exe") (CommandLine="*.jse*" OR CommandLine="*.vbe*" OR CommandLine="*.js*" OR CommandLine="*.vba*")) | table CommandLine,ParentCommandLine

logpoint

(Image IN ["*\\\\wscript.exe", "*\\\\cscript.exe"] CommandLine IN ["*.jse*", "*.vbe*", "*.js*", "*.vba*"])

grep

grep -P '^(?:.*(?=.*(?:.*.*\\wscript\\.exe|.*.*\\cscript\\.exe))(?=.*(?:.*.*\\.jse.*|.*.*\\.vbe.*|.*.*\\.js.*|.*.*\\.vba.*)))'