
Suspicious PowerShell Execution via Windows Scripts

Identifies suspicious PowerShell execution spawning from Windows Script Host processes (cscript.exe or wscript.exe).

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-windows.*
  • logs-system.security*
  • logs-windows.sysmon_operational-*
  • logs-sentinel_one_cloud_funnel.*
  • logs-m365_defender.event-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Execution
  • Data Source: System
  • Data Source: Sysmon
  • Data Source: SentinelOne
  • Data Source: Microsoft Defender for Endpoint

Version: 101

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

process where host.os.type == "windows" and event.action == "start" and
  process.name : ("powershell.exe", "pwsh.exe") and
  process.parent.name : ("wscript.exe", "cscript.exe", "mshta.exe") and
   (
   process.args_count == 1 or
   process.command_line :
             ("*^*^*^*^*^*^*^*^*^*",
              "*''*''*''*",
              "*`*`*`*`*",
              "*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*",
              "*+*+*+*+*+*",
              "*$*$*$*$*",
              "*[char[]](*)*-join",
              "*Base64String*",
              "*[*Convert]*",
              "*.Text.Encoding*",
              "*.Compression.*",
              "*.replace(*",
              "*MemoryStream*",
              "*WriteAllBytes*",
              "* -en* *",
              "* -ec *",
              "* -e *",
              "* -ep *",
              "* /e *",
              "* /en* *",
              "* /ec *",
              "* /ep *",
              "*WebClient*",
              "*DownloadFile*",
              "*DownloadString*",
              "*BitsTransfer*",
              "*Invoke-Exp*",
              "*invoke-web*",
              "*iex*",
              "*iwr*",
              "*Reflection.Assembly*",
              "*Assembly.GetType*",
              "*.Sockets.*",
              "*Add-MpPreference*ExclusionPath*",
              "*raw.githubusercontent*")
   ) and

   /* many legitimate PowerShell commands use these non-shortened execution flags; the Sync-AppvPublishingServer LOLBAS case is excluded from this exception */
   not (process.args : ("-EncodedCommand", "Import-Module*", "-NonInteractive") and
        process.args : "-ExecutionPolicy" and not process.args : "Sync-AppvPublishingServer") and

   /* third party installation related FPs */
   not ?process.parent.args : "?:\\Windows\\system32\\gatherNetworkInfo.vbs" and
   not (?process.parent.args : "Microsoft.SystemCenter.ICMPProbe.WithConsecutiveSamples.vbs" and process.args : "Get-SCOMAgent") and
   not (process.command_line : "*WEBLOGIC_ARGS_CURRENT_1.DATA*" and ?process.parent.command_line : "*Impact360*") and
   not process.args :  "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers;*" and
   not process.command_line : ("*.Access.IdentityReference*win32_SID.SID*", "*AGIAbQB4AC0AYQBwAC4AcwAzAC4AdQBzAC0AZQBhAHMAd*") and
   not (?process.parent.args : "?:\\Users\\Prestige\\AppData\\Local\\Temp\\Rar$*\\KMS_VL_ALL_AIO.cmd  -elevated" and process.command_line : "*KMS_VL_ALL_AIO.cmd*") and
   not process.args : "iwr https://*.s3.us-east-1.amazonaws.com/scripts/Start-SpeedTest.ps1 -UserAgent * -UseBasicParsing | invoke-expression" and
   not (process.parent.name : "wscript.exe" and
        ?process.parent.args : "C:\\Program Files (x86)\\Telivy\\Telivy Agent\\telivy.js")
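As an added illustration (not part of the Elastic rule or its documentation), the following Python approximates the rule's core match and its first exclusion over constructed process-start events. The `eql_match` helper stands in for EQL's case-insensitive wildcard `:` operator, the pattern list is an excerpt of the rule's indicators, and the parent-argument exclusions are omitted.

```python
import re

# Approximation of EQL ':' matching: case-insensitive, only '*' and '?' are wildcards,
# everything else (including '[' and ']') is literal; matches any element of an array field.
def _glob(pattern):
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE | re.DOTALL)

def eql_match(value, patterns):
    values = value if isinstance(value, list) else [value]
    return any(_glob(p).match(v) for p in patterns for v in values)

WSH_PARENTS = ("wscript.exe", "cscript.exe", "mshta.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
# Excerpt of the rule's command-line indicators (the full rule lists many more).
SUSPICIOUS_CMDLINE = ("* -e *", "* -en* *", "* -ec *", "*Base64String*", "*[char[]](*)*-join", "*iex*")

def matches_rule(ev):
    """Return True if the constructed process-start event would raise this alert."""
    if ev.get("host.os.type") != "windows" or ev.get("event.action") != "start":
        return False
    if not (eql_match(ev["process.name"], POWERSHELL)
            and eql_match(ev["process.parent.name"], WSH_PARENTS)):
        return False
    args = ev.get("process.args", [])
    # Bare interpreter (args_count == 1) or any obfuscation / encoding / download indicator.
    if not (len(args) == 1 or eql_match(ev.get("process.command_line", ""), SUSPICIOUS_CMDLINE)):
        return False
    # Rule exclusion: long-form flags with -ExecutionPolicy are common in legitimate scripts,
    # except the Sync-AppvPublishingServer LOLBAS case, which stays in scope.
    long_form_flags = (eql_match(args, ("-EncodedCommand", "Import-Module*", "-NonInteractive"))
                       and eql_match(args, ("-ExecutionPolicy",))
                       and not eql_match(args, ("Sync-AppvPublishingServer",)))
    return not long_form_flags

def event(parent, cmdline):
    """Build a constructed ECS-style process-start event from a parent name and command line."""
    args = cmdline.split()
    return {"host.os.type": "windows", "event.action": "start", "process.parent.name": parent,
            "process.name": args[0].lower(), "process.args": args, "process.command_line": cmdline}

# Constructed sample events; <ENCODED> is a placeholder for an encoded argument.
SAMPLES = {
    "short_flag_from_wscript": event("wscript.exe", "powershell.exe -nop -w hidden -e <ENCODED>"),
    "bare_shell_from_mshta": event("mshta.exe", "powershell.exe"),
    "long_flags_excluded": event("cscript.exe",
        "powershell.exe -ExecutionPolicy Bypass -NonInteractive -EncodedCommand <ENCODED>"),
    "not_a_wsh_parent": event("explorer.exe", "powershell.exe -e <ENCODED>"),
}

if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        print(f"{name}: {'ALERT' if matches_rule(ev) else 'no alert'}")
```

The third sample shows why the exclusion exists: it carries an encoding indicator, yet its long-form flags combined with `-ExecutionPolicy` match the false-positive pattern the rule deliberately tolerates.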

Framework: MITRE ATT&CK™
