The hypothesis is that the detection of Office applications launching a script may indicate the presence of Trickbot malware attempting to execute malicious payloads through legitimate Office processes. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate Trickbot infections early, as this technique is commonly used by the malware to evade detection and maintain persistence.
KQL Query
DeviceProcessEvents
| where InitiatingProcessFileName in~('winword.exe', 'excel.exe', 'outlook.exe')
| where FileName =~ "wscript.exe" and ProcessCommandLine has ".jse"
id: 1d438d7a-be4b-4bee-a116-fac9a2a621c7
name: office-apps-launching-wscipt
description: |
This query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated.
Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command-and-control (C2) operations.
Trickbot is frequently spread through email. An attacker will send a target a message with an attachment containing a malicious macro. If the target enables the macro, it will write a JScript Encoded (JSE) file to disk (JScript is a Microsoft dialect of ECMAScript). The JSE file will then be launched using wscript.exe to perform a variety of malicious tasks, particularly reconnaissance.
The following query detects when Office applications have launched wscript.exe to run a JSE file.
See Detect rundll.exe being used for reconnaissance and command-and-control for another query related to Trickbot activity.
Reference - https://attack.mitre.org/software/S0266/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
tactics:
- Lateral movement
- Collection
- Command and control
query: |
DeviceProcessEvents
| where InitiatingProcessFileName in~('winword.exe', 'excel.exe', 'outlook.exe')
| where FileName =~ "wscript.exe" and ProcessCommandLine has ".jse"
| Sentinel Table | Notes |
|---|---|
DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled Task for Microsoft Word Macro Execution
Description: A legitimate scheduled task runs a Word document with macros as part of an automated report generation process.
Filter/Exclusion: process.parent_process_name != "schtasks.exe" or process.name != "WINWORD.EXE"
Scenario: Admin Using PowerShell to Launch Word Document
Description: A system administrator uses PowerShell to open a Word document for editing, which triggers the detection due to the script execution.
Filter/Exclusion: process.parent_process_name != "powershell.exe" or process.name != "WINWORD.EXE"
Scenario: Office 365 Add-in Launching Word Document
Description: A legitimate Office 365 add-in opens a Word document as part of a collaboration workflow.
Filter/Exclusion: process.name != "WINWORD.EXE" or process.parent_process_name != "OUTLOOK.EXE"
Scenario: Windows Task Scheduler Running Word Macro
Description: A Windows Task Scheduler job is configured to run a Word macro for automated data processing.
Filter/Exclusion: process.parent_process_name != "taskhostw.exe" or process.name != "WINWORD.EXE"
Scenario: User Launching Word via Shortcut with Script
Description: A user clicks on a shortcut that launches Word and runs a script for document automation.
Filter/Exclusion: process.name != "WINWORD.EXE" or process.parent_process_name != "explorer.exe"