Suspicious PowerShell Invocation From Script Engines

Hunt Hypothesis

Detects suspicious powershell invocations from interpreters or unusual programs

Detection Rule

Sigma (Original)

title: Suspicious PowerShell Invocation From Script Engines
id: 95eadcb2-92e4-4ed1-9031-92547773a6db
status: test
description: Detects suspicious powershell invocations from interpreters or unusual programs
references:
    - https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2023-01-05
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    filter_health_service:
        CurrentDirectory|contains: '\Health Service State\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Microsoft Operations Manager (MOM)
    - Other scripts
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (((ParentProcessName endswith "\\wscript.exe" or ParentProcessName endswith "\\cscript.exe") or (ActingProcessName endswith "\\wscript.exe" or ActingProcessName endswith "\\cscript.exe")) and (TargetProcessName endswith "\\powershell.exe" or TargetProcessName endswith "\\pwsh.exe")) and (not(TargetProcessCurrentDirectory contains "\\Health Service State\\"))

Required Data Sources

False Positive Guidance

• Microsoft Operations Manager (MOM)
• Other scripts

MITRE ATT&CK Context

• Tactic: Execution
• Technique: T1059.001 — PowerShell

References

• https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
• SigmaHQ Rule