Detecting the Office product spawning Windows Script Host

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon/auditing to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This correlation rule flags suspicious activity when a Microsoft Office application (Word, Excel, PowerPoint, etc.) launches Windows Script Host (cscript.exe or wscript.exe). While Office can use scripts, directly launching WSH is uncommon and might indicate malicious macros or spearphishing attachments trying to execute hidden code.

Data source:

Windows: application log, file, process, script

Relevant MITRE ATT&CK techniques and tactics:

Criteria:

Process name ends with wscript.exe OR cscript.exe: This part identifies processes that are specifically wscript.exe or cscript.exe. These are executables used to run Windows Script Files (WSF) or command scripts (.bat, .cmd) respectively.

Parent Process name ends with: This specifies different parent processes that the rule considers suspicious.

When to enable this rule:

Enable this rule when the user wants to detect malicious macro execution or spearphishing attempts. This rule identifies suspicious activity where a Microsoft Office application (Word, Excel, PowerPoint, etc.) launches Windows Script Host (cscript.exe or wscript.exe). While Office can use scripts for legitimate purposes, directly launching WSH is uncommon and might indicate malicious code hidden within macros or attachments trying to execute undetected.

Compliance mapping (NIST, CIS):

Enabling this rule will help you comply with the below security standards' requirements:

NIST Cybersecurity Framework (CSF):

• DE.AE-1: Anomalies and Events - Detecting unusual activity that could indicate cybersecurity events, including non-standard parent-child process relationships.
• DE.CM-1: Monitoring Network and Physical Environments - Monitoring systems for signs of unauthorized access or anomalous behavior, such as unexpected parent processes.

CIS Control:

• Control 8 (Malware Defense): Preventing and defending against the execution of malicious code at multiple points in the enterprise, which includes monitoring for and responding to suspicious process spawning.
• Control 6 (Maintenance, Monitoring, and Analysis of Audit Logs): Collecting, managing, and analyzing audit logs to detect unusual activities and indications of potential security incidents, including logs that could signal unauthorized process spawning.

Next steps:

Upon triggering this alert, the following actions can be taken:

• Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assigning the incident to an analyst for in-depth examination.
• Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
• Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.