Excel spawning Windows Script Host

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon/auditing to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This correlation rule identifies suspicious activity where Microsoft Excel launches Windows Script Host. While Excel can use scripts, launching WSH directly is uncommon and might indicate malicious macros or spearphishing attachments trying to execute hidden code.

Data source:

Windows: Network traffic, process, script, file

Relevant MITRE ATT&CK techniques and tactics:

Criteria:

Process name ends with cscript.exe: This condition identifies processes where the filename ends with "cscript.exe". Cscript.exe is the command-line interpreter for WSH and is used to execute scripts written in VBScript or JScript.

Process name ends with wscript.exe: This condition identifies processes where the filename ends with "wscript.exe". Wscript.exe is another WSH interpreter that provides a graphical user interface (GUI) for running scripts.

Parent process name ends with excel.exe: This condition checks if the parent process of the identified process (cscript.exe or wscript.exe) has a filename ending with "excel.exe".

When to enable this rule:

Enable this rule when the user wants to detect suspicious activity in documents or potential malware leveraging Microsoft Office macros. This correlation rule identifies processes where Microsoft Excel launches Windows Script Host (WSH). While Excel can use scripts, directly launching WSH is uncommon and might indicate malicious macros or spearphishing attachments trying to execute hidden code.

Compliance mapping (NIST, CIS):

Enabling this rule will help you comply with the below security standards' requirements:

NIST Cybersecurity Framework (CSF):

• DE.AE-1: Anomalies and Events - Detecting unusual activity that could indicate cybersecurity events, including non-standard parent-child process relationships.
• DE.CM-1: Monitoring Network and Physical Environments - Monitoring systems for signs of unauthorized access or anomalous behavior, such as unexpected parent processes.

CIS Control:

• Control 8 (Malware Defense): Preventing and defending against the execution of malicious code at multiple points in the enterprise, which includes monitoring for and responding to suspicious process spawning.
• Control 6 (Maintenance, Monitoring, and Analysis of Audit Logs): Collecting, managing, and analyzing audit logs to detect unusual activities and indications of potential security incidents, including logs that could signal unauthorized process spawning.

Next steps:

Upon triggering this alert, the following actions can be taken:

• Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assigning the incident to an analyst for in-depth examination.
• Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
• Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.