cscript_via_cmd.yml
forked from splunk/security_content
asset_type: Endpoint
confidence: medium
creation_date: '2017-10-09'
data_metadata:
  data_models:
  - Endpoint
  data_source:
  - Endpoint Intel
  providing_technologies:
  - Carbon Black Response
  - CrowdStrike Falcon
  - Sysmon
  - Tanium
  - Ziften
description: This search looks for the execution of the cscript.exe or wscript.exe
  processes with a parent of cmd.exe. The search returns the count, the first and
  last time this execution was seen on a machine, the user, and the destination
  machine.
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: dest, process_name, parent_process
        rule_description: Potentially malicious script execution detected.
        rule_title: 'Command prompt is executing scripts on $dest$ using $process_name$ '
      risk:
        risk_object: dest
        risk_object_type:
        - system
        risk_score: 50
      schedule:
        cron_schedule: 0 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
      search: '| tstats `security_content_summariesonly` count values(Processes.process) min(_time)
        as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where
        Processes.parent_process="*cmd.exe" (Processes.process_name=cscript.exe OR
        Processes.process_name=wscript.exe) by Processes.parent_process Processes.process_name
        Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      suppress:
        suppress_fields: dest, process_name
        suppress_period: 86400s
eli5: Attackers often leverage various scripting languages to execute their attacks.
  In a Windows environment, the Windows Script Host is the component that interprets
  these scripts and is included in all modern versions of Windows. It is available
  as the command-line tools "cscript.exe" and "wscript.exe". To detect this behavior,
  the search looks for process-creation events for cscript.exe or wscript.exe with a
  parent process of cmd.exe. The search returns the count, the first and last times
  this behavior was seen on a destination machine, and user and process information.
entities:
- dest
- process_name
- user
how_to_implement: To successfully implement this search, you must be ingesting data
  that records process activity from your hosts to populate the Endpoint data model
  in the Processes node. If you are using Sysmon, you must have at least version 6.0.4
  of the Sysmon TA.
id: b89919ed-fe5f-492c-b139-95dbb162039e
investigations:
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
  name: Get Authentication Logs For Endpoint
  type: splunk
- id: fecf2918-670d-4f1c-872b-3d7317a41bf9
  name: Get Parent Process Info
  type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d55
  name: Get Risk Modifiers For User
  type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd71
  name: Get Process Info
  type: splunk
- id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
  name: Get Notable History
  type: splunk
- id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
  name: Get Notable Info
  type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d65
  name: Get Risk Modifiers For Endpoint
  type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
  name: Get User Information from Identity Table
  type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd22
  name: Investigate Web Activity From Host
  type: splunk
known_false_positives: Some legitimate applications may exhibit this behavior.
maintainers:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
mappings:
  cis20:
  - CIS 8
  kill_chain_phases:
  - Exploitation
  mitre_attack:
  - Execution
  - Command-Line Interface
  nist:
  - PR.PT
  - DE.CM
modification_date: '2018-11-02'
name: Detect Use of cmd.exe to Launch Script Interpreters
original_authors:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
references: []
security_domain: endpoint
spec_version: 2
type: splunk
version: '2.0'
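The search and suppress blocks above describe the rule's logic in SPL and Splunk ES configuration. The following is an added example, not Splunk's code and not part of the security_content rule: a stand-alone Python re-implementation of the same logic over constructed Sysmon-style process-creation rows, so the match condition (parent matching `*cmd.exe`, child of cscript.exe or wscript.exe), the `by` aggregation with count, values(process), first and last time, the `$dest$`/`$process_name$` title rendering, and the 86400s suppression keyed on dest and process_name can be run and inspected offline. The sample events, host names and user names are constructed; the `suppress` state dictionary and the `now` argument are assumptions standing in for the scheduled run time and ES's notable-suppression bookkeeping.

```python
"""Re-implementation of the cscript_via_cmd rule's detection and suppression.

Added example; not Splunk's code. Emulates the rule's tstats search and its
suppress block over in-memory rows shaped like Endpoint.Processes fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

# Constructed sample rows (Endpoint.Processes-style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2018-11-02T09:00:00Z", "dest": "ws01", "user": "CORP\\alice",
     "parent_process": "C:\\Windows\\System32\\cmd.exe", "process_name": "cscript.exe",
     "process": "cscript.exe //nologo C:\\scripts\\inventory.vbs"},
    {"_time": "2018-11-02T09:05:00Z", "dest": "ws01", "user": "CORP\\alice",
     "parent_process": "C:\\Windows\\System32\\cmd.exe", "process_name": "cscript.exe",
     "process": "cscript.exe //nologo C:\\scripts\\inventory.vbs"},
    {"_time": "2018-11-02T09:07:00Z", "dest": "ws02", "user": "CORP\\bob",
     "parent_process": "C:\\Windows\\System32\\cmd.exe", "process_name": "wscript.exe",
     "process": "wscript.exe C:\\Users\\bob\\AppData\\Local\\Temp\\update.js"},
    # wscript started by explorer.exe (a double-click), not cmd.exe: must not match
    {"_time": "2018-11-02T09:08:00Z", "dest": "ws02", "user": "CORP\\bob",
     "parent_process": "C:\\Windows\\explorer.exe", "process_name": "wscript.exe",
     "process": "wscript.exe C:\\Users\\bob\\Desktop\\note.vbs"},
    # cmd.exe spawning something other than a script host: must not match
    {"_time": "2018-11-02T09:09:00Z", "dest": "ws03", "user": "CORP\\carol",
     "parent_process": "C:\\Windows\\System32\\cmd.exe", "process_name": "ipconfig.exe",
     "process": "ipconfig /all"},
]

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}   # process_name=cscript.exe OR wscript.exe
PARENT_PATTERN = "*cmd.exe"                     # Processes.parent_process="*cmd.exe"
SUPPRESS_PERIOD = timedelta(seconds=86400)      # suppress_period: 86400s
RULE_TITLE = "Command prompt is executing scripts on $dest$ using $process_name$"


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamps used in the constructed rows."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches(event):
    """The SPL where-clause: parent matches *cmd.exe and the child is a script host."""
    return (fnmatch(event["parent_process"].lower(), PARENT_PATTERN)
            and event["process_name"].lower() in SCRIPT_HOSTS)


def aggregate(events):
    """The tstats: count, values(process), min/max _time by parent, name, user, dest."""
    groups = defaultdict(lambda: {"count": 0, "process": set(), "firstTime": None, "lastTime": None})
    for ev in events:
        if not matches(ev):
            continue
        key = (ev["parent_process"], ev["process_name"], ev["user"], ev["dest"])
        g, t = groups[key], parse_time(ev["_time"])
        g["count"] += 1
        g["process"].add(ev["process"])
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
    return [{"parent_process": p, "process_name": n, "user": u, "dest": d,
             "count": g["count"], "process": sorted(g["process"]),
             "firstTime": g["firstTime"], "lastTime": g["lastTime"]}
            for (p, n, u, d), g in sorted(groups.items())]


def render_title(result):
    """Fill the rule_title tokens the way the notable would display them."""
    return RULE_TITLE.replace("$dest$", result["dest"]).replace("$process_name$", result["process_name"])


def suppress(results, now, state):
    """Emulate suppress_fields dest, process_name for suppress_period.

    `state` (assumed bookkeeping) maps (dest, process_name) to the time the last
    notable fired; a result inside the window is dropped, mirroring how repeated
    hourly hits on the same host/interpreter do not create a new notable per run.
    """
    fired = []
    for r in results:
        key = (r["dest"], r["process_name"])
        last = state.get(key)
        if last is not None and now - last < SUPPRESS_PERIOD:
            continue
        state[key] = now
        fired.append(r)
    return fired


if __name__ == "__main__":
    state = {}
    for r in suppress(aggregate(SAMPLE_EVENTS), parse_time("2018-11-02T10:00:00Z"), state):
        print(render_title(r), "| count", r["count"], "| user", r["user"], "| first", r["firstTime"])
```

Running the module prints one line per aggregated hit (the two cmd.exe-launched script hosts; the explorer.exe-parented wscript and the ipconfig child are filtered out). Calling `suppress` again with the same results an hour later yields nothing, and a call 25 hours later fires both again, which is the behaviour the 86400s suppression window buys the analyst: one notable per host and interpreter per day rather than one per hourly run.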