Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Office Apps Launching Wscipt

Office Apps Launching Wscipt

Back
Id174de33b-107b-4cd8-a85d-b4025a35453f
RulenameOffice Apps Launching Wscipt
DescriptionThis query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated.

Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command-and-control (C2) operations.

Trickbot is frequently spread through email. An attacker will send a target a message with an attachment containing a malicious macro. If the target enables the macro, it will write a JScript Encoded (JSE) file to disk (JScript is a Microsoft dialect of ECMAScript). The JSE file will then be launched using wscript.exe to perform a variety of malicious tasks, particularly reconnaissance.

The following query detects when Office applications have launched wscript.exe to run a JSE file.

See Detect rundll.exe being used for reconnaissance and command-and-control for another query related to Trickbot activity.

Reference - https://attack.mitre.org/software/S0266/
SeverityMedium
TacticsExecution
Collection
CommandAndControl
TechniquesT1059
T1105
T1203
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Execution/OfficeAppsLaunchingWscript.yaml
Version1.0.0
Arm template174de33b-107b-4cd8-a85d-b4025a35453f.json
Deploy To Azure
DeviceProcessEvents 
| where InitiatingProcessFileName in~ ('winword.exe', 'excel.exe', 'outlook.exe') 
| where FileName =~ "wscript.exe" and ProcessCommandLine has ".jse"
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

tactics:
- Execution
- Collection
- CommandAndControl
query: |
  DeviceProcessEvents 
  | where InitiatingProcessFileName in~ ('winword.exe', 'excel.exe', 'outlook.exe') 
  | where FileName =~ "wscript.exe" and ProcessCommandLine has ".jse"
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection
name: Office Apps Launching Wscipt
tags:
- Trickbot
- JSE
- Office Applications
kind: Scheduled
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Execution/OfficeAppsLaunchingWscript.yaml
triggerThreshold: 0
description: |
  This query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated.
  Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command-and-control (C2) operations.
  Trickbot is frequently spread through email. An attacker will send a target a message with an attachment containing a malicious macro. If the target enables the macro, it will write a JScript Encoded (JSE) file to disk (JScript is a Microsoft dialect of ECMAScript). The JSE file will then be launched using wscript.exe to perform a variety of malicious tasks, particularly reconnaissance.
  The following query detects when Office applications have launched wscript.exe to run a JSE file.
  See Detect rundll.exe being used for reconnaissance and command-and-control for another query related to Trickbot activity.
  Reference - https://attack.mitre.org/software/S0266/  
version: 1.0.0
status: Available
queryFrequency: 1h
severity: Medium
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
- entityType: Process
  fieldMappings:
  - identifier: ProcessId
    columnName: ProcessId
  - identifier: CommandLine
    columnName: ProcessCommandLine
triggerOperator: gt
id: 174de33b-107b-4cd8-a85d-b4025a35453f
relevantTechniques:
- T1059
- T1105
- T1203