Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Office Apps Launching Wscipt

Office Apps Launching Wscipt

Back
Id174de33b-107b-4cd8-a85d-b4025a35453f
RulenameOffice Apps Launching Wscipt
DescriptionThis query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated.

Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command-and-control (C2) operations.

Trickbot is frequently spread through email. An attacker will send a target a message with an attachment containing a malicious macro. If the target enables the macro, it will write a JScript Encoded (JSE) file to disk (JScript is a Microsoft dialect of ECMAScript). The JSE file will then be launched using wscript.exe to perform a variety of malicious tasks, particularly reconnaissance.

The following query detects when Office applications have launched wscript.exe to run a JSE file.

See Detect rundll.exe being used for reconnaissance and command-and-control for another query related to Trickbot activity.

Reference - https://attack.mitre.org/software/S0266/
SeverityMedium
TacticsExecution
Collection
CommandAndControl
TechniquesT1059
T1105
T1203
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Execution/OfficeAppsLaunchingWscript.yaml
Version1.0.0
Arm template174de33b-107b-4cd8-a85d-b4025a35453f.json
Deploy To Azure
DeviceProcessEvents 
| where InitiatingProcessFileName in~ ('winword.exe', 'excel.exe', 'outlook.exe') 
| where FileName =~ "wscript.exe" and ProcessCommandLine has ".jse"
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

status: Available
queryFrequency: 1h
id: 174de33b-107b-4cd8-a85d-b4025a35453f
tactics:
- Execution
- Collection
- CommandAndControl
entityMappings:
- fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
  entityType: Host
- fieldMappings:
  - columnName: ProcessId
    identifier: ProcessId
  - columnName: ProcessCommandLine
    identifier: CommandLine
  entityType: Process
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Execution/OfficeAppsLaunchingWscript.yaml
version: 1.0.0
tags:
- Trickbot
- JSE
- Office Applications
description: |
  This query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated.
  Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command-and-control (C2) operations.
  Trickbot is frequently spread through email. An attacker will send a target a message with an attachment containing a malicious macro. If the target enables the macro, it will write a JScript Encoded (JSE) file to disk (JScript is a Microsoft dialect of ECMAScript). The JSE file will then be launched using wscript.exe to perform a variety of malicious tasks, particularly reconnaissance.
  The following query detects when Office applications have launched wscript.exe to run a JSE file.
  See Detect rundll.exe being used for reconnaissance and command-and-control for another query related to Trickbot activity.
  Reference - https://attack.mitre.org/software/S0266/  
relevantTechniques:
- T1059
- T1105
- T1203
triggerThreshold: 0
queryPeriod: 1h
triggerOperator: gt
name: Office Apps Launching Wscipt
severity: Medium
kind: Scheduled
query: |
  DeviceProcessEvents 
  | where InitiatingProcessFileName in~ ('winword.exe', 'excel.exe', 'outlook.exe') 
  | where FileName =~ "wscript.exe" and ProcessCommandLine has ".jse"
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")