LoFP

False positives should be limited, but if any are present, filter as needed. In some instances, `cscript.exe` is used for legitimate business practices.

Techniques

Sample rules

Excel Spawning Windows Script Host

Description

The following analytic identifies instances where Microsoft Excel spawns Windows Script Host processes (cscript.exe or wscript.exe). This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is excel.exe. This activity is significant because it is uncommon and often associated with malicious actions, such as spearphishing attacks. If confirmed malicious, this could allow an attacker to execute scripts, potentially leading to code execution, data exfiltration, or further system compromise. Immediate investigation and mitigation are recommended.

Detection logic


| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="excel.exe" Processes.process_name IN ("cscript.exe", "wscript.exe")  by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.user Processes.dest 
| `drop_dm_object_name("Processes")` 
| `security_content_ctime(firstTime)`
|`security_content_ctime(lastTime)` 
| `excel_spawning_windows_script_host_filter`
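The same detection logic run over process-creation events outside Splunk, as an added Python example that is not part of the LoFP page or the Splunk rule: it aggregates by the same fields as the tstats query and then applies an allowlist standing in for the `excel_spawning_windows_script_host_filter` macro. The sample events, the `C:\Office16` paths and the finance-export allowlist entry are constructed assumptions.

```python
import re

# Constructed sample events shaped after the Endpoint.Processes data-model fields
# the rule queries (not real telemetry); _time is epoch seconds.
EVENTS = [
    {"_time": 1700000000, "dest": "ws01", "user": "alice",
     "parent_process_name": "excel.exe", "parent_process": "\"C:\\Office16\\EXCEL.EXE\" /dde",
     "process_name": "wscript.exe",
     "process": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\inv.vbs"},
    {"_time": 1700000090, "dest": "ws01", "user": "alice",
     "parent_process_name": "excel.exe", "parent_process": "\"C:\\Office16\\EXCEL.EXE\" /dde",
     "process_name": "wscript.exe",
     "process": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\upd.vbs"},
    {"_time": 1700000200, "dest": "fin02", "user": "bob",
     "parent_process_name": "EXCEL.EXE", "parent_process": "\"C:\\Office16\\EXCEL.EXE\"",
     "process_name": "cscript.exe",
     "process": "cscript.exe //nologo \\\\fileserver\\finance\\export.vbs"},
    {"_time": 1700000300, "dest": "ws01", "user": "alice",
     "parent_process_name": "winword.exe", "parent_process": "\"C:\\Office16\\WINWORD.EXE\"",
     "process_name": "wscript.exe", "process": "wscript.exe x.vbs"},
]

# Stand-in for the `excel_spawning_windows_script_host_filter` macro (assumption):
# command lines matching any of these regexes are known business automation.
BUSINESS_SCRIPTS = [r"\\\\fileserver\\finance\\export\.vbs$"]
WSH = {"cscript.exe", "wscript.exe"}

def excel_spawning_wsh(events, allow_patterns=BUSINESS_SCRIPTS):
    """Aggregate like the tstats query: one row per (parent_process,
    parent_process_name, process_name, user, dest) carrying count,
    values(process), firstTime and lastTime. Names are lower-cased first."""
    rows = {}
    for e in events:
        if e["parent_process_name"].lower() != "excel.exe":
            continue
        if e["process_name"].lower() not in WSH:
            continue
        key = (e["parent_process"], e["parent_process_name"].lower(),
               e["process_name"].lower(), e["user"], e["dest"])
        r = rows.setdefault(key, {"count": 0, "process": set(),
                                  "firstTime": e["_time"], "lastTime": e["_time"]})
        r["count"] += 1
        r["process"].add(e["process"])
        r["firstTime"] = min(r["firstTime"], e["_time"])
        r["lastTime"] = max(r["lastTime"], e["_time"])
    # The filter macro runs last in the pipeline: drop a row only when every
    # command line it aggregates is on the allowlist.
    return {k: r for k, r in rows.items()
            if not all(any(re.search(p, c) for p in allow_patterns) for c in r["process"])}
```

With the allowlist in place only the two Temp-folder `wscript.exe` launches on ws01 survive as one aggregated row; pass `allow_patterns=[]` to see the finance-export `cscript.exe` row reappear.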