some software installers or automation scripts may extract and run scripts from archive files in temporary directories. however, it is uncommon for such scripts to initiate outbound network connections immediately upon extraction. this behavior should be considered suspicious and investigated, especially in environments where such scripting is not typical.

Techniques

Sample rules

Cisco NVM - Susp Script From Archive Triggering Network Activity

source: splunk
technicques:
- T1059.005
- T1204.002

Description

This analytic detects script execution (wscript.exe or cscript.exe) triggered from compressed files opened directly using explorer.exe, winrar.exe, or 7zFM.exe. When a user double clicks on a “.js” file from within one of these compressed files. Its extracted temporally in the temp directory in folder with certain markers. It leverages Cisco Network Visibility Module (NVM) flow data, in order to look for a specific parent/child relationship and an initiated network connection. This behavior is exploited by threat actors such as Scarlet Goldfinch to deliver and run malicious scripts as an initial access technique.

Detection logic

`cisco_network_visibility_module_flowdata`
parent_process_name IN ("explorer.exe", "winrar.exe", "7zFM.exe")
process_name IN ("wscript.exe", "cscript.exe")
process_arguments = "*\\AppData\\Local\\Temp\\*"
process_arguments IN ("*\\rar*", "*\\7z*", "*.zip*")

| stats count min(_time) as firstTime max(_time) as lastTime
        values(parent_process_arguments) as parent_process_arguments
        values(process_arguments) as process_arguments
        values(parent_process_hash) as parent_process_hash
        values(process_hash) as process_hash
        values(module_name_list) as module_name_list
        values(module_hash_list) as module_hash_list
        values(dest_port) as dest_port
        values(aliul) as additional_logged_in_users_list
        values(dest_hostname) as dest_hostname
        by src dest parent_process_path parent_process_name parent_process_integrity_level process_path process_name process_integrity_level process_id transport

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| table 
  parent_process_integrity_level parent_process_name parent_process_path parent_process_arguments parent_process_hash
  process_integrity_level process_path process_name process_arguments process_hash process_id
  additional_logged_in_users_list module_name_list module_hash_list
  src dest_hostname dest dest_port transport firstTime lastTime

| `cisco_nvm___susp_script_from_archive_triggering_network_activity_filter`