Script Interpreter Execution From Suspicious Folder
- source: sigma
- techniques:
  - t1059
Description
Detects suspicious script execution from suspicious directories or folders accessible by environment variables that may indicate malware activity. Script interpreters (cscript, wscript, mshta, powershell) executing from folders like Temp, Public, or user profile directories may suggest attempts to evade detection or execute malicious scripts.
Detection logic
condition: 1 of selection_proc_* and 1 of selection_folders_* and not 1 of filter_optional_*
filter_optional_chocolatey_installer:
  CommandLine|contains|all:
    - '-NoProfile -ExecutionPolicy Bypass -Command'
    - 'AppData\Local\Temp\'
    - 'Install-Chocolatey.ps1'
  Image|endswith: '\powershell.exe'
  ParentImage:
    - 'C:\Windows\System32\Msiexec.exe'
    - 'C:\Windows\SysWOW64\Msiexec.exe'
selection_folders_1:
  CommandLine|contains:
    - ':\Perflogs\'
    - ':\Users\Public\'
    - '\%Public%'
    - '\AppData\Local\Temp'
    - '\AppData\Roaming\Temp'
    - '\Temporary Internet'
    - '\Windows\Temp'
    - '\Start Menu\Programs\Startup\'
    - '%TEMP%'
    - '%TMP%'
    - '%LocalAppData%\Temp'
selection_folders_2:
  - CommandLine|contains|all:
      - ':\Users\'
      - '\Favorites\'
  - CommandLine|contains|all:
      - ':\Users\'
      - '\Favourites\'
  - CommandLine|contains|all:
      - ':\Users\'
      - '\Contacts\'
  - CommandLine|contains|all:
      - ':\Users\'
      - '\Documents\'
  - CommandLine|contains|all:
      - ':\Users\'
      - '\Music\'
  - CommandLine|contains|all:
      - ':\Users\'
      - '\Pictures\'
  - CommandLine|contains|all:
      - ':\Users\'
      - '\Videos\'
selection_proc_flags:
  CommandLine|contains:
    - ' -ep bypass '
    - ' -ExecutionPolicy bypass '
    - ' -w hidden '
    - '/e:javascript '
    - '/e:Jscript '
    - '/e:vbscript '
selection_proc_image:
  Image|endswith:
    - '\cscript.exe'
    - '\mshta.exe'
    - '\wscript.exe'
selection_proc_original:
  OriginalFileName:
    - 'cscript.exe'
    - 'mshta.exe'
    - 'wscript.exe'
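The following Python is an added example, not code from the Sigma project or from this page: it transcribes the detection block above into data, implements the handful of Sigma matching semantics the rule relies on (case-insensitive `contains`, `contains|all`, `endswith`, exact match; a list of maps is an OR; `1 of prefix_*` means any selection with that name prefix), and evaluates the condition over six constructed process-creation events. The event field names (Image, CommandLine, ParentImage, OriginalFileName) are the Sysmon/Sigma process-creation fields; all event values are made up for the demonstration.

```python
"""Added example (not Sigma's own code): a minimal evaluator for the
'Script Interpreter Execution From Suspicious Folder' detection logic, run
over constructed process-creation events. Sigma string matching is
case-insensitive, so both sides are lower-cased before comparison."""

# The rule's detection block transcribed as Python data. Keys keep Sigma's
# field|modifier syntax; a list of dicts is an OR of alternative field sets.
RULE = {
    "selection_proc_image": {
        "Image|endswith": ["\\cscript.exe", "\\mshta.exe", "\\wscript.exe"],
    },
    "selection_proc_original": {
        "OriginalFileName": ["cscript.exe", "mshta.exe", "wscript.exe"],
    },
    "selection_proc_flags": {
        "CommandLine|contains": [" -ep bypass ", " -ExecutionPolicy bypass ",
                                 " -w hidden ", "/e:javascript ", "/e:Jscript ",
                                 "/e:vbscript "],
    },
    "selection_folders_1": {
        "CommandLine|contains": [":\\Perflogs\\", ":\\Users\\Public\\", "\\%Public%",
                                 "\\AppData\\Local\\Temp", "\\AppData\\Roaming\\Temp",
                                 "\\Temporary Internet", "\\Windows\\Temp",
                                 "\\Start Menu\\Programs\\Startup\\", "%TEMP%",
                                 "%TMP%", "%LocalAppData%\\Temp"],
    },
    "selection_folders_2": [
        {"CommandLine|contains|all": [":\\Users\\", "\\%s\\" % folder]}
        for folder in ("Favorites", "Favourites", "Contacts", "Documents",
                       "Music", "Pictures", "Videos")
    ],
    "filter_optional_chocolatey_installer": {
        "CommandLine|contains|all": ["-NoProfile -ExecutionPolicy Bypass -Command",
                                     "AppData\\Local\\Temp\\", "Install-Chocolatey.ps1"],
        "Image|endswith": "\\powershell.exe",
        "ParentImage": ["C:\\Windows\\System32\\Msiexec.exe",
                        "C:\\Windows\\SysWOW64\\Msiexec.exe"],
    },
}
CONDITION = "1 of selection_proc_* and 1 of selection_folders_* and not 1 of filter_optional_*"


def _one_value(actual, wanted, mods):
    """Compare one lower-cased field value against one lower-cased pattern."""
    if "contains" in mods:
        return wanted in actual
    if "endswith" in mods:
        return actual.endswith(wanted)
    if "startswith" in mods:
        return actual.startswith(wanted)
    return actual == wanted


def _field_matches(event, key, values):
    """'Field|mod1|mod2': value-or-list. Lists are OR unless the 'all' modifier is set."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    wanted = [v.lower() for v in ([values] if isinstance(values, str) else values)]
    combine = all if "all" in mods else any
    return combine(_one_value(actual, w, mods) for w in wanted)


def _selection_matches(event, selection):
    """A map is an AND of its fields; a list of maps is an OR of alternatives."""
    if isinstance(selection, list):
        return any(_selection_matches(event, alt) for alt in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def matched_selections(event):
    """Names of every selection and filter the event satisfies (handy for triage notes)."""
    return [name for name, sel in RULE.items() if _selection_matches(event, sel)]


def rule_matches(event):
    """Evaluate CONDITION: '1 of prefix_*' is satisfied by any selection with that prefix."""
    hits = matched_selections(event)
    one_of = lambda prefix: any(h.startswith(prefix) for h in hits)
    return one_of("selection_proc_") and one_of("selection_folders_") and not one_of("filter_optional_")


# Constructed events (not real telemetry), each exercising a different branch of the rule.
SAMPLE_EVENTS = {
    "wscript_from_temp": {"Image": "C:\\Windows\\System32\\wscript.exe",
                          "CommandLine": "wscript.exe \"C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.js\""},
    "mshta_from_documents": {"Image": "C:\\Windows\\System32\\mshta.exe",
                             "CommandLine": "mshta.exe C:\\Users\\bob\\Documents\\update.hta"},
    # No interpreter image, but the flag selection plus %TEMP% still fires.
    "powershell_bypass_from_temp": {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                    "CommandLine": "powershell.exe -ep bypass -File %TEMP%\\run.ps1"},
    # Renamed host binary: only the OriginalFileName selection identifies it.
    "renamed_wscript_public": {"Image": "C:\\Users\\Public\\w.exe", "OriginalFileName": "wscript.exe",
                               "CommandLine": "C:\\Users\\Public\\w.exe C:\\Users\\Public\\drop.vbs"},
    # Matches proc_flags and folders_1 but is excluded by the Chocolatey filter.
    "chocolatey_install_via_msiexec": {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                       "ParentImage": "C:\\Windows\\System32\\Msiexec.exe",
                                       "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "
                                                      "\"& 'C:\\Users\\svc\\AppData\\Local\\Temp\\Install-Chocolatey.ps1'\""},
    "cscript_from_program_files": {"Image": "C:\\Windows\\System32\\cscript.exe",
                                   "CommandLine": "cscript.exe \"C:\\Program Files\\Vendor\\maint.vbs\""},
}


def evaluate(events=SAMPLE_EVENTS):
    """Map each event name to whether the rule fires on it."""
    return {name: rule_matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT' if hit else 'ok   '} {name}: {matched_selections(SAMPLE_EVENTS[name])}")
```

Two details of the logic are worth noting when tuning this rule. `selection_proc_flags` is not tied to a specific image, so any process whose command line carries `-ep bypass`, `-w hidden` or an `/e:` engine switch and touches a listed folder fires, which is why the PowerShell event above alerts without `powershell.exe` appearing in the image selections. And the filter only suppresses the exact Chocolatey installer shape (msiexec parent, `-NoProfile -ExecutionPolicy Bypass -Command`, the script name); anything that matches two of the three still alerts, so local installer exclusions should be added as further `filter_optional_*` selections rather than by loosening the existing one.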