A legitimate Windows binary writing a script file (.ps1, .bat, .vbs, .scf, .wsf, .wsh) to disk is a strong signal of abuse. The binaries in the rule below fall into two groups: LOLBINs that attackers routinely use to download or decode payloads (certutil.exe, certoc.exe, CertReq.exe, esentutl.exe, mshta.exe, Desktopimgdownldr.exe), and programs that have no business creating scripts at all (eqnedt32.exe, wordpad.exe, wordview.exe, hh.exe, finger.exe, Adobe Reader's AcroRd32.exe and RdrCEF.exe). An alert from the second group usually means the process was injected into or that malware is running under a legitimate file name. Because the script is staged by a trusted, signed binary rather than dropped by an unknown executable, file-reputation and application-allowlisting controls tend not to see it, so SOC teams should hunt for this behaviour in Azure Sentinel (now Microsoft Sentinel) rather than rely on those controls alone.
Detection Rule
title: Legitimate Application Dropped Script
id: 7d604714-e071-49ff-8726-edeb95a70679
status: test
description: Detects programs on a Windows system that should not write scripts to disk
references:
    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
            - \eqnedt32.exe
            - \wordpad.exe
            - \wordview.exe
            # LOLBINs that can be used to download executables
            - \certutil.exe
            - \certoc.exe
            - \CertReq.exe
            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
            - \Desktopimgdownldr.exe
            - \esentutl.exe
            # - \expand.exe
            - '\mshta.exe'
            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
            - '\AcroRd32.exe'
            - '\RdrCEF.exe'
            - '\hh.exe'
            - '\finger.exe'
        TargetFilename|endswith:
            - '.ps1'
            - '.bat'
            - '.vbs'
            - '.scf'
            - '.wsf'
            - '.wsh'
    condition: selection
falsepositives:
    - Unknown
level: high
Sentinel (ASIM) query

The Sigma Image field is the process that writes the file. In the ASIM FileEvent schema that process is ActingProcessName, while TargetFilePath and TargetFileName describe the file being written. A conversion that tests TargetFilePath for the image name can never fire, because one path cannot end with both "\certutil.exe" and ".ps1"; the query below therefore keys the image list on ActingProcessName. The file_event category corresponds to Sysmon Event ID 11 (FileCreate), which ASIM normalizes as EventType "FileCreated", so the query restricts itself to that event type instead of matching modifications, renames and deletions as well. KQL endswith is case-insensitive, so the casing of CertReq.exe does not matter.

imFileEvent
| where EventType == "FileCreated"
| where ActingProcessName endswith "\\eqnedt32.exe"
    or ActingProcessName endswith "\\wordpad.exe"
    or ActingProcessName endswith "\\wordview.exe"
    or ActingProcessName endswith "\\certutil.exe"
    or ActingProcessName endswith "\\certoc.exe"
    or ActingProcessName endswith "\\CertReq.exe"
    or ActingProcessName endswith "\\Desktopimgdownldr.exe"
    or ActingProcessName endswith "\\esentutl.exe"
    or ActingProcessName endswith "\\mshta.exe"
    or ActingProcessName endswith "\\AcroRd32.exe"
    or ActingProcessName endswith "\\RdrCEF.exe"
    or ActingProcessName endswith "\\hh.exe"
    or ActingProcessName endswith "\\finger.exe"
| where TargetFileName endswith ".ps1"
    or TargetFileName endswith ".bat"
    or TargetFileName endswith ".vbs"
    or TargetFileName endswith ".scf"
    or TargetFileName endswith ".wsf"
    or TargetFileName endswith ".wsh"
Tuning and false positives

The rule ships with falsepositives: Unknown, and its selection fires only when the acting process is one of the images listed above and the new file carries one of the listed script extensions. Exclusions keyed on other processes or file types therefore never apply to an alert from this rule: powershell.exe, schtasks.exe, sqlservr.exe, dotnet.exe and wusa.exe are not in the Image list, and .sql and .cs are not in the extension list. An administrator running a troubleshooting script in PowerShell, a scheduled task generating a temporary .ps1, SQL Server writing a backup script, Entity Framework code generation, or Windows Update staging files during a patch do not trigger this rule and need no filter here. Tune on the fields the rule actually uses, and scope every exclusion to the acting process plus the full target path, never to a filename substring such as "temp_script.ps1" or "update_script.ps1", because the attacker chooses the filename and will pick one that matches your exclusion.

Scenario: A verified deployment or maintenance job in your environment uses one of the listed LOLBINs (for example, certutil.exe decoding a packaged .bat) and always writes into one fixed directory. The job name and directory below are placeholders to be replaced with the verified values.
Filter/Exclusion: | where not(ActingProcessName endswith "\\certutil.exe" and TargetFilePath startswith "C:\\ProgramData\\<KnownJob>\\")

Scenario: eqnedt32.exe, hh.exe, finger.exe, AcroRd32.exe or RdrCEF.exe writes a script. Per the rule's own comment these binaries should never do so; an alert means process injection or malware running under a legitimate name.
Filter/Exclusion: None. Verify the image hash, signature and parent process and escalate rather than exclude.
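The following is an added example, not code from the Sigma rule, the Sentinel query or this page. It evaluates the rule's selection in Python over constructed Sysmon Event ID 11 (FileCreate) records, shows that mapping the Sigma Image field onto the target file path yields a query that can never match, and contrasts an exclusion scoped to acting process plus directory with one keyed on a filename substring. The event records, the KnownJob directory and the update_script name are constructed for illustration and are not real telemetry or a real product path.

```python
"""Rule logic of "Legitimate Application Dropped Script" over constructed
Sysmon EID 11 events.  Field names follow Sysmon (Image, TargetFilename)."""

from dataclasses import dataclass

# Acting-process images from the rule's Image|endswith list
SUSPICIOUS_IMAGES = (
    r"\eqnedt32.exe", r"\wordpad.exe", r"\wordview.exe",
    r"\certutil.exe", r"\certoc.exe", r"\CertReq.exe",
    r"\Desktopimgdownldr.exe", r"\esentutl.exe", r"\mshta.exe",
    r"\AcroRd32.exe", r"\RdrCEF.exe", r"\hh.exe", r"\finger.exe",
)
# Script extensions from the rule's TargetFilename|endswith list
SCRIPT_EXTENSIONS = (".ps1", ".bat", ".vbs", ".scf", ".wsf", ".wsh")


@dataclass(frozen=True)
class FileCreateEvent:
    image: str            # Sysmon "Image": process that wrote the file
    target_filename: str  # Sysmon "TargetFilename": full path of the new file


def _endswith_any(value: str, suffixes) -> bool:
    # Sigma string modifiers and KQL endswith are case-insensitive, so
    # "\CertReq.exe" must match "...\System32\certreq.exe".
    low = value.lower()
    return any(low.endswith(s.lower()) for s in suffixes)


def matches_selection(ev: FileCreateEvent) -> bool:
    """Both keys of the Sigma selection must hold (they are ANDed)."""
    return (_endswith_any(ev.image, SUSPICIOUS_IMAGES)
            and _endswith_any(ev.target_filename, SCRIPT_EXTENSIONS))


def matches_misconverted_query(ev: FileCreateEvent) -> bool:
    """Same logic with Image wrongly mapped to the target path.

    One path cannot end with both "\\certutil.exe" and ".ps1", so this
    never fires: a query converted this way is silently dead."""
    return (_endswith_any(ev.target_filename, SUSPICIOUS_IMAGES)
            and _endswith_any(ev.target_filename, SCRIPT_EXTENSIONS))


# Hypothetical tuning entries: (acting image suffix, directory prefix) an
# analyst has verified as a known job.  The directory is an assumption.
KNOWN_EXCLUSIONS = (
    (r"\certutil.exe", "c:\\programdata\\knownjob\\"),
)


def excluded_by_path(ev: FileCreateEvent) -> bool:
    """Exclusion scoped to the acting process AND the full target directory."""
    low_path = ev.target_filename.lower()
    return any(_endswith_any(ev.image, (img,)) and low_path.startswith(prefix)
               for img, prefix in KNOWN_EXCLUSIONS)


def excluded_by_name(ev: FileCreateEvent, needle: str = "update_script") -> bool:
    """Exclusion keyed on a filename substring: anything so named slips past."""
    return needle in ev.target_filename.lower()


def triage(events, exclusion=excluded_by_path):
    """Events that still alert under the rule after the given exclusion."""
    return [ev for ev in events if matches_selection(ev) and not exclusion(ev)]


# Constructed sample telemetry (not captured from a real host)
SAMPLE_EVENTS = [
    # certutil writing a .ps1 into the user's temp: classic LOLBIN drop
    FileCreateEvent(r"C:\Windows\System32\certutil.exe",
                    r"C:\Users\alice\AppData\Local\Temp\update_script.ps1"),
    # mshta dropping a .vbs: should alert
    FileCreateEvent(r"C:\Windows\System32\mshta.exe",
                    r"C:\Users\alice\AppData\Roaming\run.vbs"),
    # certutil writing into the verified job directory: tuned out by path
    FileCreateEvent(r"C:\Windows\System32\certutil.exe",
                    r"C:\ProgramData\KnownJob\deploy.bat"),
    # wordpad writing an .rtf: image matches, extension does not
    FileCreateEvent(r"C:\Program Files\Windows NT\Accessories\wordpad.exe",
                    r"C:\Users\alice\Documents\notes.rtf"),
    # powershell writing a .ps1: not in the Image list of this rule
    FileCreateEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    r"C:\Scripts\fix.ps1"),
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print("ALERT", ev.image, "->", ev.target_filename)
```

Run as a script it prints two alerts (the certutil drop into Temp and the mshta drop). Swapping excluded_by_name in as the exclusion both suppresses the real certutil drop, whose filename was chosen to match the substring, and still alerts on the verified job, which is the opposite of what the tuning intended.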