Attackers may be using JScript staging techniques with identifiable comments to establish persistence or execute payloads in the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential post-compromise activity and mitigate further lateral movement or data exfiltration.
KQL Query

```kusto
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "VMBlastSG"
```
```yaml
id: 8495c33d-0048-447f-b1e5-27fa5e7f7417
name: Suspicious JScript staging comment
description: |
  Microsoft has observed attackers who have gained entry to an environment via the Log4J vulnerability utilizing identifiable strings in PowerShell commands.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
  - Vulnerability
query: |
  DeviceProcessEvents
  | where FileName =~ "powershell.exe"
  | where ProcessCommandLine has "VMBlastSG"
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
False-positive scenarios and suggested exclusions. The field names in the filters below are generic; in DeviceProcessEvents the corresponding columns are FileName, ProcessCommandLine and AccountName, so map them before adding an exclusion to the query.

- Scenario: Legitimate scheduled job using PowerShell for system maintenance
  Filter/Exclusion: ProcessName == "schtasks.exe" && CommandLine contains "schtasks /run"
  Rationale: Scheduled tasks are common in enterprise environments and may execute PowerShell scripts for routine maintenance.
- Scenario: Microsoft Endpoint Configuration Manager (MECM) deployment script
  Filter/Exclusion: ProcessName == "msiexec.exe" && CommandLine contains "msiexec /i"
  Rationale: MECM often uses PowerShell scripts for software deployment, which may include staging comments similar to malicious payloads.
- Scenario: Admin using PowerShell for log analysis with JScript comments
  Filter/Exclusion: ProcessName == "powershell.exe" && User == "Domain\Administrator" && CommandLine contains "Get-EventLog"
  Rationale: Administrators may use JScript-style comments in PowerShell scripts for log analysis or debugging, which can trigger the rule.
- Scenario: Legitimate use of Invoke-Expression for script execution
  Filter/Exclusion: CommandLine contains "Invoke-Expression" && CommandLine contains "Get-ChildItem"
  Rationale: Invoke-Expression is a common cmdlet used for executing dynamic script content, often in legitimate administrative tasks.
- Scenario: Microsoft Defender ATP rule update or policy configuration
  Filter/Exclusion: ProcessName == "msiexec.exe" && CommandLine contains "Microsoft Defender ATP"
  Rationale: Microsoft Defender ATP may use PowerShell scripts for rule updates or policy configuration, which can include staging comments.
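The hunting query above and the tuning scenarios that follow it, as an added Python example that is not part of the original query or of Microsoft's detection content: it replays the two `where` clauses over constructed DeviceProcessEvents rows, approximating KQL's `=~` (case-insensitive equality) and `has` (case-insensitive whole-term match) so that the difference from `contains` is visible, and applies one hypothetical tuning exclusion modelled on the third scenario (administrator running Get-EventLog). The sample rows, device names, account names, the term-boundary rule and the exclusion predicate are all constructed assumptions, not values from the page.

```python
import re
from typing import Callable, Dict, Iterable, List

Event = Dict[str, str]

# Constructed sample DeviceProcessEvents rows (not real telemetry). Only the
# columns the hunt and the tuning exclusion touch are modelled.
SAMPLE_EVENTS: List[Event] = [
    {"DeviceName": "ws01", "FileName": "powershell.exe", "AccountName": "jdoe",
     "ProcessCommandLine": 'powershell.exe -nop -w hidden -c "/*VMBlastSG*/ <staging payload elided>"'},
    # Case differs from the query's literals: =~ and has are case-insensitive.
    {"DeviceName": "ws02", "FileName": "PowerShell.EXE", "AccountName": "svc_build",
     "ProcessCommandLine": "PowerShell.EXE -File C:\\jobs\\vmblastsg.ps1"},
    # Marker embedded in a longer term: `has` does not match, `contains` would.
    {"DeviceName": "ws03", "FileName": "powershell.exe", "AccountName": "jdoe",
     "ProcessCommandLine": "powershell.exe -c Get-Process VMBlastSGX"},
    # Right string, wrong image: the first where clause drops it.
    {"DeviceName": "ws04", "FileName": "cmd.exe", "AccountName": "jdoe",
     "ProcessCommandLine": "cmd.exe /c echo VMBlastSG"},
    # Matches the query but is covered by the hypothetical tuning exclusion.
    {"DeviceName": "ws05", "FileName": "powershell.exe", "AccountName": "Administrator",
     "ProcessCommandLine": "powershell.exe -c Get-EventLog -LogName VMBlastSG"},
]

# Assumed term boundary: any run of non-alphanumeric characters (underscore kept
# inside a term). Close to, but not identical to, Kusto's own tokenizer.
_TERM_SPLIT = re.compile(r"[^0-9A-Za-z_]+")


def kql_has(haystack: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive match on a whole term."""
    tokens = _TERM_SPLIT.split(haystack.lower())
    return term.lower() in tokens


def kql_contains(haystack: str, term: str) -> bool:
    """KQL `contains`: case-insensitive substring match, shown for comparison."""
    return term.lower() in haystack.lower()


def kql_eq_ci(left: str, right: str) -> bool:
    """KQL `=~`: case-insensitive string equality."""
    return left.lower() == right.lower()


def matches_hunt(ev: Event) -> bool:
    """The two where clauses of the hunting query."""
    return (kql_eq_ci(ev.get("FileName", ""), "powershell.exe")
            and kql_has(ev.get("ProcessCommandLine", ""), "VMBlastSG"))


def admin_eventlog_exclusion(ev: Event) -> bool:
    """Hypothetical tuning exclusion modelled on the page's third scenario:
    an administrator account running Get-EventLog. The account name is an assumption."""
    return (ev.get("AccountName", "").lower() == "administrator"
            and kql_contains(ev.get("ProcessCommandLine", ""), "Get-EventLog"))


def hunt(events: Iterable[Event],
         exclusions: Iterable[Callable[[Event], bool]] = (admin_eventlog_exclusion,)) -> List[Event]:
    """Return the rows that match the query and are not removed by a tuning rule."""
    rules = tuple(exclusions)
    return [ev for ev in events
            if matches_hunt(ev) and not any(rule(ev) for rule in rules)]


if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"{ev['DeviceName']} ({ev['AccountName']}): {ev['ProcessCommandLine']}")
```

Running the block lists ws01 and ws02 only: ws03 shows why the query uses `has` rather than `contains` (a longer token such as VMBlastSGX is not the marker), ws04 is dropped by the image filter, and ws05 is a hit that the exclusion suppresses. Passing `exclusions=()` to `hunt` shows the raw query output before tuning, which is the set worth reviewing before any exclusion is committed to the analytic rule.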