[Tuning / New] Execution of a downloaded windows script

rules/windows/defense_evasion_posh_assembly_load.toml

@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2024/10/28"
+updated_date = "2025/01/31"
 
 [transform]
 [[transform.osquery]]
@@ -132,7 +132,9 @@ query = '''
 event.category:process and host.os.type:windows and
   powershell.file.script_block_text : (
     "[System.Reflection.Assembly]::Load" or
-    "[Reflection.Assembly]::Load"
+    "[Reflection.Assembly]::Load" or
+    "Assembly.Load(" or
+    "System.Reflection"
   ) and
   not powershell.file.script_block_text : (
         ("CommonWorkflowParameters" or "RelatedLinksHelpInfo") and

rules/windows/execution_powershell_susp_args_via_winscript.toml

@@ -4,12 +4,12 @@ integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/01/31"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies suspicious PowerShell execution spawning from Windows Script Host processes (cscript or wscript.exe).
+Identifies PowerShell or Cmd.exe execution spawning from Windows Script Host processes wscript.exe.
 """
 from = "now-9m"
 index = [
@@ -22,7 +22,7 @@ index = [
 ]
 language = "eql"
 license = "Elastic License v2"
-name = "Suspicious PowerShell Execution via Windows Scripts"
+name = "Command and Scripting Interpreter via Windows Scripts"
 risk_score = 73
 rule_id = "2d62889e-e758-4c5e-b57e-c735914ee32a"
 severity = "high"
@@ -42,62 +42,8 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.action == "start" and
-  process.name : ("powershell.exe", "pwsh.exe") and
-  process.parent.name : ("wscript.exe", "cscript.exe", "mshta.exe") and
-   (
-   process.args_count == 1 or
-   process.command_line :
-             ("*^*^*^*^*^*^*^*^*^*",
-              "*''*''*''*",
-              "*`*`*`*`*",
-              "*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*",
-              "*+*+*+*+*+*",
-              "*$*$*$*$*",
-              "*[char[]](*)*-join",
-              "*Base64String*",
-              "*[*Convert]*",
-              "*.Text.Encoding*",
-              "*.Compression.*",
-              "*.replace(*",
-              "*MemoryStream*",
-              "*WriteAllBytes*",
-              "* -en* *",
-              "* -ec *",
-              "* -e *",
-              "* -ep *",
-              "* /e *",
-              "* /en* *",
-              "* /ec *",
-              "* /ep *",
-              "*WebClient*",
-              "*DownloadFile*",
-              "*DownloadString*",
-              "*BitsTransfer*",
-              "*Invoke-Exp*",
-              "*invoke-web*",
-              "*iex*",
-              "*iwr*",
-              "*Reflection.Assembly*",
-              "*Assembly.GetType*",
-              "*.Sockets.*",
-              "*Add-MpPreference*ExclusionPath*",
-              "*raw.githubusercontent*")
-   ) and
-
-   /* many legit powershell commands uses those non shortened execution flags excluding Sync-AppvPublishingServer lolbas */
-   not (process.args : ("-EncodedCommand", "Import-Module*", "-NonInteractive") and
-        process.args : "-ExecutionPolicy" and not process.args : "Sync-AppvPublishingServer") and
-
-   /* third party installation related FPs */
-   not ?process.parent.args : "?:\\Windows\\system32\\gatherNetworkInfo.vbs" and
-   not (?process.parent.args : "Microsoft.SystemCenter.ICMPProbe.WithConsecutiveSamples.vbs" and process.args : "Get-SCOMAgent") and
-   not (process.command_line : "*WEBLOGIC_ARGS_CURRENT_1.DATA*" and ?process.parent.command_line : "*Impact360*") and
-   not process.args :  "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers;*" and
-   not process.command_line : ("*.Access.IdentityReference*win32_SID.SID*", "*AGIAbQB4AC0AYQBwAC4AcwAzAC4AdQBzAC0AZQBhAHMAd*") and
-   not (?process.parent.args : "?:\\Users\\Prestige\\AppData\\Local\\Temp\\Rar$*\\KMS_VL_ALL_AIO.cmd  -elevated" and process.command_line : "*KMS_VL_ALL_AIO.cmd*") and
-   not process.args : "iwr https://*.s3.us-east-1.amazonaws.com/scripts/Start-SpeedTest.ps1 -UserAgent * -UseBasicParsing | invoke-expression" and
-   not (process.parent.name : "wscript.exe" and
-        ?process.parent.args : "C:\\Program Files (x86)\\Telivy\\Telivy Agent\\telivy.js")
+  process.name : ("powershell.exe", "pwsh.exe", "cmd.exe") and
+  process.parent.name : ("wscript.exe", "mshta.exe") and ?process.parent.args : "?:\\Users\\*"
 '''
 note = """## Triage and analysis
 
@@ -146,6 +92,11 @@ id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.005"
 name = "Visual Basic"

rules/windows/execution_windows_script_from_internet.toml

@@ -0,0 +1,86 @@
+[metadata]
+creation_date = "2025/01/31"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "Mark of The Web enrichment was added to Elastic Defend file events in 8.15.0."
+min_stack_version = "8.15.0"
+updated_date = "2025/01/31"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation of a Windows script downloaded from the internet followed by the execution of a scripting utility.
+Adversaries may use Windows script files for initial access and execution.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Execution of a downloaded windows script"
+risk_score = 47
+rule_id = "79543b00-28a5-4461-81ac-644c4dc4012f"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Data Source: Elastic Defend"
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+sequence by host.id, user.name with maxspan=3m
+[file where host.os.type == "windows" and event.action == "creation" and user.id != "S-1-5-18" and
+  process.name : ("chrome.exe", "msedge.exe", "brave.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "explorer.exe", "winrar.exe", "7zFM.exe", "7zG.exe", "Bandizip.exe") and
+  file.Ext.windows.zone_identifier == 3 and
+  file.extension in~ ("js", "jse", "vbs", "vbe", "wsh", "hta") and
+  (file.origin_url != null or file.origin_referrer_url != null) and file.path : "?:\\Users\\*"]
+[process where host.os.type == "windows" and event.type == "start" and
+ process.parent.name : "explorer.exe" and process.name in~ ("wscript.exe", "mshta.exe") and process.args_count >= 2]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.005"
+name = "Visual Basic"
+reference = "https://attack.mitre.org/techniques/T1059/005/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.005"
+name = "Mshta"
+reference = "https://attack.mitre.org/techniques/T1218/005/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+