-
Notifications
You must be signed in to change notification settings - Fork 375
/
ssa___windows_script_host_spawn_msbuild.yml
57 lines (57 loc) · 2.17 KB
/
ssa___windows_script_host_spawn_msbuild.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
name: Windows Script Host Spawn MSBuild
id: 92886f1c-9b11-11ec-848a-acde48001122
version: 4
date: '2022-03-03'
author: Michael Haag, Splunk
status: production
type: TTP
description: This analytic is to detect a suspicious child process of MSBuild spawned
by Windows Script Host - cscript or wscript. This behavior or event are commonly
seen and used by malware or adversaries to execute malicious msbuild process using
malicious script in the compromised host. During triage, review parallel processes
and identify any file modifications. MSBuild may load a script from the same path
without having command-line arguments.
data_source:
- Windows Security 4688
search:
selection1:
process.file.name: MSBuild.exe
actor.process.file.name|re:
- cscript.exe
- wscript.exe
condition: selection1
how_to_implement: To successfully implement this search you need to be ingesting information
on process that include the name of the process responsible for the changes from
your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,
confirm the latest CIM App 4.20 or higher is installed and the latest TA for the
endpoint product.
known_false_positives: False positives should be limited as developers do not spawn
MSBuild via a WSH.
references:
- https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/#
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1127.001_MSBuild/InvokeMSBuild.ps1
tags:
analytic_story:
- Trusted Developer Utilities Proxy Execution MSBuild
- Living Off The Land
asset_type: Endpoint
confidence: 100
impact: 80
message: An instance of $parent_process_name$ spawning $process_name$ was identified
on endpoint $dest_device_id$ by user $dest_user_id$.
mitre_attack_id:
- T1127.001
- T1127
observable: []
product:
- Splunk Behavioral Analytics
required_fields: []
kill_chain_phases:
- Exploitation
risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/msbuild-windows-security.log
source: WinEventLog:Security