Query Details

WScript to VBS file invoking PowerShell

Wscript Vbs Spawning Suspicious Processes

Query

DeviceProcessEvents
// Define the time you are interested to look into
| where TimeGenerated > ago(1d)
| where InitiatingProcessParentFileName contains @"wscript.exe"
// Command line includes VBS file execution
| where InitiatingProcessCommandLine contains ".vbs"
// Invoking PowerShell or Command Line
| where InitiatingProcessFileName has_any (@"powershell.exe", @"pwsh.exe", @"powershell_ise.exe", @"cmd.exe")
// Define elements that should be available in the results
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName

About this query

Explanation

This query is used to detect a GULOADER payload delivered through a .vbs file that invokes PowerShell to gain access to a device. It filters for events where the initiating process is wscript.exe, the command line includes the execution of a .vbs file, and the initiating process is either powershell.exe, pwsh.exe, powershell_ise.exe, or cmd.exe. The query then projects specific elements from the results such as the timestamp, device name, account name, initiating process file name, initiating process command line, and initiating process parent file name. The query is used in both Microsoft 365 Defender and Microsoft Sentinel environments. It is also mapped to the MITRE ATT&CK technique T1059.001 - Command and Scripting Interpreter: PowerShell.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: August 14, 2023

Tables

DeviceProcessEvents

Keywords

DevicesIntuneUser

Operators

|>ago()containshas_any()whereproject

MITRE Techniques

Actions

GitHub