Command and Scripting Interpreter

let ScriptEngines = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "python.exe", "python3.exe", "perl.exe", "ruby.exe", "lua.exe", "node.exe", "osascript", "bash", "sh", "zsh", "AutoHotkey.exe", "AutoIt3.exe"]);
let SuspiciousParents = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe", "explorer.exe", "wmiprvse.exe", "svchost.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (ScriptEngines)
| where InitiatingProcessFileName has_any (SuspiciousParents)
| extend IsOfficeParent = InitiatingProcessFileName has_any ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| extend IsWMI = InitiatingProcessFileName =~ "wmiprvse.exe"
| extend IsSvchost = InitiatingProcessFileName =~ "svchost.exe"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, IsOfficeParent, IsWMI, IsSvchost
| sort by Timestamp desc

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\cmd.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe" OR Image="*\\python.exe" OR Image="*\\python3.exe" OR Image="*\\node.exe" OR Image="*\\AutoHotkey.exe" OR Image="*\\AutoIt3.exe")
  (ParentImage="*\\winword.exe" OR ParentImage="*\\excel.exe" OR ParentImage="*\\powerpnt.exe" OR ParentImage="*\\outlook.exe" OR ParentImage="*\\wmiprvse.exe" OR ParentImage="*\\svchost.exe" OR ParentImage="*\\explorer.exe")
| eval IsOfficeParent=if(match(ParentImage, "(winword|excel|powerpnt|outlook)\.exe$"), 1, 0)
| eval IsWMI=if(match(ParentImage, "wmiprvse\.exe$"), 1, 0)
| eval IsSvchost=if(match(ParentImage, "svchost\.exe$"), 1, 0)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsOfficeParent, IsWMI, IsSvchost
| sort - _time

process where event.type == "start" and
  process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "python.exe", "python3.exe", "perl.exe", "ruby.exe", "lua.exe", "node.exe", "osascript", "bash", "sh", "zsh", "AutoHotkey.exe", "AutoIt3.exe") and
  process.parent.name in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe", "explorer.exe", "wmiprvse.exe", "svchost.exe")

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS host,
  username,
  "Process Name" AS image,
  "Command" AS commandline,
  "Parent Process Name" AS parent_image,
  CASE
    WHEN LOWER("Parent Process Name") IN ('winword.exe','excel.exe','powerpnt.exe','outlook.exe') THEN 1
    ELSE 0
  END AS is_office_parent,
  CASE
    WHEN LOWER("Parent Process Name") = 'wmiprvse.exe' THEN 1
    ELSE 0
  END AS is_wmi,
  CASE
    WHEN LOWER("Parent Process Name") = 'svchost.exe' THEN 1
    ELSE 0
  END AS is_svchost
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 261)
  AND QIDNAME(qid) ILIKE '%process%create%'
  AND LOWER("Process Name") IN ('powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe','mshta.exe','python.exe','python3.exe','perl.exe','ruby.exe','lua.exe','node.exe','autohotkey.exe','autoit3.exe')
  AND LOWER("Parent Process Name") IN ('winword.exe','excel.exe','powerpnt.exe','outlook.exe','msaccess.exe','mspub.exe','visio.exe','onenote.exe','explorer.exe','wmiprvse.exe','svchost.exe')
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC

_sourceCategory=windows/sysmon OR _sourceCategory=os/windows/sysmon
| where EventID = "1"
| parse regex field=Image "(?<proc_name>[^\\\\]+)$"
| parse regex field=ParentImage "(?<parent_proc_name>[^\\\\]+)$"
| where toLowerCase(proc_name) in ("powershell.exe","pwsh.exe","cmd.exe","wscript.exe","cscript.exe","mshta.exe","python.exe","python3.exe","perl.exe","ruby.exe","lua.exe","node.exe","autohotkey.exe","autoit3.exe")
| where toLowerCase(parent_proc_name) in ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","msaccess.exe","mspub.exe","visio.exe","onenote.exe","explorer.exe","wmiprvse.exe","svchost.exe")
| if (toLowerCase(parent_proc_name) in ("winword.exe","excel.exe","powerpnt.exe","outlook.exe"), 1, 0) as is_office_parent
| if (toLowerCase(parent_proc_name) = "wmiprvse.exe", 1, 0) as is_wmi
| if (toLowerCase(parent_proc_name) = "svchost.exe", 1, 0) as is_svchost
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, is_office_parent, is_wmi, is_svchost
| sort by _messagetime desc

rule t1059_scripting_interpreter_suspicious_parent {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects command and scripting interpreters spawned by suspicious parent processes including Office apps, WMI, and svchost (MITRE ATT&CK T1059)"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|python\.exe|python3\.exe|perl\.exe|ruby\.exe|lua\.exe|node\.exe|AutoHotkey\.exe|AutoIt3\.exe)$/
    $e.principal.process.parent_process.file.full_path = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|msaccess\.exe|mspub\.exe|visio\.exe|onenote\.exe|explorer\.exe|wmiprvse\.exe|svchost\.exe)$/

  condition:
    $e
}

#event_simpleName=ProcessRollup2
| FileName = /(?i)^(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|python\.exe|python3\.exe|perl\.exe|ruby\.exe|lua\.exe|node\.exe|AutoHotkey\.exe|AutoIt3\.exe)$/
| ParentBaseFileName = /(?i)^(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|msaccess\.exe|mspub\.exe|visio\.exe|onenote\.exe|explorer\.exe|wmiprvse\.exe|svchost\.exe)$/
| IsOfficeParent := if(ParentBaseFileName = /(?i)(winword|excel|powerpnt|outlook)\.exe/, "true", "false")
| IsWMI := if(ParentBaseFileName = /(?i)wmiprvse\.exe/, "true", "false")
| IsSvchost := if(ParentBaseFileName = /(?i)svchost\.exe/, "true", "false")
| table([_timeparsed, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, IsOfficeParent, IsWMI, IsSvchost])
| sort(field=_timeparsed, order=desc)