Detect Scripting in Sumo Logic CSE
Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. This deprecated technique (now superseded by T1059 Command and Scripting Interpreter) covered adversary use of scripting languages including VBScript, JavaScript, Windows Script Host, batch scripts, and macro-enabled Office documents. Scripts can be used to speed up operations, bypass process monitoring by interacting with the OS at an API level, and enable execution via spearphishing attachments containing malicious macros. Common attack patterns include VBScript/JScript execution via wscript.exe or cscript.exe, malicious Office macros spawning child processes, and batch scripts performing reconnaissance or lateral movement.
MITRE ATT&CK
- Tactic: Defense Evasion, Execution
- Canonical reference: https://attack.mitre.org/techniques/T1064/
Sumo Detection Query
(_sourceCategory=windows/sysmon OR _sourceCategory=windows/security OR _sourceCategory=WinEventLog)
// Process creation only: Sysmon EventCode 1 or Windows Security EventID 4688
| where EventCode = 1 OR EventID = 4688
// Pull the process fields out of the raw message (Sysmon and Security field names)
| parse regex field=Message "(?:Image|NewProcessName):\s*(?<ProcessImage>[^\r\n]+)" nodrop
| parse regex field=Message "(?:ParentImage|ParentProcessName):\s*(?<ParentImage>[^\r\n]+)" nodrop
| parse regex field=Message "(?:CommandLine|ProcessCommandLine):\s*(?<CommandLine>[^\r\n]+)" nodrop
| parse regex field=Message "ParentCommandLine:\s*(?<ParentCommandLine>[^\r\n]+)" nodrop
| parse regex field=Message "(?:User|SubjectUserName|AccountName):\s*(?<UserName>[^\r\n]+)" nodrop
// Normalize: keep only the file name of each image, lower-cased
| toLowerCase(replace(ProcessImage, /^.*\\/, "")) as ProcessName
| toLowerCase(replace(ParentImage, /^.*\\/, "")) as ParentProcessName
| toLowerCase(CommandLine) as CommandLineLower
// Branch 1: Office application spawning a script interpreter or LOLBin
| if(
    ParentProcessName in ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","onenote.exe","access.exe","visio.exe")
    AND ProcessName in ("wscript.exe","cscript.exe","mshta.exe","cmd.exe","powershell.exe","pwsh.exe","regsvr32.exe","rundll32.exe"),
  1, 0) as OfficeMacroSpawn
// Branch 2: wscript/cscript with download, COM-object or script-file arguments
| if(
    ProcessName in ("wscript.exe","cscript.exe")
    AND (
      CommandLineLower matches /.*?(invoke-expression|iex\(|downloadstring|downloadfile|net\.webclient|createobject|shell\.application|shellexecute|wscript\.shell|http:\/\/|https:\/\/|certutil|bitsadmin).*/
      OR CommandLine matches /(?i).*\.(vbs|vbe|js|jse|wsf|wsh|hta)\b.*/
    ),
  1, 0) as SuspiciousScriptInterp
// Branch 3: mshta.exe given a URL, UNC path or protocol-handler script
| if(
    ProcessName = "mshta.exe"
    AND CommandLineLower matches /.*?(vbscript:|javascript:|http:\/\/|https:\/\/|\/\/|\\\\).*/,
  1, 0) as MshtaAbuse
// Branch 4: cmd.exe spawned by Office, or chaining operators combined with a LOLBin
| if(
    ProcessName = "cmd.exe"
    AND (
      ParentProcessName in ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","onenote.exe","access.exe")
      OR (
        CommandLineLower matches /.*?(\^\^|&&|\|\|).*/
        AND CommandLineLower matches /.*?(certutil|bitsadmin|powershell|wscript|cscript|http).*/
      )
    ),
  1, 0) as CmdBatchAbuse
| OfficeMacroSpawn + SuspiciousScriptInterp + MshtaAbuse + CmdBatchAbuse as TotalScore
| where TotalScore > 0
// Human-readable label listing every branch that fired
| trim(concat(
    if(OfficeMacroSpawn=1, "OfficeMacroSpawn ", ""),
    if(SuspiciousScriptInterp=1, "SuspiciousScriptInterp ", ""),
    if(MshtaAbuse=1, "MshtaAbuse ", ""),
    if(CmdBatchAbuse=1, "CmdBatchAbuse", "")
  )) as DetectionType
| fields _time, _sourceHost, UserName, ProcessImage, CommandLine, ParentImage, ParentCommandLine, OfficeMacroSpawn, SuspiciousScriptInterp, MshtaAbuse, CmdBatchAbuse, TotalScore, DetectionType
| sort by _time desc

Detects T1064 scripting abuse in Sumo Logic using Sysmon EventCode 1 or Windows Security EventID 4688 process creation records. Parses image paths and command lines from raw message fields to normalize process names, then evaluates four detection branches: Office application macro spawns of script interpreters, wscript.exe/cscript.exe invoked with download or COM object arguments, mshta.exe loading remote or protocol-handler scripts, and cmd.exe running obfuscated LOLBin chains. Outputs a composite score and concatenated detection type label for triage prioritization.
Data Sources
Required Tables
False Positives & Tuning
- Office-integrated automation tools such as Bloomberg Terminal add-ins, SAP GUI scripting, or custom VBA macros that legitimately invoke cscript.exe or wscript.exe for data export or workflow automation
- Enterprise IT management scripts distributed via Group Policy or SCCM that use cmd.exe with certutil to verify file checksums during controlled software deployments
- Legacy web-based enterprise applications wrapped as .hta files loaded by mshta.exe that reference corporate intranet URLs or use javascript: protocol handlers for navigation
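To see the four branches and the tuning allowlist operate on concrete records, here is a Python re-implementation of the query's logic run over constructed Sysmon EventCode 1 and Security EventID 4688 message bodies. This is an added example, not code from the page or from Sumo Logic: the sample events, the CorpAddIn script path, the CcmExec.exe parent and the allowlist entries are constructed to stand in for the false-positive classes listed above, and the field extractors anchor each field name to a line start, which is slightly stricter than the query's unanchored regexes.

```python
"""Python re-implementation of the four T1064 branches from the Sumo Logic
query above, plus a tuning allowlist. Added illustration; all sample events
and allowlist entries are constructed, not taken from a real environment."""
import re
from typing import Optional

# Process lists copied from the query's branches.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "onenote.exe", "access.exe", "visio.exe"}
CMD_OFFICE_PARENTS = OFFICE_PARENTS - {"visio.exe"}   # branch 4's list omits visio.exe
SCRIPT_CHILDREN = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe",
                   "powershell.exe", "pwsh.exe", "regsvr32.exe", "rundll32.exe"}

# Field extractors mirroring the query's parse regex stages, anchored to line
# starts ((?m)^) so that "ParentImage:" can never satisfy the "Image:" pattern.
FIELD_RE = {
    "ProcessImage": re.compile(r"(?m)^(?:Image|NewProcessName):\s*([^\r\n]+)"),
    "ParentImage": re.compile(r"(?m)^(?:ParentImage|ParentProcessName):\s*([^\r\n]+)"),
    "CommandLine": re.compile(r"(?m)^(?:CommandLine|ProcessCommandLine):\s*([^\r\n]+)"),
    "UserName": re.compile(r"(?m)^(?:User|SubjectUserName|AccountName):\s*([^\r\n]+)"),
}
# Branch predicates, same alternations as the query (run on the lowercased command line).
INTERP_ARGS = re.compile(r"invoke-expression|iex\(|downloadstring|downloadfile|net\.webclient|"
                         r"createobject|shell\.application|shellexecute|wscript\.shell|https?://|certutil|bitsadmin")
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh|hta)\b", re.IGNORECASE)
MSHTA_ARGS = re.compile(r"vbscript:|javascript:|https?://|//|\\\\")
CMD_OBFUSC = re.compile(r"\^\^|&&|\|\|")
CMD_LOLBIN = re.compile(r"certutil|bitsadmin|powershell|wscript|cscript|http")


def parse_message(message: str) -> dict:
    """Extract the fields the query parses and derive the normalised names."""
    f = {}
    for name, rx in FIELD_RE.items():
        m = rx.search(message)
        f[name] = m.group(1).strip() if m else ""
    f["ProcessName"] = f["ProcessImage"].rsplit("\\", 1)[-1].lower()
    f["ParentProcessName"] = f["ParentImage"].rsplit("\\", 1)[-1].lower()
    f["CommandLineLower"] = f["CommandLine"].lower()
    return f


def score(f: dict) -> dict:
    """Evaluate the four branches and build TotalScore / DetectionType."""
    p, c, cl = f["ParentProcessName"], f["ProcessName"], f["CommandLineLower"]
    branches = {
        "OfficeMacroSpawn": p in OFFICE_PARENTS and c in SCRIPT_CHILDREN,
        "SuspiciousScriptInterp": c in ("wscript.exe", "cscript.exe") and bool(
            INTERP_ARGS.search(cl) or SCRIPT_EXT.search(f["CommandLine"])),
        "MshtaAbuse": c == "mshta.exe" and bool(MSHTA_ARGS.search(cl)),
        "CmdBatchAbuse": c == "cmd.exe" and (p in CMD_OFFICE_PARENTS or bool(
            CMD_OBFUSC.search(cl) and CMD_LOLBIN.search(cl))),
    }
    hits = [name for name, hit in branches.items() if hit]
    return {**branches, "TotalScore": len(hits), "DetectionType": " ".join(hits)}


# Constructed tuning allowlist for the false-positive classes listed above:
# (parent name, child name, regex over the lowercased command line).
TUNING_ALLOWLIST = [
    ("excel.exe", "cscript.exe", re.compile(r"c:\\program files\\corpaddin\\")),  # Office add-in export script
    ("ccmexec.exe", "cmd.exe", re.compile(r"certutil -hashfile")),              # SCCM checksum verification
]


def is_allowlisted(f: dict) -> bool:
    """True when a tuning entry matches parent, child and command line together."""
    return any(f["ParentProcessName"] == parent and f["ProcessName"] == child
               and rx.search(f["CommandLineLower"]) for parent, child, rx in TUNING_ALLOWLIST)


def detect(message: str) -> Optional[dict]:
    """Parse, score, then tune one event; None mirrors `where TotalScore > 0`."""
    f = parse_message(message)
    result = score(f)
    if result["TotalScore"] == 0:
        return None
    result["Suppressed"] = is_allowlisted(f)
    return result


# Constructed sample messages: Sysmon EventCode 1 layout, plus one Security 4688 layout.
def _sysmon(image, cmdline, parent):
    return f"Process Create:\nImage: {image}\nCommandLine: {cmdline}\nUser: CORP\\alice\nParentImage: {parent}"


OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLES = {
    "macro_spawn": _sysmon(r"C:\Windows\System32\wscript.exe",
                           r"wscript.exe //B C:\Users\alice\AppData\Local\Temp\df00tech_test.vbs",
                           OFFICE16 + r"\WINWORD.EXE"),
    "mshta_remote": _sysmon(r"C:\Windows\System32\mshta.exe",
                            "mshta.exe http://127.0.0.1:8080/df00tech_test.hta",
                            r"C:\Windows\explorer.exe"),
    "powershell_child": _sysmon(r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
                                r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    "addin_export": _sysmon(r"C:\Windows\System32\cscript.exe",
                            r'cscript.exe //nologo "C:\Program Files\CorpAddIn\export.vbs" /sheet:Q2',
                            OFFICE16 + r"\EXCEL.EXE"),
    "sccm_checksum": ("A new process has been created.\nSubjectUserName: SYSTEM\n"
                      r"NewProcessName: C:\Windows\System32\cmd.exe" "\n"
                      r"ProcessCommandLine: cmd.exe /c certutil -hashfile C:\Deploy\app.msi SHA256 && echo verified" "\n"
                      r"ParentProcessName: C:\Windows\CCM\CcmExec.exe"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:16s} -> {detect(msg)}")
```

The `powershell_child` sample reproduces the caveat in Test 4 of the testing methodology: cmd.exe spawned by powershell.exe with no chaining operators fires no branch, so the simulation only exercises the OfficeMacroSpawn path when the parent is a real Office process. Note also that branch 4's Office parent list omits visio.exe while branch 1's includes it, which matters when you tune per-branch suppressions.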
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: VBScript Download Cradle via wscript.exe
Expected signal: Sysmon Event ID 1: Process Create with Image=wscript.exe, CommandLine referencing df00tech_test.vbs. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8080 from wscript.exe (connection will fail). Sysmon Event ID 11: File creation of df00tech_test.vbs in %TEMP%.
- Test 2: JScript Execution via cscript.exe with Shell Command
Expected signal: Sysmon Event ID 1: Process Create for cscript.exe with CommandLine referencing df00tech_shell.js. Sysmon Event ID 1 (child): cmd.exe spawned by cscript.exe with 'whoami' command. Sysmon Event ID 11: Output file creation in %TEMP%.
- Test 3: MSHTA Remote HTA Execution
Expected signal: Sysmon Event ID 1: Process Create with Image=mshta.exe, CommandLine='mshta.exe http://127.0.0.1:8080/df00tech_test.hta'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8080 (will fail; no listener). The process creation event fires regardless of connection success.
- Test 4: Simulated Office Macro Child Process (cmd.exe spawned from Word context)
Expected signal: Sysmon Event ID 1: powershell.exe process create followed by cmd.exe child process. Security Event ID 4688 (if command line auditing enabled) for both processes. To fully test the OfficeMacroSpawn detection branch, the test would need to originate from a running winword.exe process; this simulation exercises the cmd.exe execution and output paths.
- Test 5: VBScript Inline Execution via mshta vbscript: Protocol
Expected signal: Sysmon Event ID 1: Process Create with Image=mshta.exe, CommandLine containing 'vbscript:Execute'. A dialog box will appear briefly; dismiss it. No network connections or file writes are expected for this test variant.
References (11)
- https://attack.mitre.org/techniques/T1064/
- https://attack.mitre.org/techniques/T1059/
- https://www.uperesia.com/analyzing-malicious-office-documents
- https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1064/T1064.md
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
- https://lolbas-project.github.io/lolbas/Binaries/Mshta/
- https://github.com/mandiant/OfficeMalScanner