
Script Interpreter Execution From Suspicious Folder

Status: test
Severity: high
Log source: product windows, category process_creation
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source: github.com/SigmaHQ/sigma

Detects suspicious script execution from suspicious directories or folders accessible by environment variables that may indicate malware activity. Script interpreters (cscript, wscript, mshta, powershell) executing from folders like Temp, Public, or user profile directories may suggest attempts to evade detection or execute malicious scripts.

MITRE ATT&CK coverage

Tactic: Execution (attack.execution); Technique: T1059 Command and Scripting Interpreter (attack.t1059), as declared in the rule's tags.

Event coverage

| Provider | Event      | Title            |
|----------|------------|------------------|
| Sysmon   | Event ID 1 | Process creation |

Rule body (YAML)

title: Script Interpreter Execution From Suspicious Folder
id: 1228c958-e64e-4e71-92ad-7d429f4138ba
status: test
description: |
    Detects suspicious script execution from suspicious directories or folders accessible by environment variables that may indicate malware activity.
    Script interpreters (cscript, wscript, mshta, powershell) executing from folders like Temp, Public, or user profile directories may suggest attempts to evade detection or execute malicious scripts.
references:
    - https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military
    - https://learn.microsoft.com/en-us/windows/win32/shell/csidl
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-08
modified: 2026-02-17
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_proc_image:
        Image|endswith:
            - '\cscript.exe'
            - '\mshta.exe'
            - '\wscript.exe'
    selection_proc_flags:
        CommandLine|contains:
            - ' -ep bypass '
            - ' -ExecutionPolicy bypass '
            - ' -w hidden '
            - '/e:javascript '
            - '/e:Jscript '
            - '/e:vbscript '
    selection_proc_original:
        OriginalFileName:
            - 'cscript.exe'
            - 'mshta.exe'
            - 'wscript.exe'
    selection_folders_1:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\%Public%'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\Temp'
            - '\Temporary Internet'
            - '\Windows\Temp'
            - '\Start Menu\Programs\Startup\'
            - '%TEMP%'
            - '%TMP%'
            - '%LocalAppData%\Temp'
    selection_folders_2:
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Documents\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Music\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Pictures\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Videos\'
    filter_optional_chocolatey_installer:
        ParentImage:
            - 'C:\Windows\System32\Msiexec.exe'
            - 'C:\Windows\SysWOW64\Msiexec.exe'
        Image|endswith: '\powershell.exe'
        CommandLine|contains|all:
            - '-NoProfile -ExecutionPolicy Bypass -Command'
            - 'AppData\Local\Temp\'
            - 'Install-Chocolatey.ps1'
    condition: 1 of selection_proc_* and 1 of selection_folders_* and not 1 of filter_optional_*
falsepositives:
    - Various legitimate software have been observed to use similar techniques for installation or update purposes; thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
level: high

Stages and Predicates

Stage 0: condition

1 of selection_proc_* and 1 of selection_folders_* and not 1 of filter_optional_*

Stage 1: selection_proc_image

selection_proc_image:
    Image|endswith:
        - '\cscript.exe'
        - '\mshta.exe'
        - '\wscript.exe'

Stage 2: selection_proc_flags

selection_proc_flags:
    CommandLine|contains:
        - ' -ep bypass '
        - ' -ExecutionPolicy bypass '
        - ' -w hidden '
        - '/e:javascript '
        - '/e:Jscript '
        - '/e:vbscript '

Stage 3: selection_proc_original

selection_proc_original:
    OriginalFileName:
        - 'cscript.exe'
        - 'mshta.exe'
        - 'wscript.exe'

Stage 4: selection_folders_1

selection_folders_1:
    CommandLine|contains:
        - ':\Perflogs\'
        - ':\Users\Public\'
        - '\%Public%'
        - '\AppData\Local\Temp'
        - '\AppData\Roaming\Temp'
        - '\Temporary Internet'
        - '\Windows\Temp'
        - '\Start Menu\Programs\Startup\'
        - '%TEMP%'
        - '%TMP%'
        - '%LocalAppData%\Temp'

Stage 5: selection_folders_2

selection_folders_2:
    - CommandLine|contains|all:
          - ':\Users\'
          - '\Favorites\'
    - CommandLine|contains|all:
          - ':\Users\'
          - '\Favourites\'
    - CommandLine|contains|all:
          - ':\Users\'
          - '\Contacts\'
    - CommandLine|contains|all:
          - ':\Users\'
          - '\Documents\'
    - CommandLine|contains|all:
          - ':\Users\'
          - '\Music\'
    - CommandLine|contains|all:
          - ':\Users\'
          - '\Pictures\'
    - CommandLine|contains|all:
          - ':\Users\'
          - '\Videos\'

Stage 6: not filter_optional_chocolatey_installer

filter_optional_chocolatey_installer:
    ParentImage:
        - 'C:\Windows\System32\Msiexec.exe'
        - 'C:\Windows\SysWOW64\Msiexec.exe'
    Image|endswith: '\powershell.exe'
    CommandLine|contains|all:
        - '-NoProfile -ExecutionPolicy Bypass -Command'
        - 'AppData\Local\Temp\'
        - 'Install-Chocolatey.ps1'

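To make the condition `1 of selection_proc_* and 1 of selection_folders_* and not 1 of filter_optional_*` concrete, the following is an added Python evaluator written for this page; it is not SigmaHQ code nor the output of any Sigma backend. It applies the rule's predicates to a handful of constructed Sysmon Event ID 1 records and assumes Sigma's default matching semantics: `contains`, `endswith` and plain equality are case-insensitive, a list of values under one field is an OR, several fields inside one selection are ANDed, and a selection written as a list of maps (selection_folders_2) is an OR of those maps. The event dictionaries, their field names and the sample command lines are all constructed for the example.

```python
"""Evaluate the 'Script Interpreter Execution From Suspicious Folder' rule.

Added example (not SigmaHQ code). Sigma string modifiers are case-insensitive
by default, so every comparison below lower-cases both sides.
"""
from __future__ import annotations

from typing import Iterable, Mapping

Event = Mapping[str, str]

# Values copied from the rule body; backslashes are doubled for Python strings.
INTERPRETERS = ("\\cscript.exe", "\\mshta.exe", "\\wscript.exe")
ORIGINAL_NAMES = ("cscript.exe", "mshta.exe", "wscript.exe")
FLAGS = (" -ep bypass ", " -ExecutionPolicy bypass ", " -w hidden ",
         "/e:javascript ", "/e:Jscript ", "/e:vbscript ")
FOLDERS_1 = (":\\Perflogs\\", ":\\Users\\Public\\", "\\%Public%",
             "\\AppData\\Local\\Temp", "\\AppData\\Roaming\\Temp",
             "\\Temporary Internet", "\\Windows\\Temp",
             "\\Start Menu\\Programs\\Startup\\", "%TEMP%", "%TMP%",
             "%LocalAppData%\\Temp")
USER_SUBFOLDERS = ("\\Favorites\\", "\\Favourites\\", "\\Contacts\\",
                   "\\Documents\\", "\\Music\\", "\\Pictures\\", "\\Videos\\")
CHOCO_PARENTS = ("C:\\Windows\\System32\\Msiexec.exe",
                 "C:\\Windows\\SysWOW64\\Msiexec.exe")
CHOCO_CMD_PARTS = ("-NoProfile -ExecutionPolicy Bypass -Command",
                   "AppData\\Local\\Temp\\", "Install-Chocolatey.ps1")


def _lc(event: Event, field: str) -> str:
    """Fetch a field case-folded; a missing field behaves like an empty string."""
    return event.get(field, "").lower()


def _contains_any(value: str, needles: Iterable[str]) -> bool:
    return any(n.lower() in value for n in needles)


def _contains_all(value: str, needles: Iterable[str]) -> bool:
    return all(n.lower() in value for n in needles)


def selection_proc(event: Event) -> bool:
    """'1 of selection_proc_*': interpreter image OR interpreter flags OR OriginalFileName.

    The OriginalFileName branch keeps a renamed copy of the interpreter in scope.
    """
    image, cmd, orig = _lc(event, "Image"), _lc(event, "CommandLine"), _lc(event, "OriginalFileName")
    return (any(image.endswith(s.lower()) for s in INTERPRETERS)
            or _contains_any(cmd, FLAGS)
            or any(orig == o.lower() for o in ORIGINAL_NAMES))


def selection_folders(event: Event) -> bool:
    """'1 of selection_folders_*': a listed folder, or ':\\Users\\' combined with a profile sub-folder."""
    cmd = _lc(event, "CommandLine")
    if _contains_any(cmd, FOLDERS_1):
        return True
    return any(_contains_all(cmd, (":\\Users\\", sub)) for sub in USER_SUBFOLDERS)


def filter_chocolatey(event: Event) -> bool:
    """filter_optional_chocolatey_installer: all three fields must match (AND)."""
    parent = _lc(event, "ParentImage")
    return (any(parent == p.lower() for p in CHOCO_PARENTS)
            and _lc(event, "Image").endswith("\\powershell.exe")
            and _contains_all(_lc(event, "CommandLine"), CHOCO_CMD_PARTS))


def matches(event: Event) -> bool:
    """The rule's condition line, evaluated for one process-creation event."""
    return selection_proc(event) and selection_folders(event) and not filter_chocolatey(event)


# Constructed Sysmon Event ID 1 records (not real telemetry).
SAMPLE_EVENTS: dict[str, dict[str, str]] = {
    "wscript_public": {
        "Image": "C:\\Windows\\System32\\wscript.exe", "OriginalFileName": "wscript.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "wscript.exe \"C:\\Users\\Public\\update.vbs\""},
    "wscript_program_files": {
        "Image": "C:\\Windows\\System32\\wscript.exe", "OriginalFileName": "wscript.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "wscript.exe \"C:\\Program Files\\Vendor\\maint.vbs\""},
    "chocolatey_via_msiexec": {
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE", "ParentImage": "C:\\Windows\\System32\\Msiexec.exe",
        "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "
                       "\"& C:\\Users\\admin\\AppData\\Local\\Temp\\chocolatey\\Install-Chocolatey.ps1\""},
    "chocolatey_cmd_via_cmd": {
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "
                       "\"& C:\\Users\\admin\\AppData\\Local\\Temp\\chocolatey\\Install-Chocolatey.ps1\""},
    "renamed_mshta_documents": {
        "Image": "C:\\Users\\bob\\Documents\\mh.exe", "OriginalFileName": "mshta.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "mh.exe C:\\Users\\bob\\Documents\\page.hta"},
}


def evaluate(events: Mapping[str, Event] = SAMPLE_EVENTS) -> dict[str, bool]:
    """Return {event name: did the rule fire} for every sample event."""
    return {name: matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:28s} {'ALERT' if fired else 'no match'}")
```

Two of the sample results are worth noting when tuning: the Chocolatey install launched by msiexec.exe is suppressed only because all three fields of the filter line up (the same command line under a cmd.exe parent still fires), and a renamed interpreter is still caught through OriginalFileName, which is why the rule carries that third selection alongside the Image suffix check.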
Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

| Field       | Kind       | Excluded value                               |
|-------------|------------|----------------------------------------------|
| ParentImage | eq         | C:\Windows\SysWOW64\Msiexec.exe              |
| ParentImage | eq         | C:\Windows\System32\Msiexec.exe              |
| CommandLine | match      | -NoProfile -ExecutionPolicy Bypass -Command  |
| CommandLine | match      | AppData\Local\Temp\                          |
| CommandLine | match      | Install-Chocolatey.ps1                       |
| Image       | ends_with  | \powershell.exe                              |

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

| Field            | Kind       | Value                          | Corpus                              |
|------------------|------------|--------------------------------|-------------------------------------|
| CommandLine      | match      | -ExecutionPolicy bypass        |                                     |
| CommandLine      | match      | -ep bypass                     |                                     |
| CommandLine      | match      | -w hidden                      | 5 (sigma 5)                         |
| CommandLine      | match      | %LocalAppData%\Temp            | 2 (sigma 2)                         |
| CommandLine      | match      | %TEMP%                         | 16 (sigma 13, chronicle 2, kusto 1) |
| CommandLine      | match      | %TMP%                          | 15 (sigma 13, chronicle 2)          |
| CommandLine      | match      | /e:Jscript                     |                                     |
| CommandLine      | match      | /e:javascript                  |                                     |
| CommandLine      | match      | /e:vbscript                    |                                     |
| CommandLine      | match      | :\Perflogs\                    | 11 (sigma 11)                       |
| CommandLine      | match      | :\Users\                       | 6 (sigma 6)                         |
| CommandLine      | match      | :\Users\Public\                | 18 (sigma 18)                       |
| CommandLine      | match      | \%Public%                      |                                     |
| CommandLine      | match      | \AppData\Local\Temp            | 8 (sigma 8)                         |
| CommandLine      | match      | \AppData\Roaming\Temp          | 2 (sigma 2)                         |
| CommandLine      | match      | \Contacts\                     | 6 (sigma 6)                         |
| CommandLine      | match      | \Documents\                    | 2 (sigma 2)                         |
| CommandLine      | match      | \Favorites\                    | 6 (sigma 6)                         |
| CommandLine      | match      | \Favourites\                   | 6 (sigma 6)                         |
| CommandLine      | match      | \Music\                        | 3 (sigma 3)                         |
| CommandLine      | match      | \Pictures\                     | 4 (sigma 4)                         |
| CommandLine      | match      | \Start Menu\Programs\Startup\  | 3 (sigma 3)                         |
| CommandLine      | match      | \Temporary Internet            | 7 (sigma 7)                         |
| CommandLine      | match      | \Videos\                       | 3 (sigma 3)                         |
| CommandLine      | match      | \Windows\Temp                  | 3 (sigma 3)                         |
| Image            | ends_with  | \cscript.exe                   | 73 (sigma 73)                       |
| Image            | ends_with  | \mshta.exe                     | 67 (sigma 67)                       |
| Image            | ends_with  | \wscript.exe                   | 75 (sigma 75)                       |
| OriginalFileName | eq         | cscript.exe                    | 19 (sigma 17, elastic 2)            |
| OriginalFileName | eq         | mshta.exe                      | 22 (sigma 13, splunk 6, elastic 3)  |
| OriginalFileName | eq         | wscript.exe                    | 20 (sigma 17, elastic 3)            |