From f77cdcfb3581ceeb4f284d594dafe50c7096bb1d Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Wed, 9 Sep 2020 17:21:00 -0400 Subject: [PATCH 1/2] .jse related techniques --- Delivery/detect-jscript-file-creation.md | 46 +++++++++++++++++++++++ Execution/jse-launched-by-word.md | 48 ++++++++++++++++++++++++ 2 files changed, 94 insertions(+) create mode 100644 Delivery/detect-jscript-file-creation.md create mode 100644 Execution/jse-launched-by-word.md diff --git a/Delivery/detect-jscript-file-creation.md b/Delivery/detect-jscript-file-creation.md new file mode 100644 index 00000000..5232cff1 --- /dev/null +++ b/Delivery/detect-jscript-file-creation.md @@ -0,0 +1,46 @@ +# Detect .jse file creation events + +This query was originally published in the threat analytics report, *Emulation-evading JavaScripts*. + +Attackers in several ransomware campaigns have employed heavily obfuscated JavaScript code, in order to implant malware or execute malicious commands. The obfuscation is intended to help the code evade security systems and potentially escape sandbox environments. + +The following query detects the creation of files with a *.jse* extension. Certain ransomware campaigns, such as [Emotet](https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/), are known to employ encrypted JavaScript code that is saved to the target as *.jse* files. + +See [Detect potentially malicious .jse launch by File Explorer or Word](../Execution/jse-launched-by-word.md) for a similar technique. + +## Query + +```Kusto +​// Creation of any .jse file, including legitimate and malicious ones +DeviceFileEvents +| where Timestamp > ago(7d) +| where FileName endswith ".jse" +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? (v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | v | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | v | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## See also + +## Contributor info + +**Contributor:** Microsoft Threat Protection team diff --git a/Execution/jse-launched-by-word.md b/Execution/jse-launched-by-word.md new file mode 100644 index 00000000..dd356a0e --- /dev/null +++ b/Execution/jse-launched-by-word.md @@ -0,0 +1,48 @@ +# Detect potentially malicious .jse launch by File Explorer or Word + +This query was originally published in the threat analytics report, *Emulation-evading JavaScripts*. + +Attackers in several ransomware campaigns have employed heavily obfuscated JavaScript code, in order to implant malware or execute malicious commands. The obfuscation is intended to help the code evade security systems and potentially escape sandbox environments. + +The following query detects when Word or File Explorer have launched files with a *.jse* extension. Attackers involved in various [human-operated campaigns](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) have been known to embed a heavily obfuscated JavaScript file in malicious Word docs. The loader is used to download and install the banking trojan, Trickbot. + +See [Detect .jse file creation events](../Delivery/detect-jscript-file-creation.md) for a similar technique. + +## Query + +```Kusto +// Find potentially malicious .jse launch by File Explorer or Word +DeviceProcessEvents +| where Timestamp > ago(7d) +| where InitiatingProcessFileName in~ ("explorer.exe","winword.exe") +and FileName =~ "wscript.exe" +and ProcessCommandLine contains ".jse" +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? (v=yes) | Notes | +|-|-|-| +| Initial access | v | | +| Execution | v | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | v | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## See also + +## Contributor info + +**Contributor:** Microsoft Threat Protection team From a333ae1ebd995ce84d7791233e7d745a454e8cd9 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Thu, 10 Sep 2020 14:54:17 -0400 Subject: [PATCH 2/2] rm'd empty section --- Delivery/detect-jscript-file-creation.md | 2 -- Execution/jse-launched-by-word.md | 2 -- 2 files changed, 4 deletions(-) diff --git a/Delivery/detect-jscript-file-creation.md b/Delivery/detect-jscript-file-creation.md index 5232cff1..0a172e64 100644 --- a/Delivery/detect-jscript-file-creation.md +++ b/Delivery/detect-jscript-file-creation.md @@ -39,8 +39,6 @@ This query can be used to detect the following attack techniques and tactics ([s | Misconfiguration | | | | Malware, component | | | -## See also - ## Contributor info **Contributor:** Microsoft Threat Protection team diff --git a/Execution/jse-launched-by-word.md b/Execution/jse-launched-by-word.md index dd356a0e..ed298707 100644 --- a/Execution/jse-launched-by-word.md +++ b/Execution/jse-launched-by-word.md @@ -41,8 +41,6 @@ This query can be used to detect the following attack techniques and tactics ([s | Misconfiguration | | | | Malware, component | | | -## See also - ## Contributor info **Contributor:** Microsoft Threat Protection team