From 06e3ce353bb80e34dab81fbc8accab77435e44cb Mon Sep 17 00:00:00 2001
From: Josh
Date: Fri, 6 Sep 2024 05:39:17 -0400
Subject: [PATCH] Merge PR #4998 from @joshnck - Add `DNS Request From Windows Script Host`
new: DNS Request From Windows Script Host
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ...s_query_win_wscript_cscript_resolution.yml | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 rules-placeholder/windows/dns_query/dns_query_win_wscript_cscript_resolution.yml
diff --git a/rules-placeholder/windows/dns_query/dns_query_win_wscript_cscript_resolution.yml b/rules-placeholder/windows/dns_query/dns_query_win_wscript_cscript_resolution.yml
new file mode 100644
index 000000000..3123561fc
--- /dev/null
+++ b/rules-placeholder/windows/dns_query/dns_query_win_wscript_cscript_resolution.yml
@@ -0,0 +1,42 @@
+title: DNS Request From Windows Script Host
+id: 12310575-e8b1-475c-a976-57ed540b349c
+status: experimental
+description: |
+ Detects unusual domain resolutions originating from CScript/WScript that can identify malicious javascript files executing in an environment, often as a result from a phishing or watering hole attack.
+author: Josh Nickels, Marius Rothenbücher
+references:
+ - Internal Research
+date: 2024-09-06
+tags:
+ - attack.execution
+ - attack.t1059
+logsource:
+ product: windows
+ category: dns_query
+detection:
+ selection:
+ Image|endswith:
+ - '\wscript.exe'
+ - '\cscript.exe'
+ QueryName|contains: '.' # Ensures that lookups are for external hosts
+ filter_main_internal_domains: # Populate this placeholder with known and expected internal domains
+ QueryName|expand: '%internal_domains%'
+ filter_optional_trusted_domains: # Mostly certificate distribution domains
+ - QueryName:
+ - 'crl.starfieldtech.com'
+ - 'ocsp.usertrust.com'
+ - 'officecdn.microsoft.com'
+ - 'oneocsp.microsoft.com'
+ - 'oscp.comodoca.com'
+ - 'oscp.sectigo.com'
+ - 'oscp.starfieldtech.com'
+ - 'www.python.org'
+ - QueryName|endswith:
+ - '.digicert.com'
+ - '.entrust.net'
+ - '.globalsign.net'
+ - '.verisign.com'
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+ - Script files making expected domain requests
+level: low
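Review bot: Three of the exact-match entries under `filter_optional_trusted_domains` are spelled `oscp.` rather than `ocsp.` (`oscp.comodoca.com`, `oscp.sectigo.com`, `oscp.starfieldtech.com`), which looks like a transposition given the correctly spelled `ocsp.usertrust.com` on the same list; if so, the filter never matches the real OCSP responder lookups it is meant to suppress and those become recurring low-level alerts. The intended lines are presumably `- 'ocsp.comodoca.com'`, `- 'ocsp.sectigo.com'` and `- 'ocsp.starfieldtech.com'`, but confirm against observed telemetry before changing, since an exact-match allowlist should reflect hostnames actually seen. Separately, the inline comment on `QueryName|contains: '.'` overstates what the condition does: any FQDN, internal ones included, contains a dot, so the condition only drops single-label lookups and the internal-host exclusion actually rests on `filter_main_internal_domains` being populated; suggest `# Excludes single-label names only; internal FQDNs must be covered by filter_main_internal_domains`.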