cuckoo-modified
Missing Scripting Activity (Mshta, Powershell, and WmiPrvse)
Kovter uses mshta and powershell and the monitor seems to be missing those processes in my tests. This sample (can be downloaded from VT) will execute the scripting engines:
15c237f6b74af2588b07912bf18e2734594251787871c9638104e4bf5de46589
The data is not reported in the cuckoo-modified behavior.
For a plot of the scripting engines working for this Kovter sample (PIDs 2028, 2724, and 3028), you can see:
https://keithjjones.github.io/visualize_logs.github.io/gallery/procmoncsv/kovter1_example2.html
I see one potential problem here, will look into it and see if it's the root cause.
-Brad
@spender-sandbox you are awesome. Hopefully in the next week or so I should have a library where you can plot behavior like the example I put above. It just reads the report json and makes the plot. Written as a Python library.
Let me know if there is anything I can do for this issue. I'm using Kovter as an example in my grad school project and was surprised the scripting engines did not show up.
@spender-sandbox could it be that the processes aren't started in the tree below the sample so they aren't shown?
Is there any progress on this and / or what needs to be done identified?
I took a look at it again today, not sure if it's actually running mshta in all cases. In the one case where I saw it run definitively (due to an error in the script) Cuckoo was able to see it fine. There are some other problems though that I've written up fixes for; still want to do some more investigation. In the meantime, you'll probably get better results by disabling sleep skipping and setting no-stealth=1.
-Brad
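The check behind this issue, as an added example that is not part of the thread or of cuckoo-modified itself: given a report.json, list which scripting engines (mshta.exe, powershell.exe, wmiprvse.exe) the monitor actually captured, which of those are present in the flat process list but absent from the process tree (the possibility raised above, that they were spawned outside the sample's subtree), and which were expected from an external trace but never reported at all. The report layout assumed here (`behavior.processes` entries carrying `pid` and `process_name`, and a nested `behavior.processtree`) follows the general Cuckoo report shape; the sample report embedded below is constructed for the example, reusing the PIDs from the procmon plot linked in the issue.

```python
import json

# Scripting engines this issue is about; names are compared case-insensitively.
SCRIPTING_ENGINES = {"mshta.exe", "powershell.exe", "wmiprvse.exe"}

# Constructed stand-in for a cuckoo-modified report.json (assumed layout, not a real report).
# sample.exe spawns mshta (2028), which spawns powershell (2724); wmiprvse (3028) was seen
# in the external procmon trace but never monitored, and powershell is missing from the tree.
SAMPLE_REPORT = {
    "target": {"file": {"sha256": "<sample sha256 placeholder>"}},
    "behavior": {
        "processes": [
            {"pid": 1000, "parent_id": 500, "process_name": "sample.exe", "calls": []},
            {"pid": 2028, "parent_id": 1000, "process_name": "mshta.exe", "calls": []},
            {"pid": 2724, "parent_id": 2028, "process_name": "powershell.exe", "calls": []},
        ],
        "processtree": [
            {
                "pid": 1000,
                "name": "sample.exe",
                "children": [
                    {"pid": 2028, "name": "mshta.exe", "children": []},
                ],
            }
        ],
    },
}


def load_report(path):
    """Read a report.json from disk (hypothetical helper for real use)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def observed_scripting_engines(report):
    """Map each scripting engine that the monitor captured to the PIDs it ran under."""
    found = {}
    for proc in report.get("behavior", {}).get("processes", []):
        name = proc.get("process_name", "").lower()
        if name in SCRIPTING_ENGINES:
            found.setdefault(name, []).append(proc["pid"])
    return found


def _walk_tree(nodes):
    """Depth-first traversal over the nested processtree entries."""
    for node in nodes:
        yield node
        yield from _walk_tree(node.get("children", []))


def missing_from_tree(report):
    """Engines present in the flat process list but absent from the process tree.

    This is the case suggested in the thread: a process was monitored but is not
    rendered below the sample because the tree does not contain it.
    """
    tree = report.get("behavior", {}).get("processtree", [])
    tree_pids = {node["pid"] for node in _walk_tree(tree)}
    return {
        name: [pid for pid in pids if pid not in tree_pids]
        for name, pids in observed_scripting_engines(report).items()
    }


def expected_but_unreported(report, expected=SCRIPTING_ENGINES):
    """Engines an analyst expected (e.g. from a procmon run) that the report never monitored."""
    return sorted(set(expected) - set(observed_scripting_engines(report)))


if __name__ == "__main__":
    report = SAMPLE_REPORT  # swap for load_report("path/to/report.json") on a real analysis
    print("observed:", observed_scripting_engines(report))
    print("in process list but not in tree:", missing_from_tree(report))
    print("expected but never monitored:", expected_but_unreported(report))
```

Running `expected_but_unreported` against a real report after re-analysing with sleep skipping disabled and no-stealth=1 is a quick way to tell whether the missing engines were a monitoring gap or simply never executed in that run.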