Execute Script with spoofed extension

calendar May 3, 2021  ยท
Share on: linkedin copy

Execute Script with spoofed extension

Sigma rule (View on GitHub)

 1title: Execute Script with spoofed extension
 2status: experimental
 3description: Execute Script with spoofed extension
 4author: Joe Security
 5date: 2020-12-04
 6id: 200092
 7threatname:
 8behaviorgroup: 1
 9classification: 8
10mitreattack:
11
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        CommandLine:
18            - '*/e:jscript*\\*.txt*'
19            - '*/e:jscript*\\*.pdf*'
20            - '*/e:jscript*\\*.htm*'
21            - '*/e:jscript*\\*.png*'
22            - '*/e:jscript*\\*.jpeg*'
23            - '*/e:jscript*\\*.jpg*'              
24    condition: selection
25level: critical
to-top