Wscript.exe Executing Agreement Javascript in AppData Folder

 1title: Wscript.exe Executing Agreement Javascript in AppData Folder
 2id: c9677b37-50f0-44d3-b8f8-24b5b5eed570
 3status: experimental
 4description: Detects potential stage 1 Gootloader javascript execution.
 5references:
 6    - https://redcanary.com/blog/gootloader/
 7    - https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader
 8author: Micah Babinski
 9date: 2022/11/07
10tags:
11    - attack.execution
12    - attack.t1059
13    - attack.t1059.005
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        Image|endswith: '\wscript.exe'
20        CommandLine|contains|all:
21            - '\appdata\'
22            - 'agreement'
23        CommandLine|endswith: '.js'
24    condition: selection
25falsepositives:
26    - Unknown
27level: high```

References

• The Goot cause: Detecting Gootloader and its follow-on activity

  

  Gootloader is a pervasive threat affecting enterprise organizations. This blog includes malware analysis and detection opportunities.

  
  Read More

• GootLoader, From SEO Poisoning to Multi-Stage Downloader

  

  GootLoader initially rose to notoriety as the sophisticated multi-staged downloader of GootKit malware. Over the years, this dropper has become more advanced, and it has diversified its payload capabilities beyond just delivering its namesake malware.

  
  Read More

Related rules

• Suspicious Powershell Cmdlets
• Suspicious WMI-Related Powershell Cmdlets
• File Was Not Allowed To Run
• PCRE.NET Package Temp Files
• Base64 Encoding in CMD or Powershell