Windows Scripting Host Executing JScript Files with MS-DOS Short Names (RedCanary Threat Detection Report)
Detects Windows scripting host executing JavaScript files with MS-DOS shortname formatting, a technique associated with Gootloader. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Windows Scripting Host Executing JScript Files with MS-DOS Short Names (RedCanary Threat Detection Report)
2id: 1aa0b866-727e-480f-9694-6bd694e2855d
3status: experimental
4description: Detects Windows scripting host executing JavaScript files with MS-DOS shortname formatting, a technique associated with Gootloader. Part of the RedCanary 2023 Threat Detection Report.
5references:
6 - https://redcanary.com/threat-detection-report/threats/gootloader/
7author: RedCanary, Sigma formatting by Micah Babinski
8date: 2023/05/10
9tags:
10 - attack.defense_evasion
11 - attack.t1036
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 Image|endswith: '\cscript.exe'
18 CommandLine|contains: '~1.js'
19 condition: selection
20falsepositives:
21 - Unknown
22level: low```
References
-
A common entry point for Cobalt Strike into enterprises, Gootloader made significant changes to its execution flow in 2022.
Read More
Related rules
- Potential Homoglyph Attack Using Lookalike Characters
- Suspicious CodePage Switch Via CHCP
- Process Creation With Double File Extension
- Suspicious Command Line Containing Right-to-Left Override
- Bumblebee WmiPrvSE execution pattern