WScript Spawned from a Browser Making External Network Connections

While JavaScript is everywhere on the web, it is rather unusual for the browser to download a JavaScript file and execute it via the Windows Script Host (wscript.exe). When this downloaded script starts communicating with devices outside of your network, things get even more suspicious. That said, this detection analytic may be noisy in some environments, so be prepared to identify what scripts are normally run in this way to tune out the noise. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule

```yaml
title: WScript Spawned from a Browser Making External Network Connections
id: 6d873a6b-2287-494a-a5c8-2dff432cfc09
status: experimental
description: |
    While JavaScript is everywhere on the web, it is rather unusual for the browser to download
    a JavaScript file and execute it via the Windows Script Host (wscript.exe). When this
    downloaded script starts communicating with devices outside of your network, things get even
    more suspicious. That said, this detection analytic may be noisy in some environments, so be
    prepared to identify what scripts are normally run in this way to tune out the noise. Part of
    the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/socgholish/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
        Image|endswith: '\wscript.exe'
    filter_local_ips: # optional, if you want to remove results where the destination IP is a private or local address
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection and not filter_local_ips
falsepositives:
    - Unknown
level: low
```
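As an added example that is not part of the rule page or the Sigma project, the following Python applies the rule's logic (`selection and not filter_local_ips`) to Sysmon-style events. One caveat a practitioner should plan for before deploying this rule: Sysmon's network connection event (Event ID 3) carries `Image` and `ProcessGuid` but no `ParentImage`, so the rule only works against a log source that already enriches network events with the parent process, or after a join against process creation events (Event ID 1) on `ProcessGuid`, which is what the example does. The event records, GUIDs and helper names (`detect`, `is_local`, `matches_selection`) are constructed for illustration; destination addresses use the documentation ranges 203.0.113.0/24 and 2001:db8::/32.

```python
"""Added example: apply the WScript-from-browser network rule to Sysmon-style events.

Network connection events (Sysmon EID 3) carry Image and ProcessGuid but no
ParentImage, so the parent is looked up from process creation events (EID 1)
keyed on ProcessGuid before the rule's selection and CIDR filter are applied.
All event records below are constructed sample data, not real telemetry.
"""
import ipaddress

# Values taken from the rule's selection and filter_local_ips sections.
BROWSERS = ("\\brave.exe", "\\chrome.exe", "\\msedge.exe", "\\opera.exe", "\\vivaldi.exe")
SCRIPT_HOST = "\\wscript.exe"
LOCAL_NETS = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
    )
]


def is_local(ip_text: str) -> bool:
    """True when the address falls inside one of the rule's private/local ranges.

    Unparsable or missing addresses return False so the event is NOT suppressed;
    a filter should only drop what it can positively classify as local.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    # Treat an IPv4-mapped IPv6 address (::ffff:10.0.0.5) as its IPv4 form.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Membership across IP versions is simply False in the ipaddress module.
    return any(ip in net for net in LOCAL_NETS)


def matches_selection(event: dict) -> bool:
    """Sigma 'endswith' is case-insensitive, so compare lower-cased paths."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    return image.endswith(SCRIPT_HOST) and parent.endswith(BROWSERS)


def detect(process_events: list, network_events: list) -> list:
    """Return network events that satisfy: selection and not filter_local_ips."""
    # Join key: ProcessGuid identifies one process instance across Sysmon events.
    parent_by_guid = {e["ProcessGuid"]: e["ParentImage"] for e in process_events}
    hits = []
    for event in network_events:
        enriched = dict(event)
        enriched.setdefault("ParentImage", parent_by_guid.get(event.get("ProcessGuid"), ""))
        if matches_selection(enriched) and not is_local(enriched.get("DestinationIp", "")):
            hits.append(enriched)
    return hits


# Constructed sample telemetry (hypothetical GUIDs, documentation IP ranges).
PROCESS_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "{C}", "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"EventID": 1, "ProcessGuid": "{D}", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]
NETWORK_EVENTS = [
    {"EventID": 3, "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},   # browser -> wscript -> external: hit
    {"EventID": 3, "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},       # internal destination: filtered
    {"EventID": 3, "ProcessGuid": "{B}", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 80},    # parent is explorer.exe: no hit
    {"EventID": 3, "ProcessGuid": "{C}", "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "DestinationIp": "fe80::1", "DestinationPort": 8080},       # link-local: filtered
    {"EventID": 3, "ProcessGuid": "{C}", "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "DestinationIp": "2001:db8::1", "DestinationPort": 443},    # external IPv6: hit
    {"EventID": 3, "ProcessGuid": "{D}", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.30", "DestinationPort": 443},   # the browser itself: no hit
]


def run_example() -> list:
    """Run the rule over the constructed sample and return the matching events."""
    return detect(PROCESS_EVENTS, NETWORK_EVENTS)


if __name__ == "__main__":
    for hit in run_example():
        print(f"{hit['ParentImage']} -> {hit['Image']} -> "
              f"{hit['DestinationIp']}:{hit['DestinationPort']}")
```

Two of the six constructed network events survive the filter: the `wscript.exe` child of Chrome reaching 203.0.113.10 and the child of Edge reaching 2001:db8::1. The connections to 10.0.0.5 and fe80::1 are dropped by the CIDR filter, and the `explorer.exe`-spawned script and the browser's own connection never satisfy the selection. Tuning the rule for a given environment means extending the join with the script path or command line from the process creation event, so that scripts known to run this way can be allow-listed without widening the CIDR filter.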
