WScript Spawned from a Browser Making External Network Connections

 1title: WScript Spawned from a Browser Making External Network Connections
 2id: 6d873a6b-2287-494a-a5c8-2dff432cfc09
 3status: experimental
 4description: |
 5    While JavaScript is everywhere on the web, it is rather unusual for the browser to download 
 6    a JavaScript file and execute it via the Windows Script Host (wscript.exe). When this 
 7    downloaded script starts communicating with devices outside of your network, things get even 
 8    more suspicious. That said, this detection analytic may be noisy in some environments, so be 
 9    prepared to identify what scripts are normally run in this way to tune out the noise. Part of 
10    the RedCanary 2024 Threat Detection Report.    
11references:
12    - https://redcanary.com/threat-detection-report/threats/socgholish/
13author: RedCanary, Sigma formatting by Micah Babinski
14date: 2024/03/21
15tags:
16    - attack.initial_access
17    - attack.t1189
18logsource:
19    category: network_connection
20    product: windows
21detection:
22    selection:
23        ParentImage|endswith:
24            - '\brave.exe'
25            - '\chrome.exe'
26            - '\msedge.exe'
27            - '\opera.exe'
28            - '\vivaldi.exe'
29        Image|endswith: '\wscript.exe'
30    filter_local_ips: # optional, if you want to remove results where the destination IP is a private or local address
31        DestinationIp|cidr:
32            - '127.0.0.0/8'
33            - '10.0.0.0/8'
34            - '172.16.0.0/12'
35            - '192.168.0.0/16'
36            - '169.254.0.0/16'
37            - '::1/128'  # IPv6 loopback
38            - 'fe80::/10'  # IPv6 link-local addresses
39            - 'fc00::/7'  # IPv6 private addresses
40    condition: selection and not filter_local_ips
41falsepositives:
42    - Unknown
43level: low```