WScript or CScript Dropper - File
Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
Sigma rule
title: WScript or CScript Dropper - File
id: 002bdb95-0cf1-46a6-9e08-d38c128a6127
related:
    - id: cea72823-df4d-4567-950c-0b579eaf0846
      type: derived
status: test
description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
references:
    - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
author: Tim Shelton
date: 2022-01-10
modified: 2022-12-02
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        TargetFilename|startswith:
            - 'C:\Users\'
            - 'C:\ProgramData'
        TargetFilename|endswith:
            - '.jse'
            - '.vbe'
            - '.js'
            - '.vba'
            - '.vbs'
    condition: selection
fields:
    - Image
    - TargetFilename
falsepositives:
    - Unknown
level: high
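The selection above evaluated over sample file events, as an added example that is not part of the rule or the Sigma project's code. It assumes Sigma's default semantics (fields ANDed, list values ORed, case-insensitive strings); the events are constructed and the names `matches` and `run` are hypothetical.

```python
# Added example: the rule's selection logic re-implemented for offline testing.
# Assumed Sigma semantics: fields in a selection are ANDed, list values are
# ORed, and string comparisons are case-insensitive.

SELECTION = {
    ("Image", "endswith"): ["\\wscript.exe", "\\cscript.exe"],
    ("TargetFilename", "startswith"): ["C:\\Users\\", "C:\\ProgramData"],
    ("TargetFilename", "endswith"): [".jse", ".vbe", ".js", ".vba", ".vbs"],
}

def matches(event):
    """Return True when a file_event record satisfies every selection field."""
    for (field, modifier), values in SELECTION.items():
        actual = str(event.get(field, "")).lower()
        test = actual.endswith if modifier == "endswith" else actual.startswith
        if not any(test(v.lower()) for v in values):
            return False
    return True

# Constructed sample events using the rule's field names, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",        # script host drops .vbs
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\update.vbs"},
    {"Image": r"C:\Windows\SysWOW64\CSCRIPT.EXE",        # case differs, still hits
     "TargetFilename": r"c:\programdata\stage2.JSE"},
    {"Image": r"C:\Windows\System32\wscript.exe",        # .json is not .js
     "TargetFilename": r"C:\Users\alice\Documents\report.json"},
    {"Image": r"C:\Windows\System32\cscript.exe",        # path outside the prefixes
     "TargetFilename": r"C:\Windows\Temp\helper.vbs"},
    {"Image": r"C:\Program Files\Editor\notwscript.exe", # leading '\' is required
     "TargetFilename": r"C:\Users\bob\Desktop\build.js"},
    {"Image": r"C:\Windows\System32\wscript.exe",        # prefix has no trailing '\'
     "TargetFilename": r"C:\ProgramDataBackup\job.vbs"},
]

def run():
    """Evaluate every sample event and return the list of match results."""
    return [matches(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run()):
        print("ALERT" if hit else "ok   ", event["TargetFilename"])
```

The last event matches because `'C:\ProgramData'` carries no trailing backslash, so sibling directories that share the prefix are also covered, while writes outside both prefixes (the fourth event) are not.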
Related rules
- Adwind RAT / JRAT
- Adwind RAT / JRAT File Artifact
- Csc.EXE Execution Form Potentially Suspicious Parent
- Cscript/Wscript Uncommon Script Extension Execution
- File Was Not Allowed To Run