WScript or CScript Dropper - File

Detects a file with a .jse, .vbe, .js, .vba or .vbs extension written under C:\Users\ or C:\ProgramData by cscript.exe or wscript.exe.

Sigma rule

title: WScript or CScript Dropper - File
id: 002bdb95-0cf1-46a6-9e08-d38c128a6127
related:
    - id: cea72823-df4d-4567-950c-0b579eaf0846
      type: derived
status: test
description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
references:
    - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
author: Tim Shelton
date: 2022/01/10
modified: 2022/12/02
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        TargetFilename|startswith:
            - 'C:\Users\'
            - 'C:\ProgramData'
        TargetFilename|endswith:
            - '.jse'
            - '.vbe'
            - '.js'
            - '.vba'
            - '.vbs'
    condition: selection
fields:
    - Image
    - TargetFilename
falsepositives:
    - Unknown
level: high
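
The rule's selection evaluated over constructed file-event records, as an added example that is not part of the rule or the Sigma project's code. It assumes Sigma's default matching semantics (field conditions ANDed, list values ORed, strings compared case-insensitively); the helper names `matches` and `triage` and all sample events are hypothetical.

```python
# Added example: the rule's `selection`, applied to constructed file-event records.
# Field names and patterns are copied from the rule; helper names are hypothetical.
SELECTION = {
    ("Image", "endswith"): ["\\wscript.exe", "\\cscript.exe"],
    ("TargetFilename", "startswith"): ["C:\\Users\\", "C:\\ProgramData"],
    ("TargetFilename", "endswith"): [".jse", ".vbe", ".js", ".vba", ".vbs"],
}


def matches(event, selection=SELECTION):
    """All field conditions must hold (AND); each pattern list is an OR."""
    for (field, modifier), patterns in selection.items():
        value = event.get(field)
        if not isinstance(value, str):
            return False  # a missing field cannot satisfy the selection
        value = value.lower()  # Sigma compares strings case-insensitively
        check = value.endswith if modifier == "endswith" else value.startswith
        if not any(check(p.lower()) for p in patterns):
            return False
    return True


# Constructed events (not real telemetry): (Image, TargetFilename)
SAMPLE_EVENTS = [
    {"Image": i, "TargetFilename": t}
    for i, t in [
        (r"C:\Windows\System32\wscript.exe", r"C:\Users\alice\AppData\Local\Temp\stage2.vbs"),
        (r"C:\WINDOWS\SysWOW64\CSCRIPT.EXE", r"c:\programdata\update.JSE"),
        (r"C:\Windows\System32\wscript.exe", r"C:\Users\alice\Documents\report.json"),
        (r"C:\Windows\System32\notepad.exe", r"C:\Users\alice\Desktop\notes.js"),
        (r"C:\Windows\System32\cscript.exe", r"D:\Build\out\gen.js"),
        (r"C:\Tools\mywscript.exe", r"C:\Users\bob\run.vbs"),
        (r"C:\Windows\System32\cscript.exe", r"C:\ProgramDataBackup\old.vbs"),
    ]
]


def triage(events):
    """Return the TargetFilename of every event the selection matches."""
    return [e["TargetFilename"] for e in events if matches(e)]


if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("ALERT", path)
```

The last sample matches because the rule's `C:\ProgramData` prefix has no trailing backslash, so sibling directories whose names begin with `ProgramData` are also in scope; `report.json` and `mywscript.exe` do not match because the suffix tests are anchored on `.js` and `\wscript.exe`.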
