GatherNetworkInfo.VBS Reconnaissance Script Output
Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
Sigma rule (View on GitHub)
1title: GatherNetworkInfo.VBS Reconnaissance Script Output
2id: f92a6f1e-a512-4a15-9735-da09e78d7273
3related:
4 - id: 575dce0c-8139-4e30-9295-1ee75969f7fe # ProcCreation LOLBIN
5 type: similar
6 - id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp
7 type: similar
8status: test
9description: Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
10references:
11 - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
12 - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2023-02-08
15tags:
16 - attack.discovery
17logsource:
18 product: windows
19 category: file_event
20detection:
21 selection:
22 TargetFilename|startswith: 'C:\Windows\System32\config'
23 TargetFilename|endswith:
24 - '\Hotfixinfo.txt'
25 - '\netiostate.txt'
26 - '\sysportslog.txt'
27 - '\VmSwitchLog.evtx'
28 condition: selection
29falsepositives:
30 - Unknown
31level: medium
References
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AD Groups Or Users Enumeration Using PowerShell - PoshModule
- AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
- AD Privileged Users or Groups Reconnaissance