GatherNetworkInfo.VBS Reconnaissance Script Output

 1title: GatherNetworkInfo.VBS Reconnaissance Script Output
 2id: f92a6f1e-a512-4a15-9735-da09e78d7273
 3related:
 4    - id: 575dce0c-8139-4e30-9295-1ee75969f7fe # ProcCreation LOLBIN
 5      type: similar
 6    - id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp
 7      type: similar
 8status: test
 9description: Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
10references:
11    - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
12    - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2023/02/08
15tags:
16    - attack.discovery
17logsource:
18    product: windows
19    category: file_event
20detection:
21    selection:
22        TargetFilename|startswith: 'C:\Windows\System32\config'
23        TargetFilename|endswith:
24            - '\Hotfixinfo.txt'
25            - '\netiostate.txt'
26            - '\sysportslog.txt'
27            - '\VmSwitchLog.evtx'
28    condition: selection
29falsepositives:
30    - Unknown
31level: medium

References

• Living off the land

  

  lolbins guide

  
  Read More

• Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government | Mandiant

  

  Executive Summary Mandiant identified an operation focused on the Ukrainian government via trojanized Windows 10 Operating System installers. These were distributed via torrent sites in a supply ch...

  
  Read More

Related rules

• Network Reconnaissance Activity
• Bitbucket User Details Export Attempt Detected
• Suspicious Group And Account Reconnaissance Activity Using Net.EXE
• AdFind Discovery
• Invoke-ShareFinder Discovery Activity