Script Initiated Connection
Detects a script interpreter wscript/cscript opening a network connection. Adversaries may use script to download malicious payloads.
Sigma rule (View on GitHub)
1title: Script Initiated Connection
2id: 08249dc0-a28d-4555-8ba5-9255a198e08c
3status: test
4description: Detects a script interpreter wscript/cscript opening a network connection. Adversaries may use script to download malicious payloads.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
7author: frack113
8date: 2022/08/28
9tags:
10 - attack.command_and_control
11 - attack.t1105
12logsource:
13 category: network_connection
14 product: windows
15detection:
16 selection:
17 Initiated: 'true'
18 Image|endswith:
19 - '\wscript.exe'
20 - '\cscript.exe'
21 condition: selection
22falsepositives:
23 - Legitimate scripts
24level: medium
References
Related rules
- Curl Usage on Linux
- Finger.exe Suspicious Invocation
- Password Protected ZIP File Opened (Suspicious Filenames)
- PrintBrm ZIP Creation of Extraction
- Suspicious Certreq Command to Download