Script Initiated Connection to Non-Local Network

calendar Mar 13, 2024 · attack.command_and_control attack.t1105  ·
Share on: linkedin copy

Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.

Sigma rule (View on GitHub)

 1title: Script Initiated Connection to Non-Local Network
 2id: 992a6cae-db6a-43c8-9cec-76d7195c96fc
 3status: test
 4description: Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
 7author: frack113, Florian Roth (Nextron Systems)
 8date: 2022/08/28
 9modified: 2024/03/13
10tags:
11    - attack.command_and_control
12    - attack.t1105
13logsource:
14    category: network_connection
15    product: windows
16detection:
17    selection:
18        Initiated: 'true'
19        Image|endswith:
20            - '\wscript.exe'
21            - '\cscript.exe'
22    filter_main_local_ranges:
23        DestinationIp|cidr:
24            - '127.0.0.0/8'
25            - '10.0.0.0/8'
26            - '172.16.0.0/12'
27            - '192.168.0.0/16'
28            - '169.254.0.0/16'
29            - '::1/128'  # IPv6 loopback
30            - 'fe80::/10'  # IPv6 link-local addresses
31            - 'fc00::/7'  # IPv6 private addresses
32    filter_main_ms_ranges:
33        DestinationIp|cidr: '20.0.0.0/11' # Microsoft range, caused some FPs
34    condition: selection and not 1 of filter_main_*
35falsepositives:
36    - Legitimate scripts
37level: high

References

Related rules

to-top