Script Initiated Connection to Non-Local Network
Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
Sigma rule (View on GitHub)
1title: Script Initiated Connection to Non-Local Network
2id: 992a6cae-db6a-43c8-9cec-76d7195c96fc
3status: test
4description: Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
7author: frack113, Florian Roth (Nextron Systems)
8date: 2022/08/28
9modified: 2024/03/13
10tags:
11 - attack.command_and_control
12 - attack.t1105
13logsource:
14 category: network_connection
15 product: windows
16detection:
17 selection:
18 Initiated: 'true'
19 Image|endswith:
20 - '\wscript.exe'
21 - '\cscript.exe'
22 filter_main_local_ranges:
23 DestinationIp|cidr:
24 - '127.0.0.0/8'
25 - '10.0.0.0/8'
26 - '172.16.0.0/12'
27 - '192.168.0.0/16'
28 - '169.254.0.0/16'
29 - '::1/128' # IPv6 loopback
30 - 'fe80::/10' # IPv6 link-local addresses
31 - 'fc00::/7' # IPv6 private addresses
32 filter_main_ms_ranges:
33 DestinationIp|cidr: '20.0.0.0/11' # Microsoft range, caused some FPs
34 condition: selection and not 1 of filter_main_*
35falsepositives:
36 - Legitimate scripts
37level: high
References
Related rules
- Curl Download And Execute Combination
- Microsoft Binary Suspicious Communication Endpoint
- Suspicious Desktopimgdownldr Target File
- Suspicious Invoke-WebRequest Execution With DirectIP
- Suspicious Invoke-WebRequest Execution