Local Network Connection Initiated By Script Interpreter

calendar Aug 12, 2024 · attack.command-and-control attack.t1105  ·
Share on: linkedin copy

Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.

Sigma rule (View on GitHub)

 1title: Local Network Connection Initiated By Script Interpreter
 2id: 08249dc0-a28d-4555-8ba5-9255a198e08c
 3related:
 4    - id: 992a6cae-db6a-43c8-9cec-76d7195c96fc
 5      type: derived
 6status: test
 7description: |
 8        Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
 9references:
10    - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
11author: frack113
12date: 2022-08-28
13modified: 2024-05-31
14tags:
15    - attack.command-and-control
16    - attack.t1105
17logsource:
18    category: network_connection
19    product: windows
20detection:
21    selection:
22        Initiated: 'true'
23        Image|endswith:
24            - '\wscript.exe'
25            - '\cscript.exe'
26        # Note: This list is added to avoid duplicate alerting with 992a6cae-db6a-43c8-9cec-76d7195c96fc
27        DestinationIp|cidr:
28            - '127.0.0.0/8'
29            - '10.0.0.0/8'
30            - '172.16.0.0/12'
31            - '192.168.0.0/16'
32            - '169.254.0.0/16'
33            - '::1/128'  # IPv6 loopback
34            - 'fe80::/10'  # IPv6 link-local addresses
35            - 'fc00::/7'  # IPv6 private addresses
36    condition: selection
37falsepositives:
38    - Legitimate scripts
39level: medium

References

Related rules

to-top