Local Network Connection Initiated By Script Interpreter
Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
Sigma rule (View on GitHub)
1title: Local Network Connection Initiated By Script Interpreter
2id: 08249dc0-a28d-4555-8ba5-9255a198e08c
3related:
4 - id: 992a6cae-db6a-43c8-9cec-76d7195c96fc
5 type: derived
6status: test
7description: |
8 Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
9references:
10 - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
11author: frack113
12date: 2022/08/28
13modified: 2024/05/31
14tags:
15 - attack.command_and_control
16 - attack.t1105
17logsource:
18 category: network_connection
19 product: windows
20detection:
21 selection:
22 Initiated: 'true'
23 Image|endswith:
24 - '\wscript.exe'
25 - '\cscript.exe'
26 # Note: This list is added to avoid duplicate alerting with 992a6cae-db6a-43c8-9cec-76d7195c96fc
27 DestinationIp|cidr:
28 - '127.0.0.0/8'
29 - '10.0.0.0/8'
30 - '172.16.0.0/12'
31 - '192.168.0.0/16'
32 - '169.254.0.0/16'
33 - '::1/128' # IPv6 loopback
34 - 'fe80::/10' # IPv6 link-local addresses
35 - 'fc00::/7' # IPv6 private addresses
36 condition: selection
37falsepositives:
38 - Legitimate scripts
39level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
- Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
- Outbound Network Connection Initiated By Script Interpreter
- Potential Download/Upload Activity Using Type Command
- Download File To Potentially Suspicious Directory Via Wget