Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
Sigma rule (View on GitHub)
1title: Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
2id: 575dce0c-8139-4e30-9295-1ee75969f7fe
3related:
4 - id: f92a6f1e-a512-4a15-9735-da09e78d7273 # FileCreate
5 type: similar
6 - id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp
7 type: similar
8status: test
9description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
10references:
11 - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
12 - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
13author: blueteamer8699
14date: 2022-01-03
15modified: 2023-02-08
16tags:
17 - attack.discovery
18 - attack.execution
19 - attack.t1615
20 - attack.t1059.005
21logsource:
22 category: process_creation
23 product: windows
24detection:
25 selection_img:
26 - Image|endswith:
27 - '\cscript.exe'
28 - '\wscript.exe'
29 - OriginalFileName:
30 - 'cscript.exe'
31 - 'wscript.exe'
32 selection_cli:
33 CommandLine|contains: 'gatherNetworkInfo.vbs'
34 condition: all of selection_*
35falsepositives:
36 - Administrative activity
37level: medium
References
-
-
Based on forensic analysis of the ISO file, Mandiant identified that the compromised tasks were both edited as follows: C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement P...
Read More
Related rules
- Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- Adwind RAT / JRAT
- Adwind RAT / JRAT File Artifact