Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
Sigma rule (View on GitHub)
1title: Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
2id: 575dce0c-8139-4e30-9295-1ee75969f7fe
3related:
4 - id: f92a6f1e-a512-4a15-9735-da09e78d7273 # FileCreate
5 type: similar
6 - id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp
7 type: similar
8status: test
9description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
10references:
11 - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
12 - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
13author: blueteamer8699
14date: 2022/01/03
15modified: 2023/02/08
16tags:
17 - attack.discovery
18 - attack.execution
19 - attack.t1615
20 - attack.t1059.005
21logsource:
22 category: process_creation
23 product: windows
24detection:
25 selection_img:
26 - Image|endswith:
27 - '\cscript.exe'
28 - '\wscript.exe'
29 - OriginalFileName:
30 - 'cscript.exe'
31 - 'wscript.exe'
32 selection_cli:
33 CommandLine|contains: 'gatherNetworkInfo.vbs'
34 condition: all of selection_*
35falsepositives:
36 - Administrative activity
37level: medium
References
-
-
Executive Summary Mandiant identified an operation focused on the Ukrainian government via trojanized Windows 10 Operating System installers. These were distributed via torrent sites in a supply ch...
Read More
Related rules
- Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
- Adwind RAT / JRAT
- Adwind RAT / JRAT File Artifact
- HackTool - Bloodhound/Sharphound Execution
- Potential Baby Shark Malware Activity