Potential Manage-bde.wsf Abuse To Proxy Execution

Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution

Sigma rule

title: Potential Manage-bde.wsf Abuse To Proxy Execution
id: c363385c-f75d-4753-a108-c1a8e28bdbda
status: test
description: Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
references:
    - https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/
    - https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
    - https://twitter.com/bohops/status/980659399495741441
    - https://twitter.com/JohnLaTwC/status/1223292479270600706
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md
author: oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)
date: 2020/10/13
modified: 2023/02/03
tags:
    - attack.defense_evasion
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection_wscript_img:
        - Image|endswith: '\wscript.exe'
        - OriginalFileName: 'wscript.exe'
    selection_wscript_cli:
        CommandLine|contains: 'manage-bde.wsf'
    selection_parent:
        ParentImage|endswith:
            - '\cscript.exe'
            - '\wscript.exe'
        ParentCommandLine|contains: 'manage-bde.wsf'
    selection_filter_cmd:
        Image|endswith: '\cmd.exe'
    condition: all of selection_wscript_* or (selection_parent and not selection_filter_cmd)
falsepositives:
    - Unlikely
level: high
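To make the condition concrete, the following is an added example, not code from the SigmaHQ project and not a Sigma backend: a hand-written Python evaluator for exactly this rule, run over a handful of constructed process_creation events (the paths, file names and the event IDs are illustrative, not captured telemetry). It mirrors Sigma's semantics as used here: a list of maps under one selection is OR-ed, keys inside one map are AND-ed, a list under one key is OR-ed, and string comparisons are case-insensitive. The sample set exercises both branches of the condition: the direct branch (wscript.exe, matched by image path or by OriginalFileName, so a renamed copy of wscript.exe is still caught) and the child-process branch (any non-cmd.exe child of a cscript.exe/wscript.exe whose command line names manage-bde.wsf). It also includes a direct cscript.exe launch of manage-bde.wsf, which, as written, the rule does not alert on because the direct branch only lists wscript.exe; the child branch picks up what that cscript.exe instance subsequently spawns.

```python
"""Hand-written evaluator for the Manage-bde.wsf Sigma rule (added example;
not SigmaHQ code). Events are plain dicts keyed by Sigma's process_creation
field names. Sigma string matching is case-insensitive, so both sides of
every comparison are lowercased."""


def _lower(event, field):
    """Return the field as a lowercase string; a missing field never matches."""
    return str(event.get(field, "")).lower()


def selection_wscript_img(event):
    # A list of maps under one selection is OR-ed: either the image path
    # or the PE OriginalFileName identifies wscript.exe.
    return (_lower(event, "Image").endswith("\\wscript.exe")
            or _lower(event, "OriginalFileName") == "wscript.exe")


def selection_wscript_cli(event):
    return "manage-bde.wsf" in _lower(event, "CommandLine")


def selection_parent(event):
    # Keys inside one map are AND-ed; the list under ParentImage is OR-ed.
    parent = _lower(event, "ParentImage")
    return (any(parent.endswith(s) for s in ("\\cscript.exe", "\\wscript.exe"))
            and "manage-bde.wsf" in _lower(event, "ParentCommandLine"))


def selection_filter_cmd(event):
    return _lower(event, "Image").endswith("\\cmd.exe")


def matches(event):
    """condition: all of selection_wscript_* or (selection_parent and not selection_filter_cmd)"""
    direct = selection_wscript_img(event) and selection_wscript_cli(event)
    child = selection_parent(event) and not selection_filter_cmd(event)
    return direct or child


# Constructed sample events (not captured telemetry); paths are illustrative.
SAMPLE_EVENTS = [
    {"id": "wscript-direct",
     "Image": "C:\\Windows\\System32\\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": "wscript.exe C:\\Users\\Public\\manage-bde.wsf",
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"id": "cscript-direct",  # outside the direct branch: only wscript.exe is listed there
     "Image": "C:\\Windows\\System32\\cscript.exe", "OriginalFileName": "cscript.exe",
     "CommandLine": "cscript.exe C:\\Users\\Public\\manage-bde.wsf",
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"id": "child-of-cscript",  # hypothetical child binary, caught by the parent branch
     "Image": "C:\\Users\\Public\\example.exe", "OriginalFileName": "example.exe",
     "CommandLine": "example.exe",
     "ParentImage": "C:\\Windows\\System32\\cscript.exe",
     "ParentCommandLine": "cscript.exe C:\\Users\\Public\\manage-bde.wsf"},
    {"id": "cmd-child-filtered",  # cmd.exe child is excluded by selection_filter_cmd
     "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c manage-bde -status",
     "ParentImage": "C:\\Windows\\System32\\cscript.exe",
     "ParentCommandLine": "cscript.exe C:\\Windows\\System32\\manage-bde.wsf -status"},
    {"id": "renamed-wscript",  # image renamed; OriginalFileName and case-insensitivity still match
     "Image": "C:\\Temp\\ws.exe", "OriginalFileName": "WScript.exe",
     "CommandLine": "ws.exe C:\\Temp\\Manage-BDE.WSF",
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"id": "benign-wscript",
     "Image": "C:\\Windows\\System32\\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": "wscript.exe \\\\fileserver\\netlogon\\logon.vbs",
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe"},
]


def alerting_ids(events=SAMPLE_EVENTS):
    """IDs of the events the rule would fire on, in input order."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['id']:20} -> {'ALERT' if matches(ev) else 'no match'}")
```

Running the block prints one line per sample event; `alerting_ids()` returns `wscript-direct`, `child-of-cscript` and `renamed-wscript`. When porting the rule to a SIEM by hand rather than through a Sigma backend, the two points most often lost are the OR between `Image|endswith` and `OriginalFileName` (a YAML list of maps) and the case-insensitive comparison, both of which the evaluator above preserves.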
