Suspicious Runscripthelper.exe
Detects execution of PowerShell scripts via Runscripthelper.exe.
Sigma rule
title: Suspicious Runscripthelper.exe
id: eca49c87-8a75-4f13-9c73-a5a29e845f03
status: test
description: Detects execution of powershell scripts via Runscripthelper.exe
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2022-07-11
tags:
    - attack.execution
    - attack.t1059
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\Runscripthelper.exe'
        CommandLine|contains: 'surfacecheck'
    condition: selection
fields:
    - CommandLine
falsepositives:
    - Unknown
level: medium
Related rules
- Potential Arbitrary Command Execution Via FTP.EXE
- Renamed FTP.EXE Execution
- Renamed NirCmd.EXE Execution
- Renamed PingCastle Binary Execution
- Add Insecure Download Source To Winget