Potential Register_App.Vbs LOLScript Abuse
Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
Sigma rule (View on GitHub)
1title: Potential Register_App.Vbs LOLScript Abuse
2id: 28c8f68b-098d-45af-8d43-8089f3e35403
3status: test
4description: Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
5references:
6 - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
7 - https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs
8author: Austin Songer @austinsonger
9date: 2021-11-05
10modified: 2022-07-07
11tags:
12 - attack.defense-evasion
13 - attack.t1218
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 - Image|endswith:
20 - '\cscript.exe'
21 - '\wscript.exe'
22 - OriginalFileName:
23 - 'cscript.exe'
24 - 'wscript.exe'
25 selection_cli:
26 CommandLine|contains: '.vbs -register ' # register_app.vbs
27 condition: all of selection*
28falsepositives:
29 - Other VB scripts that leverage the same starting command line flags
30level: medium
References
-
This repo contains samples that demonstrate the API used in Windows classic desktop applications. - microsoft/Windows-classic-samples
Read More
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE