Wscript Shell Run In CommandLine
Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity
Sigma rule (View on GitHub)
1title: Wscript Shell Run In CommandLine
2id: 2c28c248-7f50-417a-9186-a85b223010ee
3status: test
4description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity
5references:
6 - https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html
7 - https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022/08/31
10modified: 2023/05/15
11tags:
12 - attack.execution
13 - attack.t1059
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 CommandLine|contains|all:
20 - 'Wscript.'
21 - '.Shell'
22 - '.Run'
23 condition: selection
24falsepositives:
25 - Inline scripting can be used by some rare third party applications or administrators. Investigate and apply additional filters accordingly
26level: medium
References
-
-
* Cisco Talos recently observed three separate, but related, campaigns between March and June 2022 delivering a variety of threats, including the ModernLoader bot, RedLine information-stealer and cryptocurrency-mining malware to victims. * The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other
Read More
Related rules
- Bypassing Security Controls - Command Shell
- In-memory Downloading and Compiling of Applets as Payloads
- Mac AppleScript Input Prompt
- Obfuscated Commands - Command Shell
- Obfuscation and Escape Characters - Powershell