Wscript Shell Run In CommandLine

Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity

Sigma rule (View on GitHub)

 1title: Wscript Shell Run In CommandLine
 2id: 2c28c248-7f50-417a-9186-a85b223010ee
 3status: test
 4description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity
 5references:
 6    - https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html
 7    - https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022-08-31
10modified: 2023-05-15
11tags:
12    - attack.execution
13    - attack.t1059
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        CommandLine|contains|all:
20            - 'Wscript.'
21            - '.Shell'
22            - '.Run'
23    condition: selection
24falsepositives:
25    - Inline scripting can be used by some rare third party applications or administrators. Investigate and apply additional filters accordingly
26level: medium

References

Related rules

to-top