WSF/JSE/JS/VBA/VBE File Execution

Detects suspicious file execution by wscript and cscript

Sigma rule

title: WSF/JSE/JS/VBA/VBE File Execution
id: 1e33157c-53b1-41ad-bbcc-780b80b58288
related:
    - id: 23250293-eed5-4c39-b57a-841c8933a57d
      type: obsoletes
status: test
description: Detects suspicious file execution by wscript and cscript
author: Michael Haag
date: 2019/01/16
modified: 2023/03/02
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007

logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName:
            - 'wscript.exe'
            - 'cscript.exe'
        - Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
    selection_cli:
        CommandLine|contains:
            - '.js'
            - '.jse'
            - '.vba'
            - '.vbe'
            - '.vbs'
    condition: all of selection_*
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.
level: medium
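To show how the detection above evaluates against process_creation telemetry, here is an added Python example (not part of the rule or the Sigma project) that re-implements the two selections and the `all of selection_*` condition over constructed sample events. It also shows one reading of the tuning suggested under falsepositives: additionally requiring a user profile path in CommandLine. The `USER_PROFILE_RE` pattern, the `rule_matches_tuned` function and the sample events are assumptions made for this illustration; Sigma string matching is case-insensitive by default, which the code reproduces by lower-casing both sides.

```python
import re
from typing import Iterable

# Values copied from the rule's selection_img and selection_cli blocks.
IMG_ORIGINAL_FILENAMES = ("wscript.exe", "cscript.exe")
IMG_SUFFIXES = ("\\wscript.exe", "\\cscript.exe")
CLI_EXTENSIONS = (".js", ".jse", ".vba", ".vbe", ".vbs")


def selection_img(event: dict) -> bool:
    """A Sigma list of maps under selection_img is OR'ed: either OriginalFileName
    matches exactly or the Image path ends with the binary name. Sigma matching
    is case-insensitive, so both sides are lower-cased before comparison."""
    ofn = str(event.get("OriginalFileName", "")).lower()
    image = str(event.get("Image", "")).lower()
    return ofn in IMG_ORIGINAL_FILENAMES or image.endswith(IMG_SUFFIXES)


def selection_cli(event: dict) -> bool:
    """CommandLine|contains with a list of values is OR'ed. Plain substring
    matching means '.js' also hits '.jse' and '.json' arguments; the rule
    accepts that breadth in exchange for coverage."""
    cmd = str(event.get("CommandLine", "")).lower()
    return any(ext in cmd for ext in CLI_EXTENSIONS)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_cli(event)


# Assumed tuning derived from the falsepositives note: also require the script
# path in CommandLine to sit under C:\Users\<name>\. This is one possible
# interpretation of "adding the user profile path", not part of the rule.
USER_PROFILE_RE = re.compile(r"c:\\users\\[^\\]+\\", re.IGNORECASE)


def rule_matches_tuned(event: dict) -> bool:
    cmd = str(event.get("CommandLine", ""))
    return rule_matches(event) and bool(USER_PROFILE_RE.search(cmd))


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    # Script launched from a user's Temp folder: hits the rule and the tuned variant.
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\invoice.vbs"'},
    # Vendor maintenance script under ProgramData: hits the rule, filtered by the tuning.
    {"Image": r"C:\Windows\SysWOW64\cscript.exe", "OriginalFileName": "cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\ProgramData\Vendor\maint.js"},
    # Built-in licensing script: a typical benign hit the tuning removes.
    {"Image": r"C:\Windows\System32\cscript.exe", "OriginalFileName": "cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv"},
    # cmd.exe mentioning a .vbs name: selection_img fails, so no match.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c echo hello.vbs"},
    # Renamed host binary: Image suffix fails but OriginalFileName still matches.
    {"Image": r"C:\Tools\renamed.exe", "OriginalFileName": "WScript.exe",
     "CommandLine": r"renamed.exe C:\Users\bob\Downloads\payload.JSE"},
]


def evaluate(events: Iterable[dict]) -> list[tuple[bool, bool]]:
    """Return (base rule match, tuned match) for each event."""
    return [(rule_matches(e), rule_matches_tuned(e)) for e in events]


if __name__ == "__main__":
    for event, (base, tuned) in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"base={base!s:5} tuned={tuned!s:5} {event['CommandLine']}")
```

The renamed-binary event is the reason the rule checks OriginalFileName as well as the Image path: the PE version resource survives a rename on disk. The slmgr.vbs and ProgramData events illustrate the noise the falsepositives note anticipates, and the user-profile filter is one way to cut it; any such filter should be validated against the environment's own script-host usage before deployment.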
