Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
Sigma rule (View on GitHub)
1title: Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
2id: 07aa184a-870d-413d-893a-157f317f6f58
3related:
4 - id: f92a6f1e-a512-4a15-9735-da09e78d7273 # FileCreate
5 type: similar
6 - id: 575dce0c-8139-4e30-9295-1ee75969f7fe # ProcCreation LOLBIN
7 type: similar
8status: test
9description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
10references:
11 - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
12 - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2023/02/08
15tags:
16 - attack.discovery
17 - attack.execution
18 - attack.t1615
19 - attack.t1059.005
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection:
25 CommandLine|contains: 'gatherNetworkInfo.vbs'
26 filter:
27 Image|endswith:
28 - '\cscript.exe'
29 - '\wscript.exe'
30 condition: selection and not filter
31falsepositives:
32 - Unknown
33level: high
References
-
-
Executive Summary Mandiant identified an operation focused on the Ukrainian government via trojanized Windows 10 Operating System installers. These were distributed via torrent sites in a supply ch...
Read More
Related rules
- Hacktool Ruler
- Wscript.exe Executing Agreement Javascript in AppData Folder
- File Was Not Allowed To Run
- Renamed FTP.EXE Execution
- Remote PowerShell Sessions Network Connections (WinRM)