WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript

Sigma rule

title: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
id: 1e33157c-53b1-41ad-bbcc-780b80b58288
related:
    - id: 23250293-eed5-4c39-b57a-841c8933a57d
      type: obsoletes
status: test
description: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript
author: Michael Haag
date: 2019/01/16
modified: 2023/05/15
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName:
              - 'wscript.exe'
              - 'cscript.exe'
        - Image|endswith:
              - '\wscript.exe'
              - '\cscript.exe'
    selection_cli:
        CommandLine|contains:
            - '.js'
            - '.jse'
            - '.vba'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    condition: all of selection_*
falsepositives:
    - Some additional tuning is required. It is recommended to add the user profile path in CommandLine if it is getting too noisy.
level: medium
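
The rule's matching logic applied to constructed process-creation events, as an added example that is not part of the rule or of the Sigma project. It also evaluates a tuned variant following the falsepositives note; the `\Users\` profile path, the helper names and all sample events are assumptions made for illustration.

```python
# Added example: the rule's detection logic in plain Python (not Sigma tooling).
ORIGINAL_NAMES = ("wscript.exe", "cscript.exe")
IMAGE_SUFFIXES = ("\\wscript.exe", "\\cscript.exe")
SCRIPT_EXTS = (".js", ".jse", ".vba", ".vbe", ".vbs", ".wsf")
PROFILE_PATH = "\\users\\"  # assumption: value used for the suggested tuning


def selection_img(event):
    # A list of maps is OR in Sigma: OriginalFileName equals OR Image endswith.
    original = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    return original in ORIGINAL_NAMES or image.endswith(IMAGE_SUFFIXES)


def selection_cli(event):
    # CommandLine|contains with several values: any substring, case-insensitive.
    cmdline = event.get("CommandLine", "").lower()
    return any(ext in cmdline for ext in SCRIPT_EXTS)


def rule_matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_cli(event)


def tuned_rule_matches(event):
    # Hypothetical tuned variant: additionally require the profile path.
    return rule_matches(event) and PROFILE_PATH in event.get("CommandLine", "").lower()


def ev(image, original, cmdline):
    return {"Image": image, "OriginalFileName": original, "CommandLine": cmdline}


# Constructed process_creation events, not real telemetry.
EVENTS = {
    "vbs_from_downloads": ev(r"C:\Windows\System32\wscript.exe", "wscript.exe",
                             r'wscript.exe "C:\Users\alice\Downloads\invoice.vbs"'),
    "renamed_host_jse": ev(r"C:\Users\alice\AppData\Local\Temp\update.exe", "cscript.exe",
                           r"update.exe //B C:\Users\alice\AppData\Local\Temp\a.JSE"),
    "slmgr_admin": ev(r"C:\Windows\System32\cscript.exe", "cscript.exe",
                      r"cscript.exe //Nologo C:\Windows\System32\slmgr.vbs /dlv"),
    "notepad_js": ev(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
                     r"notepad.exe C:\Users\alice\app.js"),
}


def evaluate_all():
    return {n: (rule_matches(e), tuned_rule_matches(e)) for n, e in EVENTS.items()}


if __name__ == "__main__":
    for name, (base, tuned) in evaluate_all().items():
        print(f"{name:20} base={base} tuned={tuned}")
```

The renamed host binary still matches through OriginalFileName, and the administrative slmgr.vbs call is the kind of hit the profile-path tuning removes.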
