Cscript/Wscript Uncommon Script Extension Execution

Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension

Sigma rule

title: Cscript/Wscript Uncommon Script Extension Execution
id: 99b7460d-c9f1-40d7-a316-1f36f61d52ee
status: experimental
description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/15
modified: 2023/06/19
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName:
              - 'wscript.exe'
              - 'cscript.exe'
        - Image|endswith:
              - '\wscript.exe'
              - '\cscript.exe'
    selection_extension:
        CommandLine|contains:
            # Note: add further potentially suspicious extensions here
            # We could require the "//E:" engine flag to avoid false positives from typos by admins, but since that creates blind spots when an attacker registers a file association (assoc) instead, it is better not to include it
            - '.csv'
            - '.dat'
            - '.doc'
            - '.gif'
            - '.jpeg'
            - '.jpg'
            - '.png'
            - '.ppt'
            - '.txt'
            - '.xls'
            - '.xml'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
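The detection logic of the rule above, run over a handful of constructed process_creation events. This is an added example, not code from the Sigma project: the selection values are copied from the rule, the sample events are made up for illustration, and the `triage` helper (which checks whether the uncommon extension sits on the file the script host actually runs or only on a trailing argument) is a hypothetical addition to help sort the obvious false-positive shape.

```python
import re

# Values copied from the rule above; everything else in this block is an
# added illustration, not code from the Sigma project.
ORIGINAL_FILE_NAMES = {"wscript.exe", "cscript.exe"}
IMAGE_SUFFIXES = ("\\wscript.exe", "\\cscript.exe")
UNCOMMON_EXTENSIONS = (".csv", ".dat", ".doc", ".gif", ".jpeg", ".jpg",
                       ".png", ".ppt", ".txt", ".xls", ".xml")


def selection_img(event):
    """selection_img: OriginalFileName match OR Image suffix match.
    Sigma string comparisons are case-insensitive, so lowercase first."""
    original = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    return original in ORIGINAL_FILE_NAMES or image.endswith(IMAGE_SUFFIXES)


def selection_extension(event):
    """selection_extension: CommandLine|contains any listed extension.
    Plain substring semantics, so '.doc' also matches '.docx'."""
    cmd = event.get("CommandLine", "").lower()
    return any(ext in cmd for ext in UNCOMMON_EXTENSIONS)


def matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_extension(event)


def script_argument(command_line):
    """Return the first non-switch argument after the executable, i.e. the
    file the script host will actually run. Host switches start with '//'.
    The tokenizer keeps double-quoted paths (with spaces) together."""
    tokens = re.findall(r'"[^"]*"|\S+', command_line)
    for token in tokens[1:]:
        if not token.startswith("//"):
            return token.strip('"')
    return ""


def triage(event):
    """Hypothetical triage helper (not part of the rule): is the uncommon
    extension on the executed file, or only on a trailing argument handed
    to a legitimate script (the obvious false-positive shape)?"""
    arg = script_argument(event.get("CommandLine", "")).lower()
    return "executed-file" if arg.endswith(UNCOMMON_EXTENSIONS) else "trailing-argument"


def evaluate(events):
    """Return (index, triage label) for every event the rule fires on."""
    return [(i, triage(e)) for i, e in enumerate(events) if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: script host launched directly on a .jpg dropped by a phishing lure
        "Image": r"C:\Windows\System32\wscript.exe",
        "OriginalFileName": "wscript.exe",
        "CommandLine": r'wscript.exe "C:\Users\bob\AppData\Local\Temp\invoice.jpg"',
    },
    {   # 1: cscript.exe copied and renamed; Image no longer ends in \cscript.exe,
        # but the PE's OriginalFileName still gives it away
        "Image": r"C:\Users\bob\Downloads\update.exe",
        "OriginalFileName": "cscript.exe",
        "CommandLine": r"update.exe //E:vbscript C:\ProgramData\cache.dat",
    },
    {   # 2: ordinary admin script, no uncommon extension anywhere
        "Image": r"C:\Windows\System32\cscript.exe",
        "OriginalFileName": "cscript.exe",
        "CommandLine": r"cscript.exe //nologo C:\Scripts\inventory.vbs",
    },
    {   # 3: legitimate .vbs that takes a .csv as its argument; the rule fires,
        # triage shows the extension is only on a trailing argument
        "Image": r"C:\Windows\System32\cscript.exe",
        "OriginalFileName": "cscript.exe",
        "CommandLine": r"cscript.exe //nologo C:\Scripts\export.vbs C:\Reports\report.csv",
    },
    {   # 4: not a script host at all, so selection_img fails
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell.exe -File C:\Temp\notes.txt",
    },
]


if __name__ == "__main__":
    for index, label in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: rule fired, {label}")
```

Event 1 is why the rule keys on `OriginalFileName` as well as `Image`: a renamed copy of the script host is not caught by the path suffix alone. Event 3 shows the main false-positive source a deployer should expect, since `contains` does not care where in the command line the extension appears; the same substring semantics mean `.doc`, `.ppt` and `.xls` also cover their `x`-suffixed variants, and any extension not in the list (the rule's own comment invites additions) goes unseen.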
