-
-
Notifications
You must be signed in to change notification settings - Fork 2.7k
Expand file tree
/
Copy pathproc_creation_win_wscript_cscript_script_exec.yml
More file actions
44 lines (44 loc) · 1.31 KB
/
Copy pathproc_creation_win_wscript_cscript_script_exec.yml
File metadata and controls
44 lines (44 loc) · 1.31 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
title: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
id: 1e33157c-53b1-41ad-bbcc-780b80b58288
related:
- id: 23250293-eed5-4c39-b57a-841c8933a57d
type: obsolete
- id: cea72823-df4d-4567-950c-0b579eaf0846
type: derived
status: test
description: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf, .wsh) by Wscript/Cscript.
references:
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://redcanary.com/blog/gootloader/
author: Michael Haag
date: 2019-01-16
modified: 2026-02-17
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName:
- 'wscript.exe'
- 'cscript.exe'
- Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
selection_cli:
CommandLine|contains:
- '.js'
- '.jse'
- '.vba'
- '.vbe'
- '.vbs'
- '.wsf'
- '.wsh'
condition: all of selection_*
falsepositives:
- Some additional tuning is required. It is recommended to add the user profile path in CommandLine if it is getting too noisy.
level: medium