sigmaDRL-1.1from SigmaHQ/sigma

Outbound Network Connection Initiated By Script Interpreter

Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.

Quality

FP risk

—

Forks

Views

ATT&CK techniques

T1105

Rule sourcerules/windows/network_connection/net_connection_win_wscript_cscript_outbound_connection.yml

title: Outbound Network Connection Initiated By Script Interpreter
id: 992a6cae-db6a-43c8-9cec-76d7195c96fc
related:
    - id: 08249dc0-a28d-4555-8ba5-9255a198e08c
      type: derived
status: test
description: Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-28
modified: 2024-03-13
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    filter_main_ms_ranges:
        DestinationIp|cidr: '20.0.0.0/11' # Microsoft range, caused some FPs
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate scripts
level: high