← Library
sigmaDRL-1.1from SigmaHQ/sigma

Potential Register_App.Vbs LOLScript Abuse

Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.

Quality
72
FP risk
Forks
0
Views
0
ATT&CK techniques
T1218
Rule sourcerules/windows/process_creation/proc_creation_win_lolscript_register_app.yml
title: Potential Register_App.Vbs LOLScript Abuse
id: 28c8f68b-098d-45af-8d43-8089f3e35403
status: test
description: Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
references:
    - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
    - https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs
author: Austin Songer @austinsonger
date: 2021-11-05
modified: 2022-07-07
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\cscript.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'cscript.exe'
              - 'wscript.exe'
    selection_cli:
        CommandLine|contains: '.vbs -register ' # register_app.vbs
    condition: all of selection*
falsepositives:
    - Other VB scripts that leverage the same starting command line flags
level: medium