← Library
sigmaDRL-1.1from SigmaHQ/sigma

WScript or CScript Dropper - File

Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe

Quality
88
FP risk
Forks
0
Views
0
ATT&CK techniques
T1059.005T1059.007
Rule sourcerules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml
title: WScript or CScript Dropper - File
id: 002bdb95-0cf1-46a6-9e08-d38c128a6127
related:
    - id: cea72823-df4d-4567-950c-0b579eaf0846
      type: derived
status: test
description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
references:
    - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
author: Tim Shelton
date: 2022-01-10
modified: 2022-12-02
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        TargetFilename|startswith:
            - 'C:\Users\'
            - 'C:\ProgramData'
        TargetFilename|endswith:
            - '.jse'
            - '.vbe'
            - '.js'
            - '.vba'
            - '.vbs'
    condition: selection
falsepositives:
    - Unknown
level: high