SPL | Apache-2.0 | from splunk/security_content

Cisco NVM - Susp Script From Archive Triggering Network Activity

This analytic detects script execution (`wscript.exe` or `cscript.exe`) spawned from compressed files that were opened directly with `explorer.exe`, `winrar.exe`, or `7zFM.exe`. When a user double-clicks a ".js" file from within one of these archives, the file is extracted temporarily into a folder in the temp directory that carries certain markers. The analytic leverages Cisco Network Visibility Module (NVM) flow data to look for this specific parent/child process relationship combined with an initiated network connection. This behavior is exploited by threat actors such as Scarlet Goldfinch to deliver and run malicious scripts as an initial access technique.
