sigmahighHunting

WScript or CScript Dropper - File

Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe

MITRE ATT&CK

execution

Detection Query

selection:
  Image|endswith:
    - \wscript.exe
    - \cscript.exe
  TargetFilename|startswith:
    - C:\Users\
    - C:\ProgramData
  TargetFilename|endswith:
    - .jse
    - .vbe
    - .js
    - .vba
    - .vbs
condition: selection

Author

Tim Shelton

Created

2022-01-10

Data Sources

windowsFile Events

Platforms

windows

References

WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)

Tags

attack.executionattack.t1059.005attack.t1059.007

Raw Content

title: WScript or CScript Dropper - File
id: 002bdb95-0cf1-46a6-9e08-d38c128a6127
related:
    - id: cea72823-df4d-4567-950c-0b579eaf0846
      type: derived
status: test
description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
references:
    - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
author: Tim Shelton
date: 2022-01-10
modified: 2022-12-02
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        TargetFilename|startswith:
            - 'C:\Users\'
            - 'C:\ProgramData'
        TargetFilename|endswith:
            - '.jse'
            - '.vbe'
            - '.js'
            - '.vba'
            - '.vbs'
    condition: selection
falsepositives:
    - Unknown
level: high