← Back to Explore
sigmamediumHunting
Potential Register_App.Vbs LOLScript Abuse
Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
Detection Query
selection_img:
- Image|endswith:
- \cscript.exe
- \wscript.exe
- OriginalFileName:
- cscript.exe
- wscript.exe
selection_cli:
CommandLine|contains: ".vbs -register "
condition: all of selection*
Author
Austin Songer @austinsonger
Created
2021-11-05
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1218
Raw Content
title: Potential Register_App.Vbs LOLScript Abuse
id: 28c8f68b-098d-45af-8d43-8089f3e35403
status: test
description: Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
references:
- https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
- https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs
author: Austin Songer @austinsonger
date: 2021-11-05
modified: 2022-07-07
tags:
- attack.defense-evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\cscript.exe'
- '\wscript.exe'
- OriginalFileName:
- 'cscript.exe'
- 'wscript.exe'
selection_cli:
CommandLine|contains: '.vbs -register ' # register_app.vbs
condition: all of selection*
falsepositives:
- Other VB scripts that leverage the same starting command line flags
level: medium