← Back to Explore
sigmahighHunting
Outbound Network Connection Initiated By Script Interpreter
Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
Detection Query
selection:
Initiated: "true"
Image|endswith:
- \wscript.exe
- \cscript.exe
filter_main_local_ranges:
DestinationIp|cidr:
- 127.0.0.0/8
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 169.254.0.0/16
- ::1/128
- fe80::/10
- fc00::/7
filter_main_ms_ranges:
DestinationIp|cidr: 20.0.0.0/11
condition: selection and not 1 of filter_main_*
Author
frack113, Florian Roth (Nextron Systems)
Created
2022-08-28
Data Sources
windowsNetwork Connection Events
Platforms
windows
Tags
attack.command-and-controlattack.t1105
Raw Content
title: Outbound Network Connection Initiated By Script Interpreter
id: 992a6cae-db6a-43c8-9cec-76d7195c96fc
related:
- id: 08249dc0-a28d-4555-8ba5-9255a198e08c
type: derived
status: test
description: Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-28
modified: 2024-03-13
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
filter_main_local_ranges:
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
filter_main_ms_ranges:
DestinationIp|cidr: '20.0.0.0/11' # Microsoft range, caused some FPs
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate scripts
level: high