← Back to Explore
sigmahighHunting
Potential Manage-bde.wsf Abuse To Proxy Execution
Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
Detection Query
selection_wscript_img:
- Image|endswith: \wscript.exe
- OriginalFileName: wscript.exe
selection_wscript_cli:
CommandLine|contains: manage-bde.wsf
selection_parent:
ParentImage|endswith:
- \cscript.exe
- \wscript.exe
ParentCommandLine|contains: manage-bde.wsf
selection_filter_cmd:
Image|endswith: \cmd.exe
condition: all of selection_wscript_* or (selection_parent and not selection_filter_cmd)
Author
oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)
Created
2020-10-13
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/
- https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
- https://twitter.com/bohops/status/980659399495741441
- https://twitter.com/JohnLaTwC/status/1223292479270600706
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md
Tags
attack.defense-evasionattack.t1216
Raw Content
title: Potential Manage-bde.wsf Abuse To Proxy Execution
id: c363385c-f75d-4753-a108-c1a8e28bdbda
status: test
description: Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
references:
- https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/
- https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
- https://twitter.com/bohops/status/980659399495741441
- https://twitter.com/JohnLaTwC/status/1223292479270600706
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md
author: oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-13
modified: 2023-02-03
tags:
- attack.defense-evasion
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection_wscript_img:
- Image|endswith: '\wscript.exe'
- OriginalFileName: 'wscript.exe'
selection_wscript_cli:
CommandLine|contains: 'manage-bde.wsf'
selection_parent:
ParentImage|endswith:
- '\cscript.exe'
- '\wscript.exe'
ParentCommandLine|contains: 'manage-bde.wsf'
selection_filter_cmd:
Image|endswith: '\cmd.exe'
condition: all of selection_wscript_* or (selection_parent and not selection_filter_cmd)
falsepositives:
- Unlikely
level: high