← Back to Explore
sigmamediumHunting
Potential Dropper Script Execution Via WScript/CScript
Detects wscript/cscript executions of scripts located in user directories
Detection Query
selection_exec:
Image|endswith:
- \wscript.exe
- \cscript.exe
selection_paths:
CommandLine|contains:
- :\Temp\
- :\Tmp\
- :\Users\Public\
- :\Windows\Temp\
- \AppData\Local\Temp\
selection_ext:
CommandLine|contains:
- .js
- .jse
- .vba
- .vbe
- .vbs
- .wsf
condition: all of selection_*
Author
Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
Created
2019-01-16
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.t1059.005attack.t1059.007
Raw Content
title: Potential Dropper Script Execution Via WScript/CScript
id: cea72823-df4d-4567-950c-0b579eaf0846
related:
- id: 1e33157c-53b1-41ad-bbcc-780b80b58288
type: similar
status: test
description: Detects wscript/cscript executions of scripts located in user directories
references:
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://redcanary.com/blog/gootloader/
author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2024-01-30
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_exec:
Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
selection_paths:
CommandLine|contains:
- ':\Temp\'
- ':\Tmp\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
selection_ext:
CommandLine|contains:
- '.js'
- '.jse'
- '.vba'
- '.vbe'
- '.vbs'
- '.wsf'
condition: all of selection_*
falsepositives:
- Some installers might generate a similar behavior. An initial baseline is required
level: medium