WScript or CScript Dropper - File

Original Source: [Sigma source]
Title: WScript or CScript Dropper - File
Status: test
Description: Detects a file ending in jse, vbe, js, vba, vbs, wsf, wsh written by cscript.exe or wscript.exe
References:
  - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
Author: Tim Shelton
Date: 2022-01-10
Modified: 2026-02-17
Tags:
  • attack.execution
  • attack.t1059.005
  • attack.t1059.007
Logsource:
  • category: file_event
  • product: windows
Detection:
  selection:
    Image|endswith:
      - '\wscript.exe'
      - '\cscript.exe'

    TargetFilename|contains:
      - ':\Perflogs\'
      - ':\ProgramData\'
      - ':\Temp\'
      - ':\Tmp\'
      - ':\Users\'
      - ':\Windows\Temp\'
      - '\AppData\Local\Temp'
      - '\AppData\Roaming\Temp'
      - '\Start Menu\Programs\Startup\'
      - '\Temporary Internet'

    TargetFilename|endswith:
      - '.js'
      - '.jse'
      - '.vba'
      - '.vbe'
      - '.vbs'
      - '.wsf'
      - '.wsh'

  condition: selection
Falsepositives:
  - Unknown
Level: high
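
Added example (not part of the Sigma rule or the Sigma project's code): a small Python evaluator that applies the selection above to file-creation events, to show how the three fields combine (values in a list are OR-ed, the fields are AND-ed, and matching is case-insensitive as is Sigma's default). The function names and the sample events are constructed for illustration.

```python
# Values copied from the rule's selection; backslashes escaped for Python.
IMAGES = ("\\wscript.exe", "\\cscript.exe")
PATH_PARTS = (
    ":\\Perflogs\\", ":\\ProgramData\\", ":\\Temp\\", ":\\Tmp\\", ":\\Users\\",
    ":\\Windows\\Temp\\", "\\AppData\\Local\\Temp", "\\AppData\\Roaming\\Temp",
    "\\Start Menu\\Programs\\Startup\\", "\\Temporary Internet",
)
EXTENSIONS = (".js", ".jse", ".vba", ".vbe", ".vbs", ".wsf", ".wsh")


def any_endswith(value, suffixes):
    """Sigma |endswith: true if any listed suffix matches, ignoring case."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def any_contains(value, parts):
    """Sigma |contains: true if any listed substring occurs, ignoring case."""
    v = value.lower()
    return any(p.lower() in v for p in parts)


def matches(event):
    """All three field conditions of the selection must hold (logical AND)."""
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    return (any_endswith(image, IMAGES)
            and any_contains(target, PATH_PARTS)
            and any_endswith(target, EXTENSIONS))


def scan(events):
    """Return the TargetFilename of every event the rule would flag."""
    return [e["TargetFilename"] for e in events if matches(e)]


# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\stage2.vbs"},
    {"Image": r"C:\Windows\System32\CSCRIPT.EXE", "TargetFilename": r"C:\ProgramData\update.JSE"},  # case differs
    {"Image": r"C:\Windows\System32\wscript.exe", "TargetFilename": r"C:\Users\alice\Documents\report.txt"},  # extension
    {"Image": r"C:\Windows\System32\notepad.exe", "TargetFilename": r"C:\Users\alice\Desktop\build.js"},  # image
    {"Image": r"C:\Windows\System32\cscript.exe", "TargetFilename": r"D:\Scripts\deploy.vbs"},  # path not listed
    {"Image": r"C:\Tools\notwscript.exe", "TargetFilename": r"C:\Temp\a.wsf"},  # suffix needs the backslash
]

if __name__ == "__main__":
    for path in scan(SAMPLE_EVENTS):
        print("ALERT (level: high):", path)
```

Only the first two constructed events are flagged; the other four each fail exactly one of the three conditions, which is a quick way to confirm the rule's boundaries when tuning it against local telemetry.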