LoFP / inline scripting can be used by some rare third party applications or administrators. investigate and apply additional filters accordingly

Techniques

• t1059

Sample rules

Wscript Shell Run In CommandLine

• source: sigma
• technicques:
  • t1059

Description

Detects the presence of the keywords “Wscript”, “Shell” and “Run” in the command, which could indicate a suspicious activity

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - Wscript.
  - .Shell
  - .Run