LoFP LoFP / legitimate administrative scripts

Techniques

Sample rules

Proxy Execution via Vshadow

Description

Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits. VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag, attackers can leverage this parameter to proxy the execution of malware.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains: -exec
selection_img:
- Image|endswith: \vshadow.exe
- OriginalFileName: vshadow.exe

Suspicious Scripting in a WMI Consumer

Description

Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers

Detection logic

condition: selection_destination
selection_destination:
- Destination|contains|all:
  - new-object
  - net.webclient
  - .downloadstring
- Destination|contains|all:
  - new-object
  - net.webclient
  - .downloadfile
- Destination|contains:
  - ' iex('
  - ' -nop '
  - ' -noprofile '
  - ' -decode '
  - ' -enc '
  - WScript.Shell
  - System.Security.Cryptography.FromBase64Transform