Techniques
Sample rules
Local Network Connection Initiated By Script Interpreter
- source: sigma
- techniques:
  - t1105
Description
Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
Detection logic
condition: selection
selection:
    DestinationIp|cidr:
        - 127.0.0.0/8
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
        - 169.254.0.0/16
        - ::1/128
        - fe80::/10
        - fc00::/7
    Image|endswith:
        - \wscript.exe
        - \cscript.exe
    Initiated: 'true'
Outbound Network Connection Initiated By Script Interpreter
- source: sigma
- techniques:
  - t1105
Description
Detects a script interpreter (wscript/cscript) opening a network connection to a non-local network. Adversaries may use scripts to download malicious payloads.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_local_ranges:
    DestinationIp|cidr:
        - 127.0.0.0/8
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
        - 169.254.0.0/16
        - ::1/128
        - fe80::/10
        - fc00::/7
filter_main_ms_ranges:
    DestinationIp|cidr: 20.0.0.0/11
selection:
    Image|endswith:
        - \wscript.exe
        - \cscript.exe
    Initiated: 'true'
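To show how the two rules above partition the same telemetry, here is an added Python evaluator (not part of the Sigma rule set) that implements the cidr and endswith modifiers and the `selection and not 1 of filter_main_*` condition over constructed Sysmon Event ID 3 records; the field names follow the rules, the sample events are made up.

```python
import ipaddress

# CIDR lists and image suffixes copied from the two rules above.
LOCAL_RANGES = [
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
]
MS_RANGES = ["20.0.0.0/11"]
INTERPRETERS = ["\\wscript.exe", "\\cscript.exe"]

def cidr_match(value, ranges):
    """Sigma 'cidr' modifier: true if value is an IP inside any listed range."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False  # hostnames or empty fields never match a cidr list
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)

def endswith_match(value, suffixes):
    """Sigma 'endswith' modifier; string matching is case-insensitive by default."""
    return any(str(value).lower().endswith(s.lower()) for s in suffixes)

def selection(event):
    """Shared 'selection' block: a script interpreter that initiated the connection."""
    return (endswith_match(event.get("Image", ""), INTERPRETERS)
            and str(event.get("Initiated", "")).lower() == "true")

def local_connection_rule(event):
    """Rule 1: condition 'selection', with DestinationIp|cidr inside the selection."""
    return selection(event) and cidr_match(event.get("DestinationIp", ""), LOCAL_RANGES)

def outbound_connection_rule(event):
    """Rule 2: condition 'selection and not 1 of filter_main_*'."""
    dst = event.get("DestinationIp", "")
    filters = [cidr_match(dst, LOCAL_RANGES), cidr_match(dst, MS_RANGES)]
    return selection(event) and not any(filters)

# Constructed Sysmon Event ID 3 records (not real telemetry) for a quick check.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "DestinationIp": "192.168.1.20", "Initiated": "true"},
    {"Image": r"C:\Windows\System32\cscript.exe", "DestinationIp": "203.0.113.7", "Initiated": "true"},
    {"Image": r"C:\Windows\System32\WScript.exe", "DestinationIp": "20.12.34.56", "Initiated": "true"},
    {"Image": r"C:\Windows\System32\cscript.exe", "DestinationIp": "fe80::1", "Initiated": "true"},
    {"Image": r"C:\Windows\System32\cscript.exe", "DestinationIp": "198.51.100.9", "Initiated": "false"},
]

def evaluate(events):
    """Label each event with the rule names it triggers (empty list = no alert)."""
    rules = {"local": local_connection_rule, "outbound": outbound_connection_rule}
    return [[name for name, rule in rules.items() if rule(e)] for e in events]
```

Note that the third event (a Microsoft 20.0.0.0/11 destination) is suppressed by the outbound rule's filter and, being non-local, never reaches the local rule, so it produces no alert at all.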