LoFP / legitimate use when App-V is deployed

Techniques

Sample rules

Use of Scriptrunner.exe

Description

The "ScriptRunner.exe" binary (shipped with the Microsoft App-V client) can be abused to proxy the execution of a script through it and thereby bypass application whitelisting; the same invocation is also what legitimate App-V deployments produce, which is the source of the false positive named in the title.

Detection logic

selection_img:
  - Image|endswith: \ScriptRunner.exe
  - OriginalFileName: ScriptRunner.exe
selection_cli:
  CommandLine|contains: ' -appvscript '
condition: all of selection*
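To make the rule's behaviour concrete, the following added example (not part of the LoFP page or of the Sigma rule itself) evaluates the two selections and the `all of selection*` condition over a handful of constructed process-creation events. The file paths, command lines and event ids are invented for the demonstration; Sigma string matching is case-insensitive by default, which the matcher reproduces. The output shows both the legitimate App-V invocation and a renamed copy caught via OriginalFileName matching the rule, which is exactly why the rule needs environment-specific tuning where App-V is deployed.

```python
"""Evaluate the ScriptRunner.exe Sigma selections against constructed events."""
from typing import Dict, List


def matches_scriptrunner_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies 'all of selection*'.

    selection_cli : CommandLine|contains ' -appvscript '
    selection_img : Image|endswith \\ScriptRunner.exe  OR  OriginalFileName == ScriptRunner.exe
    Sigma compares strings case-insensitively unless a modifier says otherwise.
    """
    cli = event.get("CommandLine", "").lower()
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()

    selection_cli = " -appvscript " in cli
    selection_img = image.endswith("\\scriptrunner.exe") or orig == "scriptrunner.exe"
    return selection_cli and selection_img


# Constructed sample events (paths and ids are made up for the example).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # legitimate App-V client running a package script: matches (the false positive)
        "id": "app-v-legit",
        "Image": r"C:\AppVClient\ScriptRunner.exe",
        "OriginalFileName": "ScriptRunner.exe",
        "CommandLine": r"ScriptRunner.exe -appvscript setup.cmd",
    },
    {   # binary copied and renamed; still matches through OriginalFileName
        "id": "renamed-copy",
        "Image": r"C:\Users\Public\sr.exe",
        "OriginalFileName": "ScriptRunner.exe",
        "CommandLine": r"sr.exe -appvscript script.ps1",
    },
    {   # ScriptRunner.exe without the -appvscript switch: selection_cli fails
        "id": "help-only",
        "Image": r"C:\AppVClient\ScriptRunner.exe",
        "OriginalFileName": "ScriptRunner.exe",
        "CommandLine": r"ScriptRunner.exe /?",
    },
    {   # unrelated binary with the same switch text: selection_img fails
        "id": "other-binary",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe -appvscript notes.txt",
    },
]


def evaluate(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of all events the rule would alert on."""
    return [e["id"] for e in events if matches_scriptrunner_rule(e)]


if __name__ == "__main__":
    for event_id in evaluate(SAMPLE_EVENTS):
        print("alert:", event_id)
```

Running the script prints alerts for `app-v-legit` and `renamed-copy` only. Because the rule cannot tell the legitimate App-V invocation from the renamed copy on these fields alone, an environment with App-V should add its own filter (for example on the expected installation path) rather than disable the rule.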