LoFP / legitimate vbscript

Techniques

Sample rules

New BgInfo.EXE Custom VBScript Registry Configuration

Description

Detects the setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via “BgInfo.exe”.

Detection logic

detection:
  selection:
    EventType: SetValue
    # BgInfo keeps its user-defined fields under this key; the leading '4' in the value data marks a VBScript-type field
    TargetObject|contains: '\Software\Winternals\BGInfo\UserFields\'
    Details|startswith: '4'
  condition: selection