Potential Register_App.Vbs LOLScript Abuse
- source: sigma
- techniques:
  - T1218
Description
Detects potential abuse of the "register_app.vbs" script that ships with the Windows SDK. The script can register a new VSS/VDS provider as a COM+ application, which means it loads an attacker-supplied DLL through a signed, legitimate script host. Attackers can use this to install malicious DLLs for persistence and execution without dropping a new executable of their own.
Detection logic
```yaml
detection:
    selection_img:
        - Image|endswith:
              - '\cscript.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'cscript.exe'
              - 'wscript.exe'
    selection_cli:
        CommandLine|contains: '.vbs -register '
    condition: all of selection*
```
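To show how the two selections combine, here is the rule's logic re-implemented in plain Python and run over a handful of constructed Sysmon Event ID 1 style records. This is an added example, not the Sigma project's code or its reference evaluator; the event records are made up for illustration, and the argument order after `-register` in the sample command lines is assumed, not taken from the SDK documentation. It follows Sigma's default semantics: string modifiers compare case-insensitively, a YAML list under a selection is OR-ed, and `all of selection*` AND-s the selections together.

```python
# Added example: evaluates the register_app.vbs Sigma selections over
# constructed process-creation events. Not the Sigma project's own code.

from typing import Dict, List

Event = Dict[str, str]

# Sigma string modifiers are case-insensitive by default, so every
# comparison below lowercases both sides.
IMAGE_SUFFIXES = ["\\cscript.exe", "\\wscript.exe"]
ORIGINAL_FILENAMES = ["cscript.exe", "wscript.exe"]
CLI_NEEDLE = ".vbs -register "  # trailing space copied from the rule


def selection_img(event: Event) -> bool:
    """The YAML list under selection_img is OR-ed: either field suffices.

    The OriginalFileName branch is what catches a renamed copy of the
    script host, since Image alone only sees the on-disk file name.
    """
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES) or ofn in ORIGINAL_FILENAMES


def selection_cli(event: Event) -> bool:
    """CommandLine|contains: '.vbs -register ' (substring, case-insensitive)."""
    return CLI_NEEDLE in event.get("CommandLine", "").lower()


def matches(event: Event) -> bool:
    """condition: all of selection*  ->  every selection must hold."""
    return selection_img(event) and selection_cli(event)


def run_rule(events: List[Event]) -> List[int]:
    """Return the indices of the events the rule fires on."""
    return [i for i, e in enumerate(events) if matches(e)]


# Constructed sample events (not real telemetry). Argument order after
# -register is illustrative only.
SAMPLE_EVENTS: List[Event] = [
    {   # 0: textbook abuse, script host run from System32
        "Image": "C:\\Windows\\System32\\cscript.exe",
        "OriginalFileName": "cscript.exe",
        "CommandLine": 'cscript.exe C:\\SDK\\register_app.vbs -register C:\\Users\\Public\\evil.dll "Evil VSS Provider"',
    },
    {   # 1: script host copied and renamed; only OriginalFileName gives it away
        "Image": "C:\\Users\\Public\\svchost.exe",
        "OriginalFileName": "wscript.exe",
        "CommandLine": 'svchost.exe register_app.vbs -register C:\\Users\\Public\\evil.dll "Evil VSS Provider"',
    },
    {   # 2: legitimate logon script, no -register switch
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "OriginalFileName": "wscript.exe",
        "CommandLine": "wscript.exe C:\\Scripts\\logon.vbs",
    },
    {   # 3: the needle appears in the command line, but not in a script host
        "Image": "C:\\Windows\\System32\\findstr.exe",
        "OriginalFileName": "FINDSTR.EXE",
        "CommandLine": 'findstr.exe /c:".vbs -register " C:\\logs\\proc.log',
    },
    {   # 4: -register with nothing after it: the trailing space in the needle is absent
        "Image": "C:\\Windows\\System32\\cscript.exe",
        "OriginalFileName": "cscript.exe",
        "CommandLine": "cscript.exe C:\\SDK\\register_app.vbs -register",
    },
]


if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 0 and 1 fire; event 1 only because the rule keys on `OriginalFileName` as well as `Image`, so keep that branch when porting the rule to a backend whose process events lack that field, or accept that a renamed `cscript.exe` becomes a miss. Event 4 shows the effect of the trailing space in `'.vbs -register '`: a bare `-register` with no DLL argument does not match, which is acceptable since nothing gets registered, but it is worth knowing when tuning.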