Some installers might generate similar behavior. An initial baseline is required.

Techniques

Sample rules

Potential Dropper Script Execution Via WScript/CScript

Description

Detects wscript.exe/cscript.exe executing script files (.js, .jse, .vba, .vbe, .vbs, .wsf) located in temporary or world-writable user directories such as %TEMP%, C:\Windows\Temp and C:\Users\Public

Detection logic

condition: all of selection_*
selection_exec:
  Image|endswith:
  - \wscript.exe
  - \cscript.exe
selection_ext:
  CommandLine|contains:
  - .js
  - .jse
  - .vba
  - .vbe
  - .vbs
  - .wsf
selection_paths:
  CommandLine|contains:
  - :\Temp\
  - :\Tmp\
  - :\Users\Public\
  - :\Windows\Temp\
  - \AppData\Local\Temp\
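To see how the three selections combine, and how the installer false positive noted at the top of the page is handled in practice, here is an added example that evaluates the rule over constructed Sysmon Event ID 1 style process-creation events and then suppresses hits against a baseline of known installer behavior. This is illustration code written for this page, not the LoFP project's or SigmaHQ's own evaluator; the event dicts, the `id` field and the (parent image, script name) baseline format are assumptions, not something the rule or the page specifies.

```python
import re

# Added example, not from the LoFP page or SigmaHQ. Field names follow Sysmon
# Event ID 1 (Image, CommandLine, ParentImage); the events below are constructed.

# The rule's selections, transcribed from the page. Sigma string matching is
# case-insensitive by default, so every comparison lowercases both sides.
RULE = {
    "selection_exec": {"Image|endswith": ["\\wscript.exe", "\\cscript.exe"]},
    "selection_ext": {"CommandLine|contains": [".js", ".jse", ".vba", ".vbe", ".vbs", ".wsf"]},
    "selection_paths": {"CommandLine|contains": [
        ":\\Temp\\", ":\\Tmp\\", ":\\Users\\Public\\", ":\\Windows\\Temp\\", "\\AppData\\Local\\Temp\\",
    ]},
}
SCRIPT_EXTS = tuple(RULE["selection_ext"]["CommandLine|contains"])


def field_matches(event, spec, values):
    """True if the event field satisfies the modifier for ANY of the listed values."""
    field, modifier = spec.split("|")
    actual = str(event.get(field, "")).lower()
    for wanted in (v.lower() for v in values):
        if modifier == "endswith" and actual.endswith(wanted):
            return True
        if modifier == "contains" and wanted in actual:
            return True
    return False


def rule_matches(event):
    """condition: all of selection_* -> every selection must match."""
    return all(
        field_matches(event, spec, values)
        for selection in RULE.values()
        for spec, values in selection.items()
    )


def script_basename(cmdline):
    """Return the lowercased file name of the first script-looking argument, or ''."""
    for token in re.findall(r'[^\s"]+', cmdline):
        if token.lower().endswith(SCRIPT_EXTS):
            return token.rsplit("\\", 1)[-1].lower()
    return ""


def triage(events, baseline):
    """Apply the rule, then suppress hits present in the installer baseline.

    baseline holds (parent image basename, script basename) pairs recorded during
    the initial baselining period the false-positive note asks for. That pairing
    is an assumed format for this example, not something the page prescribes."""
    results = []
    for ev in events:
        if not rule_matches(ev):
            results.append((ev["id"], "no_match"))
            continue
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        key = (parent, script_basename(ev["CommandLine"]))
        results.append((ev["id"], "baselined" if key in baseline else "alert"))
    return results


# Constructed sample events (not real telemetry).
EVENTS = [
    {"id": 1, "Image": "C:\\Windows\\System32\\wscript.exe",           # dropper from user TEMP
     "CommandLine": '"C:\\Windows\\System32\\wscript.exe" "C:\\Users\\alice\\AppData\\Local\\Temp\\Invoice_2291.js"',
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"id": 2, "Image": "C:\\Windows\\System32\\cscript.exe",           # installer helper script
     "CommandLine": "cscript.exe //nologo C:\\Windows\\Temp\\VendorSetup\\configure.vbs",
     "ParentImage": "C:\\Windows\\Temp\\VendorSetup\\setup.exe"},
    {"id": 3, "Image": "C:\\Windows\\System32\\cscript.exe",           # system script, not a flagged path
     "CommandLine": "cscript.exe C:\\Windows\\System32\\slmgr.vbs /dlv",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 4, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",  # wrong host binary
     "CommandLine": "powershell.exe -File C:\\Users\\Public\\run.vbs",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"id": 5, "Image": "C:\\WINDOWS\\SYSTEM32\\WSCRIPT.EXE",           # mixed case must still match
     "CommandLine": "WSCRIPT.EXE C:\\USERS\\PUBLIC\\UPDATE.VBS",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]

# Pairs observed during baselining; assumed for the example.
BASELINE = {("setup.exe", "configure.vbs")}

if __name__ == "__main__":
    for event_id, status in triage(EVENTS, BASELINE):
        print(f"event {event_id}: {status}")
```

Two things the run makes visible that the YAML alone does not: the `contains` modifier on `.js` is deliberately loose, so a command line mentioning `.json` or `.jsp` under one of the listed paths also satisfies `selection_ext`, and the baseline only removes the installer hit (event 2) while the same script host launched from `explorer.exe` against a TEMP `.js` file (event 1) still alerts. Keep the baseline keyed on something the attacker does not control as easily as a file name; the parent image plus script name used here is the minimum, and a signed-installer check on the parent is a better anchor where the telemetry provides it.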