Potential Dropper Script Execution Via WScript/CScript/MSHTA
- source: sigma
- techniques:
- t1059
- t1059.005
- t1059.007
Description
Detects wscript/cscript/mshta executions of scripts located in user directories
Detection logic
    condition: all of selection_*
    selection_exec:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
    selection_ext:
        CommandLine|contains:
            - '.hta'
            - '.js'
            - '.jse'
            - '.vba'
            - '.vbe'
            - '.vbs'
            - '.wsf'
            - '.wsh'
    selection_paths:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\Temp\'
            - '\Start Menu\Programs\Startup\'
            - '\Temporary Internet'
            - '\Windows\Temp'
            - '%LocalAppData%\Temp\'
            - '%TEMP%'
            - '%TMP%'
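To show how the three selections combine under `all of selection_*`, here is an added Python evaluator (not part of Sigma or this rule) that applies the rule's `endswith`/`contains` logic, case-insensitively as Sigma does by default, to a few constructed process-creation events:

```python
# Added illustration of the rule's logic; not Sigma's own evaluator.
# Sigma string modifiers match case-insensitively by default, so
# every value is lower-cased before comparison.

SELECTION_EXEC = ["\\wscript.exe", "\\cscript.exe", "\\mshta.exe"]
SELECTION_EXT = [".hta", ".js", ".jse", ".vba", ".vbe", ".vbs", ".wsf", ".wsh"]
SELECTION_PATHS = [
    ":\\Perflogs\\", ":\\Temp\\", ":\\Tmp\\", ":\\Users\\Public\\",
    ":\\Windows\\Temp\\", "\\AppData\\Local\\Temp\\",
    "\\AppData\\Roaming\\Temp\\", "\\Start Menu\\Programs\\Startup\\",
    "\\Temporary Internet", "\\Windows\\Temp",
    "%LocalAppData%\\Temp\\", "%TEMP%", "%TMP%",
]

def _endswith_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def _contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)

def matches_rule(event):
    """True only when all three selections match (condition: all of selection_*)."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    return (_endswith_any(image, SELECTION_EXEC)
            and _contains_any(cmd, SELECTION_EXT)
            and _contains_any(cmd, SELECTION_PATHS))

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe C:\\Users\\Public\\invoice.js"},              # fires
    {"Image": "C:\\Windows\\System32\\cscript.exe",
     "CommandLine": "cscript.exe C:\\Scripts\\inventory.vbs"},                 # path not listed
    {"Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe \"C:\\Users\\alice\\AppData\\Local\\Temp\\page.hta\""},  # fires
    {"Image": "C:\\Program Files\\Tool\\tool.exe",
     "CommandLine": "tool.exe %TEMP%\\x.vbs"},                                 # wrong image
]

def evaluate(events):
    """Return the indices of events that the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]

if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        print("alert:", SAMPLE_EVENTS[i]["CommandLine"])
```

Because `selection_ext` is a plain substring match, a value such as `.js` also matches command lines containing `.json`, so expect some tuning against local baselines.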