Detectionhightest

WScript or CScript Dropper - File

Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Tim SheltonCreated Mon Jan 10Updated Fri Dec 02002bdb95-0cf1-46a6-9e08-d38c128a6127windows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        TargetFilename|startswith:
            - 'C:\Users\'
            - 'C:\ProgramData'
        TargetFilename|endswith:
            - '.jse'
            - '.vbe'
            - '.js'
            - '.vba'
            - '.vbs'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)

MITRE ATT&CK

Tactics

TA0002 · Execution

Sub-techniques

T1059.005 · Visual Basic T1059.007 · JavaScript

Related Rules

DerivedDetectionmedium

Potential Dropper Script Execution Via WScript/CScript

Detects wscript/cscript executions of scripts located in user directories

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

002bdb95-0cf1-46a6-9e08-d38c128a6127

Status

test

Level

high

Type

Detection

Created

Mon Jan 10

Modified

Fri Dec 02

Author

Tim Shelton

Path

rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml

Raw Tags

attack.executionattack.t1059.005attack.t1059.007

View on GitHub