Detection / medium / test
Local Network Connection Initiated By Script Interpreter
Detects a script interpreter (wscript.exe or cscript.exe) initiating a network connection to a loopback, link-local or private address, as happens when a script hosted on a shared folder is downloaded or executed. Connections to public addresses are deliberately excluded so that this rule does not duplicate the alerts of rule 992a6cae-db6a-43c8-9cec-76d7195c96fc.
Log Source
Windows / Network Connection
Product: Windows (raw: windows)
Category: Network Connection (raw: network_connection)
Events for outbound and inbound network connections including DNS resolution.
Detection Logic
detection:
  selection:
    Initiated: 'true'
    Image|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
    # Note: This list is added to avoid duplicate alerting with 992a6cae-db6a-43c8-9cec-76d7195c96fc
    DestinationIp|cidr:
      - '127.0.0.0/8'
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
      - '169.254.0.0/16'
      - '::1/128'    # IPv6 loopback
      - 'fe80::/10'  # IPv6 link-local addresses
      - 'fc00::/7'   # IPv6 unique local (private) addresses
  condition: selection
False Positives
Legitimate scripts
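To check what the selection above actually fires on, here is the rule's logic evaluated in Python over a handful of constructed Sysmon network_connection events. This is an added example, not code from the rule or from SigmaHQ; the event dictionaries are made up for illustration and the field names (Image, Initiated, DestinationIp) are the Sysmon names the rule already uses. Sigma string matching is case-insensitive, and the cidr modifier is a true network-membership test, so "172.32.0.5" is outside 172.16.0.0/12 and a public address is left to the sibling rule.

```python
import ipaddress

# Networks copied from the rule's DestinationIp|cidr list.
LOCAL_CIDRS = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# Image|endswith values from the rule (compared case-insensitively, as Sigma does).
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")


def is_local_destination(ip_text: str) -> bool:
    """Sigma 'cidr' modifier: true if the address lies in any listed network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # empty or malformed field never matches
    return any(ip in net for net in LOCAL_CIDRS)


def matches_rule(event: dict) -> bool:
    """Evaluate the rule's single 'selection' (all three fields must match)."""
    initiated = str(event.get("Initiated", "")).lower() == "true"
    image = str(event.get("Image", "")).lower()
    host_ok = any(image.endswith(s) for s in SCRIPT_HOSTS)
    return initiated and host_ok and is_local_destination(event.get("DestinationIp", ""))


# Constructed sample events (Sysmon event ID 3 shape, hypothetical values).
SAMPLE_EVENTS = [
    # 1: cscript opening SMB to a file server on the LAN -> alert
    {"Image": "C:\\Windows\\System32\\cscript.exe", "Initiated": "true",
     "DestinationIp": "10.20.30.40", "DestinationPort": 445},
    # 2: wscript to an IPv6 link-local share -> alert
    {"Image": "C:\\Windows\\SysWOW64\\wscript.exe", "Initiated": "true",
     "DestinationIp": "fe80::1c2b:3d4e:5f60:7182", "DestinationPort": 445},
    # 3: wscript to a public address -> covered by the sibling rule, no alert here
    {"Image": "C:\\Windows\\System32\\wscript.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # 4: 172.32.x.x is outside 172.16.0.0/12 -> not local, no alert
    {"Image": "C:\\Windows\\System32\\cscript.exe", "Initiated": "true",
     "DestinationIp": "172.32.0.5", "DestinationPort": 445},
    # 5: inbound connection accepted by cscript -> Initiated is false, no alert
    {"Image": "C:\\Windows\\System32\\cscript.exe", "Initiated": "false",
     "DestinationIp": "192.168.1.10", "DestinationPort": 5985},
    # 6: a different interpreter to the same local destination -> no alert
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Initiated": "true", "DestinationIp": "192.168.1.10", "DestinationPort": 445},
]


def alerting_events(events):
    """Return the 1-based indices of events that match the rule."""
    return [i for i, e in enumerate(events, 1) if matches_rule(e)]


if __name__ == "__main__":
    print("alerting events:", alerting_events(SAMPLE_EVENTS))
```

Event 5 is the case worth remembering when tuning: an accepted (inbound) connection to a script host carries Initiated=false and is not in scope, so a listener spawned by cscript.exe needs a different rule.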
MITRE ATT&CK
Tactics: Command and Control
Techniques: T1105 (Ingress Tool Transfer)
Rule Metadata
Rule ID
08249dc0-a28d-4555-8ba5-9255a198e08c
Status
test
Level
medium
Type
Detection
Created
Sun Aug 28
Modified
Fri May 31
Author
Path
rules/windows/network_connection/net_connection_win_wscript_cscript_local_connection.yml
Raw Tags
attack.command-and-control, attack.t1105