Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Potential Register_App.Vbs LOLScript Abuse

Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Austin SongerCreated Fri Nov 05Updated Thu Jul 0728c8f68b-098d-45af-8d43-8089f3e35403windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - Image|endswith:
              - '\cscript.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'cscript.exe'
              - 'wscript.exe'
    selection_cli:
        CommandLine|contains: '.vbs -register ' # register_app.vbs
    condition: all of selection*
False Positives

Other VB scripts that leverage the same starting command line flags

References
1
Resolving title…
twitter.com
2
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
28c8f68b-098d-45af-8d43-8089f3e35403
Status
test
Level
medium
Type
Detection
Created
Fri Nov 05
Modified
Thu Jul 07
Author
Austin Songer
Path
rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml
Raw Tags
attack.defense-evasionattack.t1218
View on GitHub