Type: Detection | Level: high | Status: test
Outbound Network Connection Initiated By Script Interpreter
Detects the script interpreters wscript.exe or cscript.exe initiating an outbound network connection to a non-local address. Adversaries may use scripts to download malicious payloads.
Author: François Hubaut, Florian Roth (Nextron Systems)
Created: Sun Aug 28
Updated: Wed Mar 13
Rule ID: 992a6cae-db6a-43c8-9cec-76d7195c96fc
Product: windows
Log Source
Windows / Network Connection
Product: Windows (raw: windows)
Category: Network Connection (raw: network_connection)
Events for outbound and inbound network connections including DNS resolution.
Detection Logic (3 selectors)
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128' # IPv6 loopback
            - 'fe80::/10' # IPv6 link-local addresses
            - 'fc00::/7' # IPv6 private addresses
    filter_main_ms_ranges:
        DestinationIp|cidr: '20.0.0.0/11' # Microsoft range, caused some FPs
    condition: selection and not 1 of filter_main_*

False Positives
Legitimate scripts
References
MITRE ATT&CK
Tactics: Command and Control (attack.command-and-control)
Techniques: T1105 Ingress Tool Transfer (attack.t1105)
Rule Metadata
Rule ID
992a6cae-db6a-43c8-9cec-76d7195c96fc
Status
test
Level
high
Type
Detection
Created
Sun Aug 28
Modified
Wed Mar 13
Path
rules/windows/network_connection/net_connection_win_wscript_cscript_outbound_connection.yml
Raw Tags
attack.command-and-control, attack.t1105