GatherNetworkInfo.VBS Reconnaissance Script Output
Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Events for file system activity including creation, modification, and deletion.
detection:
selection:
TargetFilename|startswith: 'C:\Windows\System32\config'
TargetFilename|endswith:
- '\Hotfixinfo.txt'
- '\netiostate.txt'
- '\sysportslog.txt'
- '\VmSwitchLog.evtx'
condition: selectionFalse positive likelihood has not been assessed. Additional context may be needed during triage.
Tactics
Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
Detects similar activity. Both rules may fire on overlapping events.
Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
Detects similar activity. Both rules may fire on overlapping events.