SigmaHQ/rules/windows/sysmon/sysmon_susp_script_execution.yml

title: WSF/JSE/JS/VBA/VBE File Execution
status: experimental
description: Detects suspicious file execution by wscript and cscript
author: Michael Haag
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        Image:
            - '*\wscript.exe'
            - '*\cscript.exe'
        CommandLine:
            - '*.jse'
            - '*.vbe'
            - '*.js'
            - '*.vba'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.
level: medium
Massive Title Cleanup 2018-01-27 09:57:30 +00:00			`title: WSF/JSE/JS/VBA/VBE File Execution`
wscript/cscript WSF, JSE, JS, VBA and VBE file execution 2017-03-04 22:40:34 +00:00			`status: experimental`
Renamed and removed double space 2017-03-16 17:58:32 +00:00			`description: Detects suspicious file execution by wscript and cscript`
wscript/cscript WSF, JSE, JS, VBA and VBE file execution 2017-03-04 22:40:34 +00:00			`author: Michael Haag`
			`logsource:`
Sysmon as 'service' of product 'windows' 2017-03-13 08:23:08 +00:00			`product: windows`
			`service: sysmon`
wscript/cscript WSF, JSE, JS, VBA and VBE file execution 2017-03-04 22:40:34 +00:00			`detection:`
			`selection:`
			`EventID: 1`
			`Image:`
			`- '*\wscript.exe'`
			`- '*\cscript.exe'`
			`CommandLine:`
			`- '*.jse'`
			`- '*.vbe'`
			`- '*.js'`
			`- '*.vba'`
			`condition: selection`
Added field names to first rules 2017-09-12 21:54:04 +00:00			`fields:`
			`- CommandLine`
			`- ParentCommandLine`
wscript/cscript WSF, JSE, JS, VBA and VBE file execution 2017-03-04 22:40:34 +00:00			`falsepositives:`
			`- Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.`
			`level: medium`