SigmaHQ/rules/windows/process_creation/win_apt_cloudhopper.yml

27 lines
663 B
YAML
Raw Normal View History

2018-01-27 09:57:30 +00:00
title: WMIExec VBS Script
2019-11-12 22:12:27 +00:00
id: 966e4016-627f-44f7-8341-f394905c361f
2017-04-07 15:41:53 +00:00
description: Detects suspicious file execution by wscript and cscript
author: Florian Roth
date: 2017/04/07
references:
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
2018-07-25 07:50:01 +00:00
tags:
- attack.execution
- attack.g0045
- attack.t1064 # an old one
2020-06-16 20:46:08 +00:00
- attack.t1059.005
2017-04-07 15:41:53 +00:00
logsource:
2019-03-02 18:05:15 +00:00
category: process_creation
2017-04-07 15:41:53 +00:00
product: windows
detection:
selection:
2020-10-15 20:27:27 +00:00
Image|endswith: '\cscript.exe'
CommandLine|contains: '.vbs /shell '
2017-04-07 15:41:53 +00:00
condition: selection
2017-09-12 21:54:04 +00:00
fields:
- CommandLine
- ParentCommandLine
2017-04-07 15:41:53 +00:00
falsepositives:
- Unlikely
level: critical