Rule: Cloud Hopper WmiExec VBS

rules/apt/apt_cloudhopper.yml

@@ -0,0 +1,16 @@
+title: Detects an Execution of WMIExec VBS Script
+description: Detects suspicious file execution by wscript and cscript
+author: Florian Roth
+reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        Image: '*\cscript.exe'
+        CommandLine: '*.vbs /shell *'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: critical