WScript/CScript Dropper

rules/windows/sysmon/sysmon_malware_script_dropper.yml

@@ -0,0 +1,25 @@
+title: WScript or CScript Dropper
+status: experimental
+description: Detects wscript/cscript executions of scripts located in user directories
+author: Margaritis Dimitrios (idea), Florian Roth (rule)
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        Image:
+            - '*\wscript.exe'
+            - '*\cscript.exe'
+        CommandLine:
+            - '* C:\Users\*.jse *'
+            - '* C:\Users\*.vbe *'
+            - '* C:\Users\*.js *'
+            - '* C:\Users\*.vba *'
+    falsepositive:
+        ParentImage: '*\winzip*'
+    condition: selection
+falsepositives:
+    - Winzip
+    - Other self-extractors
+level: high