title: WMIExec VBS Script id: 966e4016-627f-44f7-8341-f394905c361f description: Detects suspicious file execution by wscript and cscript author: Florian Roth date: 2017/04/07 references: - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf tags: - attack.execution - attack.g0045 - attack.t1064 # an old one - attack.t1059.005 logsource: category: process_creation product: windows detection: selection: Image|endswith: '\cscript.exe' CommandLine|contains: '.vbs /shell ' condition: selection fields: - CommandLine - ParentCommandLine falsepositives: - Unlikely level: critical