title: WScript or CScript Dropper
id: cea72823-df4d-4567-950c-0b579eaf0846
status: experimental
description: Detects wscript/cscript executions of scripts located in user directories
author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community
date: 2019/01/16
modified: 2020/09/01
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
    - attack.defense_evasion  # an old one
    - attack.t1064  # an old one
detection:
    selection1:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        CommandLine|contains:
            - 'C:\Users\'
            - 'C:\ProgramData\'
    selection2:
        CommandLine|contains:
            - '.jse'
            - '.vbe'
            - '.js'
            - '.vba'
            - '.vbs'
    falsepositive:
        ParentImage|contains: '\winzip'
    condition: selection1 and selection2 and not falsepositive
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Winzip
    - Other self-extractors
level: high
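To see what this condition actually fires on, the following added example (not part of the rule above or of the Sigma project's code) re-implements just the Sigma semantics this rule needs, `endswith` and `contains` with Sigma's default case-insensitive matching, list values OR-ed, fields within a selection AND-ed, and runs it over a handful of constructed process-creation events. The event dictionaries, paths and file names are made up for illustration; they are not captured telemetry.

```python
"""Evaluate the 'WScript or CScript Dropper' Sigma logic over sample events.

Added example, not part of the Sigma rule or the Sigma project's code.
Implements only the subset of Sigma matching this rule uses: `endswith`,
`contains`, list patterns OR-ed, fields in a selection AND-ed, and the
condition `selection1 and selection2 and not falsepositive`, with Sigma's
default case-insensitive string comparison.
"""

# Transcription of the rule's detection block. Note the `C:\Users\` and
# `C:\ProgramData\` patterns end in a backslash, so they cannot be raw strings.
RULE = {
    "selection1": {
        "Image|endswith": [r"\wscript.exe", r"\cscript.exe"],
        "CommandLine|contains": ["C:\\Users\\", "C:\\ProgramData\\"],
    },
    "selection2": {
        "CommandLine|contains": [".jse", ".vbe", ".js", ".vba", ".vbs"],
    },
    "falsepositive": {
        "ParentImage|contains": [r"\winzip"],
    },
}


def _field_matches(value: str, modifier: str, patterns: list[str]) -> bool:
    """One field against a list of patterns: any pattern may match (OR)."""
    v = value.lower()
    for p in patterns:
        p = p.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
    return False


def selection_matches(event: dict, selection: dict) -> bool:
    """Every field in a selection must match (AND); an absent field never matches."""
    for key, patterns in selection.items():
        field, modifier = key.split("|", 1)
        if field not in event:
            return False
        if isinstance(patterns, str):
            patterns = [patterns]
        if not _field_matches(str(event[field]), modifier, patterns):
            return False
    return True


def rule_matches(event: dict) -> bool:
    """condition: selection1 and selection2 and not falsepositive"""
    s1 = selection_matches(event, RULE["selection1"])
    s2 = selection_matches(event, RULE["selection2"])
    fp = selection_matches(event, RULE["falsepositive"])
    return s1 and s2 and not fp


# Constructed Sysmon EventID 1 style process-creation events (not real logs).
EVENTS = [
    {   # classic dropper: wscript running a .js out of a user profile -> alert
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\AppData\Local\Temp\invoice_0423.js"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # mixed case and a ProgramData staging path -> still alerts (case-insensitive)
        "Image": r"c:\windows\syswow64\CSCRIPT.EXE",
        "CommandLine": r"CSCRIPT.EXE //E:jscript C:\ProgramData\update.jse",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # admin script under a system path -> no alert, selection1 path miss
        "Image": r"C:\Windows\System32\cscript.exe",
        "CommandLine": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # same shape as event 1 but spawned by WinZip -> suppressed by falsepositive
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'wscript.exe "C:\Users\bob\Desktop\setup.vbs"',
        "ParentImage": r"C:\Program Files\WinZip\winzip64.exe",
    },
    {   # '.js' is a substring pattern, so a .json argument also satisfies selection2
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"wscript.exe C:\Users\bob\tool.wsf C:\Users\bob\config.json",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def evaluate(events=EVENTS) -> list[bool]:
    """Return one verdict per event, in input order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(EVENTS, evaluate()):
        print(("ALERT  " if hit else "ignore ") + e["CommandLine"])
```

The last event is the caveat worth keeping in mind when tuning: `contains: '.js'` is a substring test, so any command line carrying a `.json` or `.jsx` argument under `C:\Users\` satisfies `selection2` even when the script actually executed has a `.wsf` extension that the list does not cover. The `falsepositive` selection likewise keys only on the parent image path containing `\winzip`, so other self-extractors listed under `falsepositives` still have to be filtered on the SIEM side.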