title: Suspicious Usage of the Manage-bde.wsf Script
id: c363385c-f75d-4753-a108-c1a8e28bdbda
description: Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script
status: experimental
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Manage-bde.yml
    - https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
    - https://twitter.com/bohops/status/980659399495741441
    - https://twitter.com/JohnLaTwC/status/1223292479270600706
tags:
    - attack.defense_evasion
    - attack.t1216
date: 2020/10/13
modified: 2021/05/21
author: oscd.community, Natalia Shornikova
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
          - 'cscript'
          - 'manage-bde.wsf'
    condition: selection
falsepositives:
 - Unknown
level: medium