title: WScript or CScript Dropper
status: experimental
description: Detects wscript/cscript executions of scripts located in user directories
author: Margaritis Dimitrios (idea), Florian Roth (rule)
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        Image:
            - '*\wscript.exe'
            - '*\cscript.exe'
        CommandLine:
            - '* C:\Users\\*.jse *'
            - '* C:\Users\\*.vbe *'
            - '* C:\Users\\*.js *'
            - '* C:\Users\\*.vba *'
            - '* C:\Users\\*.vbs *'
            - '* C:\ProgramData\\*.jse *'
            - '* C:\ProgramData\\*.vbe *'
            - '* C:\ProgramData\\*.js *'
            - '* C:\ProgramData\\*.vba *'
            - '* C:\ProgramData\\*.vbs *'
    falsepositive:
        ParentImage: '*\winzip*'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Winzip
    - Other self-extractors
level: high