SigmaHQ/rules/windows/process_creation/win_susp_vbscript_unc2452.yml

title: Suspicious VBScript UN2452 Pattern
id: 20c3f09d-c53d-4e85-8b74-6aa50e2f1b61
description: Detects suspicious inline VBScript keywords as used by UNC2452
status: experimental
references:
    - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth
date: 2021/03/05
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all: 
            - 'Execute'
            - 'CreateObject'
            - 'RegRead'
            - 'window.close'
            - '\Microsoft\Windows\CurrentVersion'
    filter:
        CommandLine|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high