Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS

Rule Info

Name
Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
Reference
https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
Date
2023-02-08 00:00:00
Modified
None
Id
07aa184a-870d-413d-893a-157f317f6f58
Tags
attack.discovery attack.execution attack.t1615 attack.t1059.005
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=07aa184a-870d-413d-893a-157f317f6f58

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
Nasreddine Bencherchali
fix: remove duplicate title
2023-02-08
c060127e6
Nasreddine Bencherchali
feat: updates and enhancements
2023-02-08
071763467
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022