Rule Info
Name
Cscript/Wscript Potentially Suspicious Child Process
Author
Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
Description
Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.
Malware such as Pikabot and Qakbot, as well as many others, has been seen using similar techniques.
Reference
Internal Research
Date
2023-05-15 00:00:00
Modified
2024-01-02 00:00:00
Id
b6676963-0353-4f88-90f5-36c20d443c6a
Tags
attack.execution DEMO
Type
Community Rule
Link to Public Repo