Cscript/Wscript Potentially Suspicious Child Process

Rule Info

Name: Cscript/Wscript Potentially Suspicious Child Process
Author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
Description: Detects potentially suspicious child processes of Wscript/Cscript. These include rundll32 invoked with uncommon exports, and PowerShell spawning rundll32 or regsvr32. Malware families such as Pikabot and Qakbot, among many others, have been seen using these techniques.
Reference: Internal Research
Date: 2023-05-15
Modified: 2024-01-02
Id: b6676963-0353-4f88-90f5-36c20d443c6a
Tags: attack.execution DEMO
Type: Community Rule
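The description above names two child-process patterns under a wscript.exe/cscript.exe parent: rundll32 called with an export that is not one of the usual ones, and PowerShell whose command line invokes rundll32 or regsvr32. The following Python is an added illustration of that logic run over constructed process-creation events; it is not the Sigma rule's own selection and filter blocks, and the allowlist of "common" rundll32 exports, the rundll32 command-line parser and the sample events are assumptions made here for the example.

```python
import re
from typing import Optional

# Parent processes the rule is scoped to (taken from the rule description).
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")

# ASSUMPTION: an illustrative allowlist of rundll32 exports that legitimate
# scripts routinely call. This is not the Sigma rule's filter; tune it to
# what your own baseline shows.
COMMON_RUNDLL32_EXPORTS = {
    "control_rundll",        # shell32.dll,Control_RunDLL <applet>.cpl
    "printuientry",          # printui.dll,PrintUIEntry
    "installhinfsection",    # setupapi.dll,InstallHinfSection
    "launchinfsection",      # advpack.dll,LaunchINFSection
}

# rundll32 syntax: rundll32[.exe] <dll>,<export> [args]
# Both the image and the DLL path may be quoted, and the export may be an
# ordinal such as "#1".
RUNDLL32_EXPORT_RE = re.compile(
    r'^(?:"[^"]*"|\S+)\s+(?:"[^"]*"|[^\s,]+)\s*,\s*(#?\w+)'
)


def rundll32_export(cmdline: str) -> Optional[str]:
    """Return the export name rundll32 was asked to call, or None if absent."""
    m = RUNDLL32_EXPORT_RE.match(cmdline.strip())
    return m.group(1) if m else None


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate_event(event: dict) -> Optional[str]:
    """Apply the described logic to one process_creation event.

    Returns a short reason string when the event matches, else None.
    """
    parent = event.get("ParentImage", "").lower()
    if not parent.endswith(SCRIPT_HOSTS):
        return None
    child = image_name(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")

    if child == "rundll32.exe":
        export = rundll32_export(cmdline)
        if export is None:
            return None  # no <dll>,<export> pair; not covered by this check
        if export.lower() not in COMMON_RUNDLL32_EXPORTS:
            return f"rundll32 with uncommon export '{export}'"
        return None

    if child in ("powershell.exe", "pwsh.exe"):
        lowered = cmdline.lower()
        for lolbin in ("rundll32", "regsvr32"):
            if lolbin in lowered:
                return f"PowerShell invoking {lolbin}"
    return None


def run_detection(events):
    """Return (index, reason) for every matching event."""
    hits = []
    for i, ev in enumerate(events):
        reason = evaluate_event(ev)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample events (not real telemetry). Field names follow the
# Sigma process_creation schema: ParentImage, Image, CommandLine.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\trades.dll,Enter"},
    {"ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"},
    {"ParentImage": r"C:\Windows\SysWOW64\wscript.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\Public\Neon.dll",#1'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -nop -w hidden -c "regsvr32 /s C:\Users\Public\upd.ocx"'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\trades.dll,Enter"},
]

if __name__ == "__main__":
    for i, reason in run_detection(SAMPLE_EVENTS):
        print(f"event {i}: {reason}")
```

Events 0, 2 and 3 match (a user-writable DLL with an unknown export, an ordinal export, and PowerShell wrapping regsvr32); event 1 is filtered by the export allowlist, event 4 is a child the description does not cover, and event 5 has the wrong parent. The export allowlist is the piece that needs local tuning: too short and every Control Panel applet launched from a logon script alerts, too long and the ordinal and single-word exports that loaders favour slip through.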

Rule History

Author                  | Title                                                                                                    | Date       | Commit
ahouspan                | Merge PR #4650 from @ahouspan - Process Creation Cmdline Matches Patterns Observed in Pikabot Infections | 2024-01-10 |
Nasreddine Bencherchali | feat: multiple updates and new rules (#4242)                                                             | 2023-05-17 |