WScript or CScript Dropper - File

Original Source: [Sigma source]
Title: WScript or CScript Dropper - File
Status: test
Description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
References:
  - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
Author: Tim Shelton
Date: 2022-01-10
Modified: 2022-12-02
Tags:
  • attack.execution
  • attack.t1059.005
  • attack.t1059.007
Logsource:
  • category: file_event
  • product: windows
Detection:
  selection:
    Image|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
    TargetFilename|startswith:
      - 'C:\Users\'
      - 'C:\ProgramData'
    TargetFilename|endswith:
      - '.jse'
      - '.vbe'
      - '.js'
      - '.vba'
      - '.vbs'
  condition: selection
Falsepositives:
  - Unknown
Level: high