title: WMIExec VBS Script
author: Florian Roth
date: 2017/04/07
description: Detects suspicious file execution by wscript and cscript
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image: '*\cscript.exe'
  SELECTION_3:
    CommandLine: '*.vbs*'
  SELECTION_4:
    CommandLine: '*/shell*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unlikely
fields:
- CommandLine
- ParentCommandLine
id: 966e4016-627f-44f7-8341-f394905c361f
level: critical
logsource:
  category: process_creation
  product: windows
references:
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
status: experimental
tags:
- attack.execution
- attack.g0045
- attack.t1064
- attack.t1059.005