34 lines
1.0 KiB
YAML
34 lines
1.0 KiB
YAML
|
|
title: Suspicious Usage of the Manage-bde.wsf Script
|
|
ruletype: Sigma
|
|
author: oscd.community, Natalia Shornikova
|
|
date: 2020/10/13
|
|
description: Detects a usage of the manage-bde.wsf script that may indicate an attempt
|
|
of proxy execution from script
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 1
|
|
SELECTION_2:
|
|
CommandLine: '*cscript*'
|
|
SELECTION_3:
|
|
CommandLine: '*manage-bde.wsf*'
|
|
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
|
|
falsepositives:
|
|
- Unknown
|
|
id: c363385c-f75d-4753-a108-c1a8e28bdbda
|
|
level: medium
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
modified: 2021/05/21
|
|
references:
|
|
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Manage-bde.yml
|
|
- https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
|
|
- https://twitter.com/bohops/status/980659399495741441
|
|
- https://twitter.com/JohnLaTwC/status/1223292479270600706
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md
|
|
status: experimental
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1216
|