Remote Session Script Exploitation

Last updated on:

About the rule

Rule Type

Advanced

Rule Description

This rule correlates VPN login events (from SIEM logs) with subsequent script engine executions (from EDR telemetry), where the script activity is allowed by AV but involves potentially abused tools like: wscript, cscript and mshta

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "Network VPN Logon Success" Action2: actionname = "Advanced Threat detected" AND (STATUS = "avc_allowed" AND COMMANDLINE contains "wscript,mshta,cscript") AND ENDPOINT_NAME = Action1.HOSTNAME AND USERNAME = Action1.USERNAME sequence:Action1 followedby Action2 within 60m select Action1.HOSTNAME,Action1.USERNAME,Action1.SOURCE_IP,Action1.REMOTEHOST,Action1.REMOTE_IP,Action1.SOURCE_COUNTRY,Action2.HOSTNAME,Action2.ENDPOINT_NAME,Action2.TYPE,Action2.STATUS,Action2.FILEPATH,Action2.USERNAME,Action2.PROCESSNAME,Action2.COMMANDLINE,Action2.DOMAIN

Detection

Execution Mode

realtime

Log Sources

Bitdefender