Remote Session Script Exploitation
Last updated on:
In this page
About the rule
Rule Type
Advanced
Rule Description
This rule correlates VPN login events (from SIEM logs) with subsequent script engine executions (from EDR telemetry), where the script activity is allowed by AV but involves potentially abused tools like: wscript, cscript and mshta
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Network VPN Logon Success"
Action2:
actionname = "Advanced Threat detected" AND (STATUS = "avc_allowed" AND COMMANDLINE contains "wscript,mshta,cscript") AND ENDPOINT_NAME = Action1.HOSTNAME AND USERNAME = Action1.USERNAME
sequence:Action1 followedby Action2 within 60m
select Action1.HOSTNAME,Action1.USERNAME,Action1.SOURCE_IP,Action1.REMOTEHOST,Action1.REMOTE_IP,Action1.SOURCE_COUNTRY,Action2.HOSTNAME,Action2.ENDPOINT_NAME,Action2.TYPE,Action2.STATUS,Action2.FILEPATH,Action2.USERNAME,Action2.PROCESSNAME,Action2.COMMANDLINE,Action2.DOMAIN
Detection
Execution Mode
realtime
Log Sources
Bitdefender


