detection.wiki

Detection rules › Sigma

VBScript Payload Stored in Registry

Severity
high
Author
Florian Roth (Nextron Systems)
Source
upstream

Detects VBScript content stored into registry keys as seen being used by UNC2452 group

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege EscalationT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Event coverage

ProviderEvent IDTitle
Sysmon13RegistryEvent (Value Set)

Stages and Predicates

Stage 1: selection

or:
Details|contains: CreateObject
Details|contains: 'Execute('
Details|contains: RunHTMLApplication
Details|contains: 'jscript:'
Details|contains: 'mshtml,'
Details|contains: 'vbscript:'
Details|contains: window.close
TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion'

Stage 2: not 1 of filter*

or:
or:
Details|contains: '<\Microsoft.mshtml,culture='
Details|contains: '<\Microsoft.mshtml,fileVersion='
Details|contains: '\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll'
Details|contains: _mshtml_dll_
Image|endswith: '\msiexec.exe'
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\'
TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Detailsmatch
  • <\Microsoft.mshtml,culture=
  • <\Microsoft.mshtml,fileVersion=
  • CreateObject
  • Execute(
  • RunHTMLApplication
  • \Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll
  • _mshtml_dll_
  • jscript:
  • mshtml,
  • vbscript:
  • window.close
Imageends_with
  • \msiexec.exe corpus 21 (sigma 21)
TargetObjectmatch
  • Software\Microsoft\Windows\CurrentVersion
  • Software\Microsoft\Windows\CurrentVersion\Run
  • \SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\