Skip to content

MISP galaxy

Be8d1032 3452 4d44 83cb c7ece7d5a052

MISP galaxy

Home
Statistics
360net
360net
- 360.net Threat Actors
Ammunitions
Ammunitions
- Ammunitions
Android
Android
- Android
Atrm
Atrm
- Azure Threat Research Matrix
Attck4fraud
Attck4fraud
- attck4fraud
Backdoor
Backdoor
- Backdoor
Banker
Banker
- Banker
Bhadra framework
Bhadra framework
- Bhadra Framework
Botnet
Botnet
- Botnet
Branded vulnerability
Branded vulnerability
- Branded Vulnerability
Cancer
Cancer
- Cancer
Cert eu govsector
Cert eu govsector
- Cert EU GovSector
China defence universities
China defence universities
- China Defence Universities Tracker
Cmtmf attack pattern
Cmtmf attack pattern
- CONCORDIA Mobile Modelling Framework - Attack Pattern
Country
Country
- Country
Cryptominers
Cryptominers
- Cryptominers
Disarm actortypes
Disarm actortypes
- Actor Types
Disarm countermeasures
Disarm countermeasures
- Countermeasures
Disarm detections
Disarm detections
- Detections
Disarm techniques
Disarm techniques
- Techniques
Election guidelines
Election guidelines
- Election guidelines
Exploit kit
Exploit kit
- Exploit-Kit
Firearms
Firearms
- Firearms
First dns
First dns
- FIRST DNS Abuse Techniques Matrix
Handicap
Handicap
- Handicap
Intelligence agencies
Intelligence agencies
- Intelligence Agencies
Interpol dwva
Interpol dwva
- INTERPOL DWVA Taxonomy
Malpedia
Malpedia
- Malpedia
Microsoft activity group
Microsoft activity group
- Microsoft Activity Group actor
Misinfosec amitt misinformation pattern
Misinfosec amitt misinformation pattern
- Misinformation Pattern
Mitre atlas attack pattern
Mitre atlas attack pattern
- MITRE ATLAS Attack Pattern
Mitre atlas course of action
Mitre atlas course of action
- MITRE ATLAS Course of Action
Mitre attack pattern
Mitre attack pattern
- Attack Pattern
Mitre course of action
Mitre course of action
- Course of Action
Mitre data component
Mitre data component
- mitre-data-component
Mitre data source
Mitre data source
- mitre-data-source
Mitre ics assets
Mitre ics assets
- Assets
Mitre ics groups
Mitre ics groups
- Groups
Mitre ics levels
Mitre ics levels
- Levels
Mitre ics software
Mitre ics software
- Software
Mitre ics tactics
Mitre ics tactics
- Tactics
Mitre ics techniques
Mitre ics techniques
- Techniques
Mitre intrusion set
Mitre intrusion set
- Intrusion Set
Mitre malware
Mitre malware
- Malware
Mitre tool
Mitre tool
- mitre-tool
Naics
Naics
- NAICS
O365 exchange techniques
O365 exchange techniques
- o365-exchange-techniques
Online service
Online service
- online-service
Preventive measure
Preventive measure
- Preventive Measure
Producer
Producer
- Producer
Ransomware
Ransomware
- Ransomware
Rat
Rat
- RAT
Region
Region
- Regions UN M49
Rsit
Rsit
- rsit
Sector
Sector
- Sector
Sigma rules
Sigma rules
- Sigma-Rules
Social dark patterns
Social dark patterns
- Dark Patterns
Sod matrix
Sod matrix
- SoD Matrix
Stealer
Stealer
- Stealer
Surveillance vendor
Surveillance vendor
- Surveillance Vendor
Target information
Target information
- Target Information
Tds
Tds
- TDS
Tea matrix
Tea matrix
- Tea Matrix
Threat actor
Threat actor
- Threat Actor
Tidal campaigns
Tidal campaigns
- Tidal Campaigns
Tidal groups
Tidal groups
- Tidal Groups
Tidal references
Tidal references
- Tidal References
Tidal software
Tidal software
- Tidal Software
Tidal tactic
Tidal tactic
- Tidal Tactic
Tidal technique
Tidal technique
- Tidal Technique
Tmss
Tmss
- Threat Matrix for storage services
Tool
Tool
- Tool
Uavs
Uavs
- UAVs/UCAVs
Ukhsa culture collections
Ukhsa culture collections
- UKHSA Culture Collections

Hide Navigation Hide TOC

Wscript (be8d1032-3452-4d44-83cb-c7ece7d5a052)

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to execute scripts

Author: Oddvar Moe

Paths: * C:\Windows\System32\wscript.exe * C:\Windows\SysWOW64\wscript.exe

Resources: * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

Detection: * Sigma: proc_creation_win_wscript_cscript_script_exec.yml * Sigma: file_event_win_net_cli_artefact.yml * Sigma: image_load_susp_script_dotnet_clr_dll_load.yml * Elastic: defense_evasion_unusual_dir_ads.toml * Elastic: command_and_control_remote_file_copy_scripts.toml * Elastic: defense_evasion_suspicious_managedcode_host_process.toml * Splunk: wscript_or_cscript_suspicious_child_process.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Wscript.exe executing code from alternate data streams * IOC: DotNet CLR libraries loaded into wscript.exe * IOC: DotNet CLR Usage Log - wscript.exe.log^{[Wscript.exe - LOLBAS Project]}

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Lazarus Group (0bc66e95-de93-4de7-b415-4041b7191f08)	Tidal Groups	Wscript (be8d1032-3452-4d44-83cb-c7ece7d5a052)	Tidal Software	1
Ember Bear (407274be-1820-4a84-939e-629313f4de1d)	Tidal Groups	Wscript (be8d1032-3452-4d44-83cb-c7ece7d5a052)	Tidal Software	1