Sigma rules for CVE-2020-8100
2 rules · scoped to cve · back to CVE-2020-8100
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious PowerShell Invocation From Script Engines
id: 95eadcb2-92e4-4ed1-9031-92547773a6db
status: test
description: Detects suspicious powershell invocations from interpreters or unusual programs
references:
- https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2023-01-05
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\wscript.exe'
- '\cscript.exe'
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
filter_health_service:
CurrentDirectory|contains: '\Health Service State\'
condition: selection and not 1 of filter_*
falsepositives:
- Microsoft Operations Manager (MOM)
- Other scripts
level: medium
title: MMC Loading Script Engines DLLs
id: a9c73e8b-3b2d-4c45-8ef2-5f9a9c9998ad
status: experimental
description: |
Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt
to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
references:
- https://tria.ge/241015-l98snsyeje/behavioral2
- https://www.elastic.co/security-labs/grimresource
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.execution
- attack.stealth
- attack.t1059.005
- attack.t1218.014
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\mmc.exe'
ImageLoaded|endswith:
- '\vbscript.dll'
- '\jscript.dll'
- '\jscript9.dll'
condition: selection
falsepositives:
- Legitimate MMC operations or extensions loading these libraries
level: medium