Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS

Hunt Hypothesis

Detects execution of the built-in script located in “C:\Windows\System32\gatherNetworkInfo.vbs”. Which can be used to gather information about the target machine

Detection Rule

Sigma (Original)

title: Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
id: 07aa184a-870d-413d-893a-157f317f6f58
related:
    - id: f92a6f1e-a512-4a15-9735-da09e78d7273 # FileCreate
      type: similar
    - id: 575dce0c-8139-4e30-9295-1ee75969f7fe # ProcCreation LOLBIN
      type: similar
status: test
description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
references:
    - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
    - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
    - attack.discovery
    - attack.execution
    - attack.t1615
    - attack.t1059.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'gatherNetworkInfo.vbs'
    filter:
        Image|endswith:
            - '\cscript.exe'
            - '\wscript.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessCommandLine contains "gatherNetworkInfo.vbs" and (not((TargetProcessName endswith "\\cscript.exe" or TargetProcessName endswith "\\wscript.exe")))

Required Data Sources

False Positive Guidance

• Unknown

MITRE ATT&CK Context

• Tactic: Discovery
• Tactic: Execution
• Technique: T1615 — T1615
• Technique: T1059.005 — T1059.005

References

• https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
• https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
• SigmaHQ Rule