The hypothesis is that the detection of newly created files resulting from executing a built-in reconnaissance script indicates an adversary is gathering network information to map the environment. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify potential reconnaissance activities early and prevent further exploitation.
Detection Rule
title: GatherNetworkInfo.VBS Reconnaissance Script Output
id: f92a6f1e-a512-4a15-9735-da09e78d7273
related:
- id: 575dce0c-8139-4e30-9295-1ee75969f7fe # ProcCreation LOLBIN
type: similar
- id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp
type: similar
status: test
description: Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
references:
- https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
- https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
- attack.discovery
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|startswith: 'C:\Windows\System32\config'
TargetFilename|endswith:
- '\Hotfixinfo.txt'
- '\netiostate.txt'
- '\sysportslog.txt'
- '\VmSwitchLog.evtx'
condition: selection
falsepositives:
- Unknown
level: medium
imFileEvent
| where TargetFileName startswith "C:\\Windows\\System32\\config" and (TargetFileName endswith "\\Hotfixinfo.txt" or TargetFileName endswith "\\netiostate.txt" or TargetFileName endswith "\\sysportslog.txt" or TargetFileName endswith "\\VmSwitchLog.evtx")Scenario: System Update Scheduled Job
Description: A legitimate scheduled job runs a script to gather system information as part of a routine update process.
Filter/Exclusion: Exclude files created by the Update.exe or WindowsUpdate service, or filter based on the presence of Update in the file name or path.
Scenario: Admin Task for Inventory Collection
Description: An administrator uses a script (e.g., PsInventory.ps1) to collect system information for asset management purposes.
Filter/Exclusion: Exclude files created by scripts located in the C:\Windows\System32\ directory or those with a known admin tool signature like PsInventory.
Scenario: PowerShell Script for Network Discovery
Description: A PowerShell script (e.g., Get-NetFirewallRule, Test-NetConnection) is used to gather network configuration data.
Filter/Exclusion: Exclude files with .ps1 extensions or those executed from the C:\Windows\System32\WindowsPowerShell\v1.0\ directory.
Scenario: Third-Party Compliance Tool Execution
Description: A third-party tool (e.g., Splunk, SolarWinds) runs a script to gather network information for compliance reporting.
Filter/Exclusion: Exclude files created by known compliance tools or those with the tool’s executable name in the file path.
Scenario: User-Initiated System Information Request
Description: A user runs a script (e.g., systeminfo.exe) to check system details for troubleshooting.
Filter/Exclusion: Exclude files created by systeminfo.exe or those with the systeminfo keyword in the file name or command line.