The detection identifies a potentially malicious VBScript file being dropped by an adversary, which could be used for initial access or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats before they escalate.
YARA Rule
```yara
rule MiniDionis_VBS_Dropped
{
    meta:
        description = "Dropped File - 1.vbs"
        author = "Florian Roth"
        reference = "https://malwr.com/analysis/ZDc4ZmIyZDI4MTVjNGY5NWI0YzE3YjIzNGFjZTcyYTY/"
        date = "2015-07-21"
        hash = "97dd1ee3aca815eb655a5de9e9e8945e7ba57f458019be6e1b9acb5731fa6646"
    strings:
        $s1 = "Wscript.Sleep 5000" ascii
        $s2 = "Set FSO = CreateObject(\"Scripting.FileSystemObject\")" ascii
        $s3 = "Set WshShell = CreateObject(\"WScript.Shell\")" ascii
        $s4 = "If(FSO.FileExists(\"" ascii
        $s5 = "then FSO.DeleteFile(\".\\" ascii
    condition:
        filesize < 1KB and all of them and $s1 in (0..40)
}
```
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
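To show how the three clauses of the condition interact (size limit, all five strings, and the `$s1` offset window), here is an added pure-Python re-implementation of the rule's logic for offline triage. It is not part of the original page or the rule author's tooling; the sample inputs are constructed, inert test fixtures rather than real dropped files.

```python
# Added example: re-implements the MiniDionis_VBS_Dropped condition without the
# yara library so each clause can be inspected separately during triage.

# The five ascii strings from the rule, as raw bytes (YARA escapes resolved).
PATTERNS = {
    "s1": b"Wscript.Sleep 5000",
    "s2": b'Set FSO = CreateObject("Scripting.FileSystemObject")',
    "s3": b'Set WshShell = CreateObject("WScript.Shell")',
    "s4": b'If(FSO.FileExists("',
    "s5": b'then FSO.DeleteFile(".\\',
}
MAX_SIZE = 1024        # filesize < 1KB
S1_WINDOW = (0, 40)    # $s1 in (0..40): an $s1 match must start at offset 0..40


def triage(data: bytes) -> dict:
    """Evaluate each clause of the condition and report why it did or did not fire."""
    missing = [name for name, pat in PATTERNS.items() if pat not in data]
    s1_offset = data.find(PATTERNS["s1"])   # earliest occurrence, -1 if absent
    s1_in_window = S1_WINDOW[0] <= s1_offset <= S1_WINDOW[1]
    size_ok = len(data) < MAX_SIZE
    return {
        "size": len(data),
        "size_ok": size_ok,
        "missing": missing,
        "s1_offset": s1_offset,
        "match": size_ok and not missing and s1_in_window,
    }


def matches_minidionis_vbs(data: bytes) -> bool:
    """True when the file would satisfy the YARA rule's full condition."""
    return triage(data)["match"]


# Constructed fixtures (inert): a hit, a near-miss where the Sleep line sits
# past offset 40, and an oversized file that fails the filesize clause.
_BODY = (
    b"Wscript.Sleep 5000\r\n"
    b'Set FSO = CreateObject("Scripting.FileSystemObject")\r\n'
    b'Set WshShell = CreateObject("WScript.Shell")\r\n'
    b'If(FSO.FileExists(".\\placeholder.tmp")) then FSO.DeleteFile(".\\placeholder.tmp")\r\n'
)
SAMPLE_HIT = b"On Error Resume Next\r\n" + _BODY          # $s1 at offset 22
SAMPLE_LATE_SLEEP = b"' " + b"x" * 60 + b"\r\n" + _BODY   # $s1 at offset 64
SAMPLE_OVERSIZED = SAMPLE_HIT + b"' " + b"A" * 1100 + b"\r\n"

if __name__ == "__main__":
    for name, blob in [("hit", SAMPLE_HIT), ("late", SAMPLE_LATE_SLEEP), ("big", SAMPLE_OVERSIZED)]:
        print(name, triage(blob))
```

The `$s1 in (0..40)` clause is what makes the rule tight: a file containing all five strings still does not match if the Sleep call is not near the start, so triage output should always report the offset alongside the missing-string list.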
Scenario: A system administrator is using PowerShell to automate a routine task that involves creating a .vbs file as part of a script deployment.
Filter/Exclusion: Exclude files created by PowerShell scripts with a known execution context (e.g., ProcessName = "powershell.exe" and ParentProcessName in ("explorer.exe", "svchost.exe")).
Scenario: A scheduled task runs a legitimate .vbs script to perform system maintenance, such as log cleanup or registry updates.
Filter/Exclusion: Exclude files created by scheduled tasks with a known task name (e.g., TaskName = "System Maintenance Task" or TaskName = "Log Cleanup").
Scenario: A remote desktop session (RDP) is used to execute a .vbs script on a remote machine for configuration purposes.
Filter/Exclusion: Exclude files created from RDP sessions by checking the RemoteAddress field or the ParentProcessName = "mstsc.exe".
Scenario: A software deployment tool (e.g., Microsoft Endpoint Configuration Manager or SCCM) generates temporary .vbs files during package installation.
Filter/Exclusion: Exclude files created by known deployment tools (e.g., ProcessName = "smsts.exe" or ProcessName = "ccmexec.exe").
Scenario: A third-party application (e.g., Microsoft Excel or Outlook) generates a .vbs file as part of its normal operation, such as macro execution.
Filter/Exclusion: Exclude files created by known applications (e.g., ProcessName = "excel.exe" or ProcessName = "outlook.exe") or filter by file creation context (e.g., `FileCreationContext = "application-generated"`).