From aa1824838fb16f8d52d219f6b0ebc3dadcfbfa97 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9D=D0=B0=D1=82=D0=B0=D0=BB=D1=8C=D1=8F=20=D0=A8=D0=BE?=
 =?UTF-8?q?=D1=80=D0=BD=D0=B8=D0=BA=D0=BE=D0=B2=D0=B0?=
Date: Thu, 15 Oct 2020 17:59:43 +0300
Subject: [PATCH] Adding win_manage-bde_lolbas.yml Rule

---
 .../win_manage-bde_lolbas.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/windows/process_creation/win_manage-bde_lolbas.yml

diff --git a/rules/windows/process_creation/win_manage-bde_lolbas.yml b/rules/windows/process_creation/win_manage-bde_lolbas.yml
new file mode 100644
index 000000000..3dcdeac85
--- /dev/null
+++ b/rules/windows/process_creation/win_manage-bde_lolbas.yml
@@ -0,0 +1,25 @@
+title: Suspicious Usage of the Manage-bde.wsf Script
+id: c363385c-f75d-4753-a108-c1a8e28bdbda
+description: Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script
+status: experimental
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Manage-bde.yml
+ - https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
+ - https://twitter.com/bohops/status/980659399495741441
+ - https://twitter.com/JohnLaTwC/status/1223292479270600706
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+date: 2020/10/13
+author: oscd.community, Natalia Shornikova
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Commandline|contains|all:
+ - 'cscript'
+ - 'manage-bde.wsf'
+ condition: selection
+falsepositives: Unknown
+level: medium
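Review bot: The selection key in the detection block is spelled `Commandline`, but the Sigma process_creation field set uses `CommandLine`; field names are matched case-sensitively in the backend field mappings, so this rule would likely either fail to convert or be translated into a query against a field that does not exist, and the line should read `CommandLine|contains|all:`. `falsepositives: Unknown` is written as a scalar where the rest of this directory uses a list; `falsepositives:` followed by `    - Unknown` keeps it consistent with the other rules and with the validation tests. Matching only on `cscript` plus `manage-bde.wsf` will presumably also fire on an administrator running the script legitimately, so the false-positive entry should at least name legitimate BitLocker administration rather than "Unknown", or the level should be justified in the description.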