title: Script Initiated Connection
id: 08249dc0-a28d-4555-8ba5-9255a198e08c
status: experimental
description: Detects a script interpreter (wscript/cscript) opening a network connection. Adversaries may use scripts to download malicious payloads.
author: frack113
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
date: 2022/08/28
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
    condition: selection
falsepositives:
    - Legitimate scripts
level: medium
tags:
    - attack.command_and_control
    - attack.t1105