title: Suspicious Runscripthelper.exe
id: eca49c87-8a75-4f13-9c73-a5a29e845f03
status: experimental
description: Detects execution of powershell scripts via Runscripthelper.exe
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runscripthelper.yml
author: Victor Sergeev, oscd.community
date: 2020/10/09
logsource:
    category: process_creation
    product: windows
detection:
    image_path:
        Image|endswith: '\Runscripthelper.exe'
    cmd:
        CommandLine|contains: 'surfacecheck'
    condition: image_path and cmd
fields:
    - CommandLine
tags:
    - attack.execution
    - attack.t1059
    - attack.defense_evasion
    - attack.t1202
falsepositives:
    - Unknown
level: medium