
GatherNetworkInfo.VBS Reconnaissance Script Output

Summary
This detection rule identifies files created by the built-in Windows reconnaissance script at "C:\Windows\System32\gatherNetworkInfo.vbs". Attackers often run this script to collect network-related information during the reconnaissance phase of an intrusion. The rule triggers on a file event whose target filename begins with "C:\Windows\System32\config" and ends with one of the file names the script writes: Hotfixinfo.txt, netiostate.txt, sysportslog.txt, or VmSwitchLog.evtx. It applies to Windows systems and relies on file event logs, since the appearance of these output files may indicate a breach or unauthorized scanning of the network environment. Its purpose is to alert security teams to possible reconnaissance activity that may precede a more serious attack, so that they can respond proactively.
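To show how the startswith/endswith conditions above behave on real-looking telemetry, the following Python applies them to constructed Sysmon FileCreate-style records; this is added example code, not the rule itself or code from the Sigma project, and the `TargetFilename` field name and the sample events are assumptions. Matching is case-insensitive, which is Sigma's default for string comparisons.

```python
"""Apply the rule's file-name conditions to constructed file-creation events."""
from typing import Iterable

# Values taken from the rule described above.
PATH_PREFIX = r"C:\Windows\System32\config"
OUTPUT_FILES = ("Hotfixinfo.txt", "netiostate.txt", "sysportslog.txt", "VmSwitchLog.evtx")


def matches_rule(target_filename: str) -> bool:
    """Return True when the path satisfies the rule's startswith and endswith
    conditions. Sigma compares strings case-insensitively by default, so both
    sides are lower-cased before comparison."""
    name = target_filename.lower()
    return name.startswith(PATH_PREFIX.lower()) and name.endswith(
        tuple(f.lower() for f in OUTPUT_FILES)
    )


def find_hits(events: Iterable[dict]) -> list[dict]:
    """Return the file-creation events whose TargetFilename matches the rule."""
    return [e for e in events if matches_rule(e.get("TargetFilename", ""))]


# Constructed Sysmon Event ID 11 (FileCreate) style records (assumed field names).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\cscript.exe",
     "TargetFilename": r"C:\Windows\System32\config\netiostate.txt"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cscript.exe",
     "TargetFilename": r"C:\Windows\System32\config\VmSwitchLog.evtx"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cscript.exe",
     "TargetFilename": r"C:\Windows\System32\config\HOTFIXINFO.TXT"},  # case differs, still a hit
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\netiostate.txt"},  # right name, wrong directory
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\config\SYSTEM"},  # registry hive, not an output file
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT gatherNetworkInfo.vbs output:", hit["TargetFilename"])
```

The last two sample records show the two ways a benign write to a similarly named file is excluded: the prefix check rejects files outside the config directory, and the suffix check rejects other files inside it.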
Categories
  • Windows
  • Endpoint
Data Sources
  • File
Created: 2023-02-08