Add VBS dropper pattern from recent AgentTesla campaign #5859
davidljohnson wants to merge 6 commits into SigmaHQ:master from
```yaml
    selection_startup:
        CommandLine|contains: '\Start Menu\Programs\Startup\'
    selection_ext:
        CommandLine|contains:
            - '.vbs'
            - '.vbe'
            - '.js'
            - '.jse'
            - '.wsf'
            - '.wsh'
    condition: selection_img and selection_startup and selection_ext
```
While we do not have a dedicated rule for this path, we have rules that cover exec for wscript/cscript in interesting folders that we can use.
- cea72823-df4d-4567-950c-0b579eaf0846
- a6a39bdb-935c-4f0a-ab77-35f4bbf44d33
- 1228c958-e64e-4e71-92ad-7d429f4138ba
@swachchhanda000, can you take a look at these and merge them while also including the PR author's addition?
Pull request overview
This PR aims to improve detection coverage for script-based droppers (notably recent AgentTesla-like patterns) by expanding existing Windows Sigma rules to match script interpreter execution and file writes from additional suspicious locations, including user Startup folders.
Changes:
- Expanded the existing WScript/CScript dropper rule to also cover mshta.exe, additional suspicious paths (incl. Startup), and additional script extensions.
- Broadened "script execution from env/suspicious folders" coverage to include Startup and more common user-profile subfolders.
- Refined the PowerShell temp-folder execution rule (scope, ATT&CK tag, and severity) and updated several rules' `modified` timestamps.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| rules/windows/process_creation/proc_creation_win_wscript_cscript_mshta_dropper.yml | Broadens script dropper execution detection (adds MSHTA, Startup path, more extensions/paths). |
| rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml | Extends suspicious-folder execution patterns to include Startup and more user-profile folders. |
| rules/windows/process_creation/proc_creation_win_powershell_script_exec_from_temp_folder.yml | Narrows to PowerShell only and updates ATT&CK tagging/severity and temp-folder patterns. |
| rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml | Broadens file-write detection scope (more locations and script extensions). |
| rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml | Adds .wsh extension coverage in the threat-hunting variant. |
Comments suppressed due to low confidence (5)
rules/windows/process_creation/proc_creation_win_wscript_cscript_mshta_dropper.yml:42 - `%LocalAppData%\Temp\` includes a trailing backslash, which will miss command lines that reference the environment variable without a trailing separator (e.g. `%LocalAppData%\Temp`). Other rules in this repo use `%LocalAppData%\Temp` without the trailing `\`; please align to that (or include both variants).
rules/windows/process_creation/proc_creation_win_wscript_cscript_mshta_dropper.yml:38 - PR description/changelog says this adds a new rule for Startup-folder script execution, but the implementation expands an existing rule ID (`cea72823-...`) and several unrelated existing rules. If the intent is a distinct detection for Startup-folder execution at logon, please add a dedicated new rule file (with a new UUID) rather than repurposing/broadening this existing dropper rule.
rules/windows/process_creation/proc_creation_win_powershell_script_exec_from_temp_folder.yml:4 - Title/description capitalization and grammar: the repo typically uses "PowerShell" (capital S), and the phrasing "a potentially suspicious powershell script executions" is ungrammatical. Please update to consistent capitalization and singular/plural wording (e.g., "Detects potentially suspicious PowerShell script execution(s) ...").
rules/windows/process_creation/proc_creation_win_wscript_cscript_mshta_dropper.yml:7 - The description says scripts are located in "user directories", but the detection paths include system-wide locations like "\Windows\Temp" and "\Perflogs". Please adjust the description to match the broader set of locations being monitored (or narrow the path list if user-only was intended).
rules/windows/process_creation/proc_creation_win_wscript_cscript_mshta_dropper.yml:39 - `selection_paths` contains both `\Windows\Temp\` and `\Windows\Temp`, which are redundant for a `CommandLine|contains` match and increase maintenance cost. Consider keeping just one canonical Windows Temp pattern (and similarly avoid duplicates in this list).
Thanks for the work enhancing the logic of the existing rules @nasbench and @swachchhanda000. I'll be sure to check more closely for overlapping rules next time. Appreciate the attribution as well.
Summary of the Pull Request
This rule detects the execution of scripts (.vbs, .vbe, .js, .jse, .wsf, .wsh) from user Startup folders via WScript or CScript. Existing rules cover the file drop to Startup folders (28208707) and WScript/CScript execution from Temp directories (cea72823), but there is currently no rule detecting the actual runtime execution of scripts from Startup folders at user logon.
This pattern was validated against a real AgentTesla sample ([JoeSandbox analysis](https://www.joesandbox.com/analysis/1864127/0/html)) where `beeish.vbs` is dropped into the Startup folder and executed via `WScript.exe` at logon to launch a staged payload from AppData.
Changelog
new: Script Execution From Startup Folder Via WScript/CScript
Example Log Event
N/A - new rule, not a false positive fix.
Fixed Issues
N/A
SigmaHQ Rule Creation Conventions
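The logic described in the summary above, and quoted in the review fragment (`selection_startup`, `selection_ext`, and the `condition`), evaluated over constructed process-creation events. This is an added example for this page, not SigmaHQ's code or the rule file from the PR. `selection_img` is not shown on the page and is assumed from the description (WScript/CScript, `Image|endswith`); the event records, the `alice` profile path and the `UPDATE.WSF` name are constructed, not taken from the sandbox report.

```python
"""Evaluate the Startup-folder script-execution logic over sample events.

Added example for this page, not SigmaHQ's code or the rule file from the PR.
selection_startup and selection_ext mirror the fragment quoted in the review;
selection_img is not shown on the page and is assumed from the PR description
(WScript/CScript). Events below are constructed, not real telemetry.
"""

# Sigma string modifiers (contains/endswith) compare case-insensitively.
SELECTION_IMG = ["\\wscript.exe", "\\cscript.exe"]  # Image|endswith (assumed)
SELECTION_STARTUP = ["\\Start Menu\\Programs\\Startup\\"]  # CommandLine|contains
SELECTION_EXT = [".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"]  # CommandLine|contains


def contains_any(value: str, needles: list[str]) -> bool:
    """Sigma `contains` with a list value: OR over the values, case-insensitive."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def endswith_any(value: str, needles: list[str]) -> bool:
    """Sigma `endswith` with a list value: OR over the values, case-insensitive."""
    v = value.lower()
    return any(v.endswith(n.lower()) for n in needles)


def evaluate(event: dict) -> dict:
    """Return each selection's result so a miss can be traced to the failing one."""
    cmd = event.get("CommandLine", "")
    return {
        "selection_img": endswith_any(event.get("Image", ""), SELECTION_IMG),
        "selection_startup": contains_any(cmd, SELECTION_STARTUP),
        "selection_ext": contains_any(cmd, SELECTION_EXT),
    }


def matches(event: dict) -> bool:
    """condition: selection_img and selection_startup and selection_ext"""
    return all(evaluate(event).values())


# Constructed per-user Startup folder (hypothetical profile "alice").
STARTUP = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"

# Constructed Sysmon-style process-creation events (not from the sandbox report).
EVENTS = [
    {   # 0: VBS launched from Startup at logon -> should fire
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "CommandLine": f'"C:\\Windows\\System32\\WScript.exe" "{STARTUP}\\beeish.vbs"',
    },
    {   # 1: cscript, upper-cased path, .wsf -> should fire (matching is case-insensitive)
        "Image": "C:\\Windows\\SysWOW64\\cscript.exe",
        "CommandLine": f'cscript.exe //nologo "{STARTUP.upper()}\\UPDATE.WSF"',
    },
    {   # 2: same script run from Temp -> not this rule (Temp-folder rules cover it)
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "CommandLine": '"C:\\Windows\\System32\\WScript.exe" "C:\\Users\\alice\\AppData\\Local\\Temp\\beeish.vbs"',
    },
    {   # 3: the drop into Startup, not execution -> file-event rule territory, img fails
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": f'cmd.exe /c copy C:\\Users\\alice\\AppData\\Local\\Temp\\beeish.vbs "{STARTUP}\\"',
    },
    {   # 4: wscript pointed at Startup but with a non-script extension -> ext fails
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "CommandLine": f'wscript.exe "{STARTUP}\\readme.txt"',
    },
]


def matching_indices(events=EVENTS) -> list[int]:
    """Indices of events that satisfy the full condition."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for i, e in enumerate(EVENTS):
        print(i, matches(e), evaluate(e))
```

`evaluate` is kept separate from `matches` so that a non-firing event can be traced to the selection that failed, which is what you want when tuning: event 3 shows that the file copy into Startup carries both the path and the `.vbs` extension and is excluded only by `selection_img`, consistent with the summary's point that the drop and the execution are different rules. The trailing backslash on `\Start Menu\Programs\Startup\` is safe here because an execution command line always names a file beneath that folder; the Copilot note about `%LocalAppData%\Temp\` concerns the different case of an environment variable referenced on its own.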