cscli scenarios install sigmahq/proc_creation_win_lolbin_manage_bde1type: trigger2name: sigmahq/proc_creation_win_lolbin_manage_bde3description: |4 Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\wscript.exe' || evt.Parsed.OriginalFileName == 'wscript.exe') && evt.Parsed.CommandLine contains 'manage-bde.wsf' || (evt.Parsed.ParentImage endsWith '\\cscript.exe' || evt.Parsed.ParentImage endsWith '\\wscript.exe') && evt.Parsed.ParentCommandLine contains 'manage-bde.wsf' && not (evt.Parsed.Image endsWith '\\cmd.exe'))7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t12161516 label: "Potential Manage-bde.wsf Abuse To Proxy Execution"17 behavior : "windows:audit"18 remediation: false1920scope:21 type: ParentProcessId22 expression: evt.Parsed.ParentProcessId2324