Mandiant on Windows Scripting Host

Mandiant has a great post on their blog discussing some attempts by malware to maintain persistence on a host through utilization of the Windows Scripting Host (WSH) and startup folder:

In this recent case, we identified a novel technique that indirectly loads malicious scripts by means of LNK files in a user’s start-up folder. The LNK file was designed to invoke the Windows scripting host (WSH). The WSH comes in both a GUI version, “wscript.exe”, and a command-line version, “cscript.exe”. The WSH can interpret Visual Basic scripts, commonly denoted by the file extension “.vbs”, and JScripts (Microsoft’s implementation of JavaScript), commonly denoted by the file extension “.js”. The malicious LNK file invoked “wscript.exe” to interpret a JScript file stored within a specific user’s profile.
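One way a defender can hunt for the pattern Mandiant describes (a shortcut in a Startup folder that runs wscript.exe or cscript.exe against a .js/.vbs file) is to read each .lnk file's embedded strings and flag those that name a script host. The script below is an added example, not code from Mandiant or this blog. It assumes only that the shortcut's target and arguments are stored as plain ASCII (in the shell item ID list) or UTF-16LE (in the StringData section), so it extracts both kinds of strings rather than parsing the full MS-SHLLINK structure; the two sample shortcuts are constructed byte strings, not real files. The file paths, user name and script name in them are placeholders.

```python
"""Flag Startup-folder .lnk files that launch wscript.exe/cscript.exe on a script.

Added example; not from the Mandiant post or its author. Heuristic: pull
ASCII and UTF-16LE strings out of the shortcut and look for a WSH host
binary and a script-file extension, instead of fully parsing MS-SHLLINK.
"""
import os
import re
from pathlib import Path

# Every Shell Link file starts with HeaderSize 0x4C followed by the ShellLink
# CLSID {00021401-0000-0000-C000-000000000046}, stored little-endian.
LNK_MAGIC = (
    b"\x4c\x00\x00\x00"
    b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
)

# Printable runs of at least four characters, narrow (ASCII) and wide (UTF-16LE).
ASCII_STR = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_STR = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# The two WSH hosts named in the post, and the script extensions WSH interprets.
HOST_RE = re.compile(r"\b[wc]script\.exe\b", re.IGNORECASE)
SCRIPT_RE = re.compile(r"[^\s\"]+\.(?:js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)


def extract_strings(data: bytes) -> list[str]:
    """Return the printable ASCII and UTF-16LE strings found in a byte blob."""
    found = [m.group(0).decode("ascii") for m in ASCII_STR.finditer(data)]
    found += [m.group(0).decode("utf-16-le") for m in WIDE_STR.finditer(data)]
    return found


def analyze_lnk_bytes(data: bytes) -> dict:
    """Report which script host and script files a shortcut references.

    'suspicious' is True when the shortcut names wscript.exe or cscript.exe,
    which a legitimate Startup shortcut rarely does.
    """
    if not data.startswith(LNK_MAGIC):
        return {"is_lnk": False, "hosts": [], "scripts": [], "suspicious": False}
    hosts, scripts = set(), set()
    for text in extract_strings(data):
        hosts.update(h.lower() for h in HOST_RE.findall(text))
        scripts.update(SCRIPT_RE.findall(text))
    return {
        "is_lnk": True,
        "hosts": sorted(hosts),
        "scripts": sorted(scripts),
        "suspicious": bool(hosts),
    }


def startup_folders() -> list[Path]:
    """Per-user and all-users Startup folders, located via the standard variables."""
    folders = []
    for env, tail in (
        ("APPDATA", "Microsoft/Windows/Start Menu/Programs/Startup"),
        ("ProgramData", "Microsoft/Windows/Start Menu/Programs/StartUp"),
    ):
        base = os.environ.get(env)
        if base:
            folders.append(Path(base) / tail)
    return folders


def scan_folder(folder: Path) -> list[dict]:
    """Analyze every .lnk in a folder and return the suspicious ones with their paths."""
    findings = []
    for lnk in sorted(folder.glob("*.lnk")):
        result = analyze_lnk_bytes(lnk.read_bytes())
        if result["suspicious"]:
            result["path"] = str(lnk)
            findings.append(result)
    return findings


# Constructed samples (placeholder paths, not real shortcuts): the magic prefix,
# some padding, an ASCII target path, then UTF-16LE command-line arguments.
SAMPLE_LNK = (
    LNK_MAGIC + b"\x00" * 60
    + b"C:\\Windows\\System32\\wscript.exe\x00\x00\x00"
    + '"C:\\Users\\alice\\AppData\\Roaming\\update.js"'.encode("utf-16-le")
    + b"\x00\x00"
)
BENIGN_LNK = (
    LNK_MAGIC + b"\x00" * 60
    + b"C:\\Windows\\System32\\notepad.exe\x00\x00\x00"
    + "C:\\Users\\alice\\notes.txt".encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    for folder in startup_folders():
        if folder.is_dir():
            for hit in scan_folder(folder):
                print(f"{hit['path']}: launches {hit['hosts']} with {hit['scripts']}")
```

Run it on a Windows host to list Startup shortcuts that invoke WSH; on any platform, `analyze_lnk_bytes` can be pointed at .lnk files collected during triage. Because it matches strings rather than parsing the link structure, a shortcut that reaches wscript.exe indirectly (for example through cmd.exe and an environment variable) will not be flagged, so treat it as a first pass alongside the IOCs in the post rather than a complete control.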

Great stuff, including some indicators of compromise (IOCs) and Snort rules to attempt to detect these situations, though the IOCs will be far more effective at this than the Snort rules.