← Back to Explore
sigmamediumHunting
WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf, .wsh) by Wscript/Cscript.
Detection Query
selection_img:
- OriginalFileName:
- wscript.exe
- cscript.exe
- Image|endswith:
- \wscript.exe
- \cscript.exe
selection_cli:
CommandLine|contains:
- .js
- .jse
- .vba
- .vbe
- .vbs
- .wsf
- .wsh
condition: all of selection_*
Author
Michael Haag
Created
2019-01-16
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.t1059.005attack.t1059.007detection.threat-hunting
Raw Content
title: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
id: 1e33157c-53b1-41ad-bbcc-780b80b58288
related:
- id: 23250293-eed5-4c39-b57a-841c8933a57d
type: obsolete
- id: cea72823-df4d-4567-950c-0b579eaf0846
type: derived
status: test
description: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf, .wsh) by Wscript/Cscript.
references:
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://redcanary.com/blog/gootloader/
author: Michael Haag
date: 2019-01-16
modified: 2026-02-17
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName:
- 'wscript.exe'
- 'cscript.exe'
- Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
selection_cli:
CommandLine|contains:
- '.js'
- '.jse'
- '.vba'
- '.vbe'
- '.vbs'
- '.wsf'
- '.wsh'
condition: all of selection_*
falsepositives:
- Some additional tuning is required. It is recommended to add the user profile path in CommandLine if it is getting too noisy.
level: medium