← Back to Explore
sigmahighHunting
Cscript/Wscript Uncommon Script Extension Execution
Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
Detection Query
selection_img:
- OriginalFileName:
- wscript.exe
- cscript.exe
- Image|endswith:
- \wscript.exe
- \cscript.exe
selection_extension:
CommandLine|contains:
- .csv
- .dat
- .doc
- .gif
- .jpeg
- .jpg
- .png
- .ppt
- .txt
- .xls
- .xml
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-05-15
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.t1059.005attack.t1059.007
Raw Content
title: Cscript/Wscript Uncommon Script Extension Execution
id: 99b7460d-c9f1-40d7-a316-1f36f61d52ee
status: test
description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2023-06-19
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName:
- 'wscript.exe'
- 'cscript.exe'
- Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
selection_extension:
CommandLine|contains:
# Note: add additional potential suspicious extension
# We could specify the "//E:" flag to avoid typos by admin. But since that's prone to blind spots via the creation of assoc it's better not to include it
- '.csv'
- '.dat'
- '.doc'
- '.gif'
- '.jpeg'
- '.jpg'
- '.png'
- '.ppt'
- '.txt'
- '.xls'
- '.xml'
condition: all of selection_*
falsepositives:
- Unknown
level: high