The hypothesis is that an adversary is leveraging scheduled script execution to maintain persistence and exfiltrate data across the environment. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify potential long-term access and data leakage activities.
KQL Query

```kql
imProcessCreate
| where Process has "cscript.exe"
| extend FileName=tostring(split(Process, '\\')[-1])
| where FileName =~ "cscript.exe"
| extend removeSwitches = replace(@"/+[a-zA-Z0-9:]+", "", CommandLine)
| extend CommandLine = trim(@"[a-zA-Z0-9\\:""]*cscript(.exe)?("")?(\s)+", removeSwitches)
// handle case where script name is enclosed in " characters or is not enclosed in quotes
| extend ScriptName= iff(CommandLine startswith @"""",
    extract(@"([:\\a-zA-Z_\-\s0-9\.()]+)(""?)", 0, CommandLine),
    extract(@"([:\\a-zA-Z_\-0-9\.()]+)(""?)", 0, CommandLine))
| extend ScriptName=trim(@"""", ScriptName) , ScriptNameLength=strlen(ScriptName)
// extract remainder of commandline as script parameters:
| extend ScriptParams = iff(ScriptNameLength < strlen(CommandLine), substring(CommandLine, ScriptNameLength +1), "")
| summarize min(TimeGenerated), count() by Dvc, User, ScriptName, ScriptParams, EventVendor, EventProduct
| order by count_ asc nulls last
| extend timestamp = min_TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User
```
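The query's value is in how it reduces a raw command line to a (script name, parameters) pair before summarizing, so the following Python re-implements those parsing steps and the summarize/order stage over a handful of constructed imProcessCreate-style events. This is an added example, not code from the page or from Microsoft Sentinel; the field names (Dvc, User, Process, CommandLine, TimeGenerated) mirror the ASIM columns the query uses, and the sample events, hosts and accounts are invented. Like the KQL `replace`, the switch-stripping step also removes slash-prefixed script arguments, which is why the sample parameters carry no slashes.

```python
"""Python re-implementation of the command-line parsing in the cscript summary
hunting query (added example; not the query's own code), run over constructed
imProcessCreate-style events."""
import re

# Step 1 of the query: strip cscript host switches such as //nologo or /B.
# As in the KQL, this also strips any slash-prefixed script arguments.
SWITCH_RE = re.compile(r"/+[a-zA-Z0-9:]+")
# Step 2: strip the launcher prefix, e.g. '"C:\Windows\System32\cscript.exe" '.
# KQL trim() also strips a trailing match; only the leading one matters here.
LAUNCHER_RE = re.compile(r'^[a-zA-Z0-9\\:"]*cscript(\.exe)?"?\s+')
# Step 3: the script name is either quoted (may contain spaces) or unquoted.
QUOTED_NAME_RE = re.compile(r'^"([^"]+)"')
UNQUOTED_NAME_RE = re.compile(r'^([:\\a-zA-Z_\-0-9.()]+)')

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-03-01T02:00:11Z", "Dvc": "FS01", "User": "CORP\\svc_backup",
     "Process": "C:\\Windows\\System32\\cscript.exe",
     "CommandLine": 'cscript.exe //nologo "C:\\ScheduledJobs\\daily summary.vbs" full'},
    {"TimeGenerated": "2024-03-02T02:00:09Z", "Dvc": "FS01", "User": "CORP\\svc_backup",
     "Process": "C:\\Windows\\System32\\cscript.exe",
     "CommandLine": 'cscript.exe //nologo "C:\\ScheduledJobs\\daily summary.vbs" full'},
    {"TimeGenerated": "2024-03-02T23:59:40Z", "Dvc": "WS-117", "User": "CORP\\jdoe",
     "Process": "C:\\Windows\\System32\\cscript.exe",
     "CommandLine": '"C:\\Windows\\System32\\cscript.exe" /B C:\\Users\\Public\\update.vbs 192.0.2.10'},
    {"TimeGenerated": "2024-03-01T09:15:00Z", "Dvc": "WS-042", "User": "CORP\\asmith",
     "Process": "C:\\Windows\\System32\\wscript.exe",  # not cscript: filtered out
     "CommandLine": "wscript.exe C:\\Tools\\notify.vbs"},
]


def is_cscript_process(process):
    """Equivalent of the query's split()/FileName =~ "cscript.exe" filter."""
    return process.split("\\")[-1].lower() == "cscript.exe"


def parse_cscript_command_line(command_line):
    """Return (script_name, script_params), or None if no cscript launcher prefix is found."""
    without_switches = SWITCH_RE.sub("", command_line)
    launcher = LAUNCHER_RE.match(without_switches)
    if not launcher:
        return None
    rest = without_switches[launcher.end():]
    match = QUOTED_NAME_RE.match(rest) or UNQUOTED_NAME_RE.match(rest)
    if not match:
        return None
    return match.group(1), rest[match.end():].strip()


def summarize(events):
    """Group by host, user, script and parameters; count and take the earliest
    time, then sort rarest-first like 'order by count_ asc'."""
    groups = {}
    for ev in events:
        if not is_cscript_process(ev["Process"]):
            continue
        parsed = parse_cscript_command_line(ev["CommandLine"])
        if parsed is None:
            continue
        name, params = parsed
        key = (ev["Dvc"], ev["User"], name, params)
        group = groups.setdefault(key, {"count": 0, "first_seen": ev["TimeGenerated"]})
        group["count"] += 1
        group["first_seen"] = min(group["first_seen"], ev["TimeGenerated"])
    rows = [{"Dvc": k[0], "User": k[1], "ScriptName": k[2], "ScriptParams": k[3], **v}
            for k, v in groups.items()]
    rows.sort(key=lambda r: r["count"])
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row)
```

Rarest-first ordering puts the single execution of a script under C:\Users\Public at the top of the output while the recurring scheduled job sinks to the bottom, which is the triage order a hunter wants from this summary.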
```yaml
id: bd89c7a0-76cb-4fa1-bc64-c366687cda9e
name: Cscript script daily summary breakdown (Normalized Process Events)
description: |
  'breakdown of scripts running in the environment'
requiredDataConnectors: []
tactics:
  - Execution
query: |
  imProcessCreate
  | where Process has "cscript.exe"
  | extend FileName=tostring(split(Process, '\\')[-1])
  | where FileName =~ "cscript.exe"
  | extend removeSwitches = replace(@"/+[a-zA-Z0-9:]+", "", CommandLine)
  | extend CommandLine = trim(@"[a-zA-Z0-9\\:""]*cscript(.exe)?("")?(\s)+", removeSwitches)
  // handle case where script name is enclosed in " characters or is not enclosed in quotes
  | extend ScriptName= iff(CommandLine startswith @"""",
      extract(@"([:\\a-zA-Z_\-\s0-9\.()]+)(""?)", 0, CommandLine),
      extract(@"([:\\a-zA-Z_\-0-9\.()]+)(""?)", 0, CommandLine))
  | extend ScriptName=trim(@"""", ScriptName) , ScriptNameLength=strlen(ScriptName)
  // extract remainder of commandline as script parameters:
  | extend ScriptParams = iff(ScriptNameLength < strlen(CommandLine), substring(CommandLine, ScriptNameLength +1), "")
  | summarize min(TimeGenerated), count() by Dvc, User, ScriptName, ScriptParams, EventVendor, EventProduct
  | order by count_ asc nulls last
  | extend timestamp = min_TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
Scenario: System administrators run a scheduled PowerShell script using cscript to generate a daily summary report for internal auditing.
Filter/Exclusion: Exclude events where the script path contains "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" or where the process is initiated by a known admin service account.
Scenario: A legitimate system maintenance task uses cscript to execute a VBScript that updates system logs or cleans temporary files.
Filter/Exclusion: Exclude events where the script is located in "C:\Windows\System32\" or where the user is a member of the Administrators group and the script is signed by a trusted certificate.
Scenario: A third-party monitoring tool runs a daily script via cscript to collect performance metrics from the environment.
Filter/Exclusion: Exclude events where the script is located in a known monitoring tool directory (e.g., "C:\Program Files\MonitoringTool\scripts\") and the process is initiated by the tool's service account.
Scenario: An IT support team uses cscript to run a script that generates a summary of active processes for troubleshooting purposes.
Filter/Exclusion: Exclude events where the script is located in "C:\SupportTools\" and the user is a member of the ITSupport group.
Scenario: A scheduled job runs a VBScript via cscript to generate a daily summary of script execution logs for compliance purposes.
Filter/Exclusion: Exclude events where the script is located in "C:\ScheduledJobs\" and the job is associated with a known compliance or reporting service.
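The exclusions above each pair a script directory with an identity condition, and the point a tuner has to get right is that both halves must hold: a script dropped into a trusted directory by an ordinary user should still surface. The following Python applies the four directory-plus-identity scenarios to rows shaped like the query's summarize output. It is an added example, not part of the page or of Sentinel; the group memberships, service account names, trusted-signature inventory and sample rows are all constructed, and the signature check in particular stands in for a data source that imProcessCreate does not carry. It goes one step beyond the page's literal prefix test by normalising the path first, so a name such as C:\Windows\System32\..\Temp\x.vbs is not counted as living in System32.

```python
"""Applying the documented cscript exclusions to summarized rows (added
example, not from the original page). All identities and rows are constructed."""
import ntpath

# Constructed identity data standing in for directory/group lookups.
GROUP_MEMBERSHIP = {"corp\\jdoe": {"ITSupport"}, "corp\\asmith": {"Administrators"}}
COMPLIANCE_ACCOUNTS = {"corp\\svc_compliance"}
MONITORING_ACCOUNT = "corp\\svc_monitor"
# Signature status is not in imProcessCreate; a separate inventory would feed this set.
TRUSTED_SIGNED_SCRIPTS = {"c:\\windows\\system32\\logrotate.vbs"}


def groups_of(user):
    return GROUP_MEMBERSHIP.get(user.lower(), set())


def script_under(script_path, directory):
    """Case-insensitive prefix test on the normalised path, so that
    'C:\\Windows\\System32\\..\\Temp\\x.vbs' is not treated as living in System32."""
    norm = ntpath.normpath(script_path).lower()
    base = ntpath.normpath(directory).lower().rstrip("\\") + "\\"
    return norm.startswith(base)


# (label, script directory, identity condition); both halves must hold.
EXCLUSIONS = [
    ("maintenance task in System32", "C:\\Windows\\System32\\",
     lambda r: "Administrators" in groups_of(r["User"])
     and ntpath.normpath(r["ScriptName"]).lower() in TRUSTED_SIGNED_SCRIPTS),
    ("monitoring tool", "C:\\Program Files\\MonitoringTool\\scripts\\",
     lambda r: r["User"].lower() == MONITORING_ACCOUNT),
    ("IT support", "C:\\SupportTools\\",
     lambda r: "ITSupport" in groups_of(r["User"])),
    ("compliance job", "C:\\ScheduledJobs\\",
     lambda r: r["User"].lower() in COMPLIANCE_ACCOUNTS),
]


def matching_exclusion(row):
    """Return the label of the first exclusion whose directory AND identity
    condition both match the row, else None."""
    for label, directory, identity_ok in EXCLUSIONS:
        if script_under(row["ScriptName"], directory) and identity_ok(row):
            return label
    return None


def triage(rows):
    """Split rows into those still needing analyst attention and those
    matched by a documented exclusion (paired with the matching label)."""
    kept, excluded = [], []
    for row in rows:
        label = matching_exclusion(row)
        if label:
            excluded.append((row, label))
        else:
            kept.append(row)
    return kept, excluded


# Constructed rows in the shape of the query's summarize output.
SAMPLE_ROWS = [
    {"Dvc": "FS01", "User": "CORP\\svc_compliance", "count": 30,
     "ScriptName": "C:\\ScheduledJobs\\daily summary.vbs", "ScriptParams": "full"},
    {"Dvc": "WS-117", "User": "CORP\\jdoe", "count": 4,
     "ScriptName": "C:\\SupportTools\\procs.vbs", "ScriptParams": ""},
    # Trusted directory but not the compliance account: must stay visible.
    {"Dvc": "WS-117", "User": "CORP\\jdoe", "count": 1,
     "ScriptName": "C:\\ScheduledJobs\\daily summary.vbs", "ScriptParams": "full"},
    # Path traversal out of System32 by an admin: must stay visible.
    {"Dvc": "WS-042", "User": "CORP\\asmith", "count": 1,
     "ScriptName": "C:\\Windows\\System32\\..\\Temp\\cleanup.vbs", "ScriptParams": ""},
    {"Dvc": "SRV02", "User": "CORP\\svc_monitor", "count": 30,
     "ScriptName": "C:\\Program Files\\MonitoringTool\\scripts\\perf.vbs", "ScriptParams": ""},
    {"Dvc": "WS-042", "User": "CORP\\asmith", "count": 7,
     "ScriptName": "C:\\Windows\\System32\\logrotate.vbs", "ScriptParams": ""},
]


if __name__ == "__main__":
    kept, excluded = triage(SAMPLE_ROWS)
    for row in kept:
        print("REVIEW ", row["Dvc"], row["User"], row["ScriptName"])
    for row, label in excluded:
        print("EXCLUDE", label, row["Dvc"], row["User"], row["ScriptName"])
```

In Sentinel the same rules become additional `where` clauses after the summarize step; keeping them as labelled pairs, as here, makes it obvious during review which scenario each suppression belongs to and that none of them suppresses on path alone.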