← Back to SOC feed Coverage →

Potential Dropper Script Execution Via WScript/CScript/MSHTA

sigma MEDIUM SigmaHQ
T1059.005T1059.007
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-23T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects wscript/cscript/mshta executions of scripts located in user directories

Detection Rule

Sigma (Original)

title: Potential Dropper Script Execution Via WScript/CScript/MSHTA
id: cea72823-df4d-4567-950c-0b579eaf0846
related:
    - id: 1e33157c-53b1-41ad-bbcc-780b80b58288
      type: similar
status: test
description: Detects wscript/cscript/mshta executions of scripts located in user directories
references:
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
    - https://redcanary.com/blog/gootloader/
    - https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems), Dave Johnson
date: 2019-01-16
modified: 2026-02-17
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_exec:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
    selection_paths:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\Temp\'
            - '\Start Menu\Programs\Startup\'
            - '\Temporary Internet'
            - '\Windows\Temp'
            - '%LocalAppData%\Temp\'
            - '%TEMP%'
            - '%TMP%'
    selection_ext:
        CommandLine|contains:
            - '.hta'
            - '.js'
            - '.jse'
            - '.vba'
            - '.vbe'
            - '.vbs'
            - '.wsf'
            - '.wsh'
    condition: all of selection_*
falsepositives:
    - Some installers might generate a similar behavior. An initial baseline is required
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessName endswith "\\wscript.exe" or TargetProcessName endswith "\\cscript.exe" or TargetProcessName endswith "\\mshta.exe") and (TargetProcessCommandLine contains ":\\Perflogs\\" or TargetProcessCommandLine contains ":\\Temp\\" or TargetProcessCommandLine contains ":\\Tmp\\" or TargetProcessCommandLine contains ":\\Users\\Public\\" or TargetProcessCommandLine contains ":\\Windows\\Temp\\" or TargetProcessCommandLine contains "\\AppData\\Local\\Temp\\" or TargetProcessCommandLine contains "\\AppData\\Roaming\\Temp\\" or TargetProcessCommandLine contains "\\Start Menu\\Programs\\Startup\\" or TargetProcessCommandLine contains "\\Temporary Internet" or TargetProcessCommandLine contains "\\Windows\\Temp" or TargetProcessCommandLine contains "%LocalAppData%\\Temp\\" or TargetProcessCommandLine contains "%TEMP%" or TargetProcessCommandLine contains "%TMP%") and (TargetProcessCommandLine contains ".hta" or TargetProcessCommandLine contains ".js" or TargetProcessCommandLine contains ".jse" or TargetProcessCommandLine contains ".vba" or TargetProcessCommandLine contains ".vbe" or TargetProcessCommandLine contains ".vbs" or TargetProcessCommandLine contains ".wsf" or TargetProcessCommandLine contains ".wsh")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_mshta_dropper.yml