The hypothesis is that an adversary is using cscript.exe or wscript.exe to execute malicious scripts (such as .jse, .vbs, or .vba files) to deliver payloads or execute arbitrary code. SOC teams should proactively hunt for this behavior in Azure Sentinel because script execution through these interpreters is a common technique in malware deployment and persistence, and it often indicates a compromise.
Detection Rule
title: WScript or CScript Dropper - File
id: 002bdb95-0cf1-46a6-9e08-d38c128a6127
related:
    - id: cea72823-df4d-4567-950c-0b579eaf0846
      type: derived
status: test
description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
references:
    - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
author: Tim Shelton
date: 2022-01-10
modified: 2022-12-02
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        TargetFilename|startswith:
            - 'C:\Users\'
            - 'C:\ProgramData'
        TargetFilename|endswith:
            - '.jse'
            - '.vbe'
            - '.js'
            - '.vba'
            - '.vbs'
    condition: selection
falsepositives:
    - Unknown
level: high
Azure Sentinel Query (ASIM imFileEvent)
imFileEvent
| where EventType == "FileCreated"  // Sigma file_event is file creation; imFileEvent also carries deletes and renames
| where ActingProcessName endswith "\\wscript.exe" or ActingProcessName endswith "\\cscript.exe"  // Sigma Image is the writing process, which ASIM exposes as ActingProcessName, not TargetFilePath
| where TargetFilePath startswith "C:\\Users\\" or TargetFilePath startswith "C:\\ProgramData"  // Sigma TargetFilename is the full path; ASIM TargetFileName is the bare file name and never starts with a drive letter
| where TargetFilePath endswith ".jse" or TargetFilePath endswith ".vbe" or TargetFilePath endswith ".js" or TargetFilePath endswith ".vba" or TargetFilePath endswith ".vbs"
False Positive Scenarios
Scenario: Scheduled Task Using CScript for Automation
Description: A legitimate scheduled task uses cscript.exe to run a .vbs script for system maintenance or reporting.
Filter/Exclusion: Exclude files located in the C:\Windows\Tasks directory or files with a known task name in the Task Scheduler database.
Scenario: Microsoft Office Macro Execution
Description: A user runs a .vba file via cscript.exe to execute a macro in an Excel or Word document.
Filter/Exclusion: Exclude files located in the Microsoft Office installation directory (e.g., C:\Program Files\Microsoft Office\) or files with a .vba extension associated with Office applications.
Scenario: PowerShell Script Execution via CScript
Description: A PowerShell script is converted to a .vbs file and executed via cscript.exe as part of a legacy compatibility process.
Filter/Exclusion: Exclude files that contain PowerShell syntax or are located in directories used for script conversion (e.g., C:\Temp\PowerShellToVBS).
Scenario: System Administration Script via CScript
Description: An admin uses cscript.exe to run a .vbs script for system configuration or patch management.
Filter/Exclusion: Exclude files with a known admin task name or located in the C:\Windows\System32 directory.
Scenario: Legacy Application Compatibility Script
Description: A legacy application uses cscript.exe to run a .vbs script for compatibility with older systems.
Filter/Exclusion: Exclude files associated with known legacy applications or located in the application’s installation directory (e.g., C:\LegacyApp\Scripts).
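To check the rule's selection logic and the tuning approach from the scenarios above offline, here is an added Python example (not part of the original page or the Sigma project) that applies the rule to constructed ASIM-style file events and drops hits under a hypothetical allowlisted path; the allowlist prefix, the Contoso path and every event are assumptions made for the example.

```python
from typing import Iterable

# Selection terms taken from the Sigma rule (compared case-insensitively, as Sigma and KQL do).
INTERPRETERS = ("\\wscript.exe", "\\cscript.exe")
PATH_ROOTS = ("c:\\users\\", "c:\\programdata")
EXTENSIONS = (".jse", ".vbe", ".js", ".vba", ".vbs")
# Hypothetical allowlist of vetted scripts under the monitored roots, in the
# spirit of the tuning scenarios (constructed for this example, not from the page).
KNOWN_GOOD_PREFIXES = ("c:\\programdata\\contoso\\maintenance\\",)

def matches_selection(acting_process: str, target_path: str) -> bool:
    """Mirror the Sigma 'selection' block: interpreter AND path root AND extension."""
    proc, path = acting_process.lower(), target_path.lower()
    return (proc.endswith(INTERPRETERS) and path.startswith(PATH_ROOTS)
            and path.endswith(EXTENSIONS))

def is_allowlisted(target_path: str) -> bool:
    """Tuning step: drop writes to paths an analyst has already vetted."""
    return target_path.lower().startswith(KNOWN_GOOD_PREFIXES)

def hunt(events: Iterable[dict]) -> list:
    """Return file-creation events that match the rule and are not allowlisted."""
    hits = []
    for ev in events:
        if ev.get("EventType") != "FileCreated":
            continue  # Sigma's file_event category covers file creation only
        if (matches_selection(ev["ActingProcessName"], ev["TargetFilePath"])
                and not is_allowlisted(ev["TargetFilePath"])):
            hits.append(ev)
    return hits

# Constructed ASIM-style file events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"EventType": "FileCreated", "ActingProcessName": "C:\\Windows\\System32\\wscript.exe",
     "TargetFilePath": "C:\\Users\\alice\\AppData\\Roaming\\update.vbs"},    # hit
    {"EventType": "FileCreated", "ActingProcessName": "C:\\Windows\\SysWOW64\\cscript.exe",
     "TargetFilePath": "C:\\ProgramData\\stage2.JSE"},                        # hit (case-insensitive)
    {"EventType": "FileCreated", "ActingProcessName": "C:\\Windows\\System32\\cscript.exe",
     "TargetFilePath": "C:\\ProgramData\\Contoso\\Maintenance\\report.vbs"}, # allowlisted
    {"EventType": "FileCreated", "ActingProcessName": "C:\\Windows\\System32\\cscript.exe",
     "TargetFilePath": "C:\\Windows\\Tasks\\cleanup.vbs"},                    # outside monitored roots
    {"EventType": "FileCreated", "ActingProcessName": "C:\\Windows\\explorer.exe",
     "TargetFilePath": "C:\\Users\\alice\\Downloads\\notes.js"},              # not a script host
    {"EventType": "FileDeleted", "ActingProcessName": "C:\\Windows\\System32\\wscript.exe",
     "TargetFilePath": "C:\\Users\\alice\\old.vbs"},                          # not a creation
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["ActingProcessName"], "->", hit["TargetFilePath"])
```

Note that the directory exclusions listed in the scenarios (C:\Windows\Tasks, the Office and System32 directories, C:\Temp, C:\LegacyApp) all lie outside C:\Users\ and C:\ProgramData, so the rule's path prefix already excludes them; tuning effort is only needed for vetted scripts that are written under those two roots.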