Skip to content
Threat Feed
high advisory

Suspicious PowerShell Execution via Windows Script Host

Adversaries may execute PowerShell commands through the Windows Script Host (wscript.exe or cscript.exe) using suspicious arguments, potentially bypassing traditional PowerShell execution policies and detection mechanisms.

Attackers might leverage Windows Script Host (WSH), specifically wscript.exe or cscript.exe, to execute PowerShell commands with obfuscated or malicious arguments. This technique enables the execution of PowerShell scripts without directly invoking powershell.exe, which can help evade detection based on standard PowerShell command-line monitoring. By using WSH, attackers can leverage its scripting capabilities to launch PowerShell and execute arbitrary code. The use of WSH as an intermediary can make it difficult to track the origin of PowerShell execution. This is especially relevant in environments where PowerShell execution is heavily monitored or restricted through execution policies.

Attack Chain

  1. Initial Access: An attacker gains initial access through an existing vulnerability or previously established persistence.
  2. Script Injection: The attacker crafts a malicious script (e.g., VBScript or JScript) designed to execute PowerShell commands.
  3. WSH Invocation: The attacker invokes wscript.exe or cscript.exe to execute the malicious script.
  4. PowerShell Execution: The script leverages the GetObject method to create a COM object that executes PowerShell commands via the Shell.Application object, effectively bypassing normal PowerShell execution channels.
  5. Command Obfuscation: The PowerShell commands within the script are often obfuscated using techniques like Base64 encoding or string manipulation to evade detection.
  6. Payload Delivery: The PowerShell commands download and execute a payload, such as a reverse shell or malware.
  7. Lateral Movement: The payload enables the attacker to move laterally within the network by using credentials or exploiting other vulnerabilities.
  8. Objective Achieved: The attacker accomplishes their objective, such as data exfiltration, system compromise, or ransomware deployment.

Impact

Successful exploitation can lead to arbitrary code execution, allowing attackers to compromise systems, steal sensitive data, or establish persistence within the network. Due to the nature of scripting engines, these attacks can bypass many conventional security controls. This can lead to widespread damage across the compromised environment. The impact includes data breaches, system downtime, and financial losses.

Detection coverage 2

Detect PowerShell Execution via Wscript with Suspicious Arguments

high

Detects the execution of PowerShell commands via Wscript.exe or Cscript.exe with suspicious arguments like encoded commands or bypass flags.

sigma tactics: execution techniques: T1059.001 sources: process_creation, windows

Detect Wscript/Cscript spawning PowerShell

medium

Detects when wscript.exe or cscript.exe are used as parent processes to execute PowerShell, which can indicate scripting abuse.

sigma tactics: execution techniques: T1059.001 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →