high advisory

WScript or CScript Dropper

The WScript or CScript Dropper technique involves using cscript.exe or wscript.exe to write malicious script files (js, jse, vba, vbe, vbs, wsf, wsh) to suspicious locations on a Windows system for later execution.

The WScript or CScript Dropper technique is a method employed by attackers to introduce malicious script files into a system. It leverages the built-in Windows scripting hosts, cscript.exe and wscript.exe, to write files with extensions commonly associated with scripting languages (e.g., .js, .vbs, .wsf). These scripts are often written to temporary or user-accessible directories, such as \Temp\, \AppData\, or \Startup\, where they can be executed later, either manually or…

Detection coverage 2

Detect WScript/CScript Writing Suspicious Files

high

Detects the writing of files ending in jse, vbe, js, vba, vbs, wsf, wsh by cscript.exe or wscript.exe into suspicious directories.

sigma | tactics: execution | techniques: T1059.005, T1059.007 | sources: file_event, windows

Detect CScript/WScript launching from unusual process

medium

Detects CScript or WScript being launched by a process that isn't explorer.exe or cmd.exe.

sigma | tactics: execution | techniques: T1059.005, T1059.007 | sources: process_creation, windows
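The two detections described above, sketched as an added Python example over constructed events; this is not the platform's rule content. It assumes Sysmon-style field names (`Image`, `TargetFilename`, `ParentImage`) and uses only the three directories the description names as its suspicious-path list.

```python
import ntpath

# Values taken from the two detection descriptions on this page.
# SUSPICIOUS_DIRS holds only the examples the page names (assumed, not the full rule list).
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vba", ".vbe", ".vbs", ".wsf", ".wsh"}
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\", "\\startup\\")
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe"}

def _name(path):
    """Lower-cased file name of a Windows path (parsed with ntpath on any OS)."""
    return ntpath.basename(path or "").lower()

def is_dropper_write(event):
    """file_event: a script host writes a script file into a suspicious directory."""
    target = (event.get("TargetFilename") or "").lower()
    return (
        _name(event.get("Image")) in SCRIPT_HOSTS
        and ntpath.splitext(target)[1] in SCRIPT_EXTS   # exact extension, so .json != .js
        and any(d in target for d in SUSPICIOUS_DIRS)
    )

def is_unusual_parent(event):
    """process_creation: a script host started by anything but explorer.exe or cmd.exe."""
    return (
        _name(event.get("Image")) in SCRIPT_HOSTS
        and _name(event.get("ParentImage")) not in EXPECTED_PARENTS
    )

# Constructed sample events (not real telemetry).
SYS32 = "C:\\Windows\\System32\\"
FILE_EVENTS = [
    {"Image": SYS32 + "wscript.exe", "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"Image": SYS32 + "wscript.exe", "TargetFilename": r"C:\Users\u\AppData\Local\Temp\report.json"},
    {"Image": SYS32 + "notepad.exe", "TargetFilename": r"C:\Users\u\AppData\Local\Temp\a.js"},
    {"Image": SYS32 + "CSCRIPT.EXE", "TargetFilename": r"C:\Scripts\build.wsf"},
]
PROC_EVENTS = [
    {"Image": SYS32 + "wscript.exe", "ParentImage": r"C:\Program Files\Example\updater.exe"},
    {"Image": SYS32 + "cscript.exe", "ParentImage": SYS32 + "cmd.exe"},
    {"Image": SYS32 + "powershell.exe", "ParentImage": r"C:\Program Files\Example\updater.exe"},
]

def triage(file_events, proc_events):
    """Return (file-write hits, unusual-parent hits) for the two detections."""
    return ([e for e in file_events if is_dropper_write(e)],
            [e for e in proc_events if is_unusual_parent(e)])

if __name__ == "__main__":
    print(triage(FILE_EVENTS, PROC_EVENTS))
```

Matching is case-insensitive on both image names and paths, which mirrors how Sigma string matching behaves by default.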

Detection queries are kept inside the platform.