Remote File Download via Script Interpreter
The rule identifies built-in Windows script interpreters, specifically cscript.exe or wscript.exe, being used to download an executable file from a remote destination, often employed by attackers for initial access or to deploy secondary payloads.
Attackers frequently leverage Windows Script Host (WSH) scripts, such as those executed by cscript.exe and wscript.exe, to facilitate their operations within a compromised environment. These scripts can act as initial access vectors, serving as droppers for subsequent payloads, or they can be used to download tools and utilities necessary for lateral movement and privilege escalation. This activity typically begins post-exploitation, as the attacker seeks to establish a persistent foothold or expand their control within the network. This detection focuses on identifying instances where these script interpreters are used to retrieve executable files (e.g., .exe, .dll) from remote locations. The rule specifically targets the anomalous use of cscript.exe and wscript.exe to download executable files, distinguishing it from legitimate uses of these tools.
Attack Chain
- An attacker gains initial access to a Windows system through an external vector.
- The attacker executes
cscript.exeorwscript.exe. - The script interpreter initiates a network connection to a remote server over HTTP/HTTPS, avoiding DNS resolution for obfuscation.
- The script downloads a malicious executable file (e.g., .exe, .dll, .ps1) to the compromised host.
- The downloaded file is saved to disk, often in a temporary directory or a location accessible to the attacker.
- The script may then execute the downloaded file, initiating further malicious activity.
- The executed payload establishes persistence, moves laterally, or exfiltrates data.
- The attacker achieves their objective, such as data theft or system compromise.
Impact
Successful exploitation can lead to the installation of malware, backdoors, or other malicious tools on the compromised system. This can enable attackers to gain persistent access, steal sensitive data, or disrupt business operations. The use of scripting engines like cscript.exe and wscript.exe allows attackers to bypass traditional security controls that focus on executable files, making detection more challenging. Organizations that fail to detect and respond to this activity risk significant financial and reputational damage.
Recommendation
- Enable and monitor Windows event logs, specifically Sysmon, to capture process creation, network connections, and file creation events, as indicated by the
logs-windows.sysmon_operational-*index. - Implement the provided Sigma rule to detect the execution of
cscript.exeorwscript.exefollowed by the creation of executable files, tuning for your specific environment. - Enrich network event logs with threat intelligence to identify connections to known malicious IPs or domains, correlating with network connections initiated by
cscript.exeorwscript.exe. - Monitor file creation events for executable files downloaded to suspicious locations, such as temporary directories or user profiles, in conjunction with process execution by
cscript.exeorwscript.exe.
Detection coverage 2
Detect Remote File Download via CScript or WScript
mediumDetects the execution of cscript.exe or wscript.exe followed by a network connection and file creation of a potentially malicious executable.
Remote File Download by Script Interpreter (EQL)
mediumIdentifies when a script interpreter (cscript.exe or wscript.exe) downloads an executable file from a remote destination using EQL.
Detection queries are available on the platform. Get full rules →