Windows Script Host Executing PowerShell
Detects PowerShell execution initiated by cscript.exe or wscript.exe, commonly used by attackers for initial access or payload delivery.
Attackers frequently leverage Windows Script Host (WSH) via cscript.exe and wscript.exe to execute malicious PowerShell scripts. This technique serves as an initial access vector or a method to download and execute subsequent payloads. This activity is often observed when attackers use scripts as droppers to download tools and utilities needed to accomplish their objectives, such as lateral movement or data exfiltration. This behavior warrants investigation as it deviates from typical user activity and often indicates malicious intent. The Elastic detection rule "Windows Script Executing PowerShell", updated on 2026/04/07, identifies this pattern, providing a valuable signal for potential compromise.
Attack Chain
- The user receives a malicious document or link via phishing (T1566.001).
- The user opens the document or clicks the link, triggering the execution of an embedded script.
wscript.exeorcscript.exeis launched to interpret and execute the malicious script (T1059.005, T1059.007).- The script executes a PowerShell command (T1059.001).
powershell.exeis launched as a child process ofwscript.exeorcscript.exe.- The PowerShell command downloads a secondary payload from a remote server.
- The downloaded payload is executed, potentially establishing persistence or conducting further malicious activities.
- The attacker gains initial access and proceeds with lateral movement or data exfiltration.
Impact
Successful exploitation leads to initial access within the targeted environment, potentially affecting numerous systems. This could result in data breaches, system compromise, and operational disruption. The execution of malicious PowerShell scripts can lead to the installation of backdoors, ransomware deployment, or data exfiltration. The impact is significant, especially in environments where WSH usage is not regularly monitored or restricted.
Recommendation
- Enable process creation logging (Sysmon or equivalent) to capture the parent-child relationship between
cscript.exe/wscript.exeandpowershell.exeto activate the rules below. - Implement the Sigma rule "Detect PowerShell Launched by Script Host" to identify instances of this behavior in your environment.
- Review and restrict the usage of
cscript.exeandwscript.exewhere possible, as these are often abused by attackers and rarely needed for legitimate business operations. - Investigate any alerts generated by the Sigma rule, focusing on the commands executed by PowerShell and the origin of the initial script.
Detection coverage 2
Detect PowerShell Launched by Script Host
mediumDetects powershell.exe being launched as a child process of wscript.exe or cscript.exe
Detect wscript/cscript executing unusual files
lowDetects wscript.exe or cscript.exe executing files from unusual locations
Detection queries are available on the platform. Get full rules →