Skip to content
Threat Feed
medium advisory

Windows Script Host Executing PowerShell

Detects PowerShell execution initiated by cscript.exe or wscript.exe, commonly used by attackers for initial access or payload delivery.

Attackers frequently leverage Windows Script Host (WSH) via cscript.exe and wscript.exe to execute malicious PowerShell scripts. This technique serves as an initial access vector or a method to download and execute subsequent payloads. This activity is often observed when attackers use scripts as droppers to download tools and utilities needed to accomplish their objectives, such as lateral movement or data exfiltration. This behavior warrants investigation as it deviates from typical user activity and often indicates malicious intent. The Elastic detection rule "Windows Script Executing PowerShell", updated on 2026/04/07, identifies this pattern, providing a valuable signal for potential compromise.

Attack Chain

  1. The user receives a malicious document or link via phishing (T1566.001).
  2. The user opens the document or clicks the link, triggering the execution of an embedded script.
  3. wscript.exe or cscript.exe is launched to interpret and execute the malicious script (T1059.005, T1059.007).
  4. The script executes a PowerShell command (T1059.001).
  5. powershell.exe is launched as a child process of wscript.exe or cscript.exe.
  6. The PowerShell command downloads a secondary payload from a remote server.
  7. The downloaded payload is executed, potentially establishing persistence or conducting further malicious activities.
  8. The attacker gains initial access and proceeds with lateral movement or data exfiltration.

Impact

Successful exploitation leads to initial access within the targeted environment, potentially affecting numerous systems. This could result in data breaches, system compromise, and operational disruption. The execution of malicious PowerShell scripts can lead to the installation of backdoors, ransomware deployment, or data exfiltration. The impact is significant, especially in environments where WSH usage is not regularly monitored or restricted.

Recommendation

  • Enable process creation logging (Sysmon or equivalent) to capture the parent-child relationship between cscript.exe/wscript.exe and powershell.exe to activate the rules below.
  • Implement the Sigma rule "Detect PowerShell Launched by Script Host" to identify instances of this behavior in your environment.
  • Review and restrict the usage of cscript.exe and wscript.exe where possible, as these are often abused by attackers and rarely needed for legitimate business operations.
  • Investigate any alerts generated by the Sigma rule, focusing on the commands executed by PowerShell and the origin of the initial script.

Detection coverage 2

Detect PowerShell Launched by Script Host

medium

Detects powershell.exe being launched as a child process of wscript.exe or cscript.exe

sigma tactics: execution, initial_access techniques: T1059.001, T1566.001 sources: process_creation, windows

Detect wscript/cscript executing unusual files

low

Detects wscript.exe or cscript.exe executing files from unusual locations

sigma tactics: execution, initial_access techniques: T1059.005, T1059.007 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →