Windows Script Execution from Archive File
This rule detects attempts to execute Jscript/Vbscript files from archive files, a common method for delivering malicious scripts by identifying unusual parent-child process relationships where scripting utilities are launched from archive programs, indicating potential exploitation.
Attackers commonly use archive files to deliver malicious scripts, such as Jscript or Vbscript, to victims. This technique allows them to bypass initial security checks and execute code on the target system. This detection focuses on identifying instances where scripting utilities like wscript.exe are launched from archive programs like winrar.exe or 7zFM.exe, which could indicate malicious activity. This is especially relevant to environments where users frequently handle archive files, as it helps identify potentially malicious script execution originating from these sources. The rule leverages process creation events to identify these parent-child relationships and flag suspicious activity. The original detection rule was published on 2026-04-20 and has been actively maintained since 2025-08-20 by Elastic.
Attack Chain
- The user downloads an archive file (e.g., ZIP, RAR, 7z) containing a malicious script from a phishing email or compromised website.
- The user opens the archive file using an archiving program such as
explorer.exe,winrar.exe, or7zFM.exe. - The user extracts the malicious script (e.g., .js, .vbs) to a temporary directory, often within the user's
AppData\Local\Tempfolder. - The user (or an automated process) double-clicks the extracted script file.
wscript.exeis launched as a child process of the archiving program, such aswinrar.exeor7zFM.exe, to execute the script.- The malicious script executes commands, potentially downloading further payloads or performing other malicious activities.
- The script may establish a connection to a command-and-control (C2) server.
- The attacker gains control of the compromised system, potentially leading to data exfiltration or ransomware deployment.
Impact
Successful exploitation can lead to arbitrary code execution on the victim's machine, potentially resulting in data theft, system compromise, or ransomware infection. The impact can range from individual workstation compromise to wider network breaches, depending on the attacker's objectives and capabilities. Targeted sectors often include organizations where scripting is less monitored, and end-users are more likely to interact with archive files. The use of malicious scripts can bypass traditional security measures, leading to significant damage and disruption.
Recommendation
- Enable process creation logging for
wscript.exeand monitor its command-line arguments to detect suspicious script execution. This helps activate the rules below (log source:process_creation). - Deploy the Sigma rule "Windows Script Execution from Archive" to your SIEM to detect the execution of Jscript/Vbscript files from archive files (rule:
Windows Script Execution from Archive). - Block the temporary paths listed in the rule query to prevent the execution of scripts from common archive extraction locations. (content:
process.args) - Implement application whitelisting to restrict the execution of unauthorized scripts and scripting utilities, reducing the risk of similar threats in the future (recommendation).
Detection coverage 2
Windows Script Execution from Archive
mediumDetects the execution of scripts (VBScript, JScript) from archive files (ZIP, RAR, 7z) by monitoring the parent-child process relationship.
Suspicious WScript Execution from Archive Folders
mediumDetects suspicious script execution from common temporary archive folders using wscript.exe.
Detection queries are available on the platform. Get full rules →