Wscript_Cscript Execution

Anvilogic Forge

Summary
This detection rule monitors the execution of the Windows Script Host applications `wscript.exe` and `cscript.exe`. Threat actors frequently use these hosts to run malicious VBScript or JScript, enabling behaviour such as downloading additional malware, executing commands, or exfiltrating data. Threat actor groups associated with this activity include APT28 (Fancy Bear), APT29 (Cozy Bear), and other advanced persistent threat groups known to rely on scripting in their operations. The rule applies a regex pattern to process command-line arguments to identify scripts launched through either host, since those command lines can reveal suspicious or malicious activity targeting Windows systems.
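The following is an added example of the kind of command-line matching the summary describes; it is not Anvilogic's rule logic, and the event field names (`image`, `command_line`, `parent_image`) and the sample events are assumptions constructed for the illustration. It matches the script host on the image name or the command line's executable token rather than anywhere in the command line, so a process that merely mentions "wscript" in an argument does not fire, and it enriches each finding with the parent process and whether a script file extension appears in the arguments to help triage.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the bare image name of either Windows Script Host binary.
# Anchored so that "notwscript.exe" or "wscript.exe.bak" do not match.
WSH_HOST_RE = re.compile(r"^(?P<host>wscript|cscript)(?:\.exe)?$", re.IGNORECASE)

# Extensions WSH will execute; used only to enrich the finding.
SCRIPT_EXT_RE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|wsh)\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names are assumed, not a vendor schema)."""
    host: str
    user: str
    image: str           # full path of the new process
    command_line: str
    parent_image: str


@dataclass
class Finding:
    host: str
    user: str
    script_host: str     # "wscript" or "cscript", normalised to lower case
    parent_image: str
    command_line: str
    names_script_file: bool


def executable_token(command_line: str) -> str:
    """Return the first token of a Windows command line, honouring double quotes."""
    s = command_line.lstrip()
    if not s:
        return ""
    if s[0] == '"':
        end = s.find('"', 1)
        return s[1:] if end == -1 else s[1:end]
    return s.split(None, 1)[0]


def basename(path: str) -> str:
    """Last path component, accepting both backslash and forward-slash separators."""
    return re.split(r"[\\/]", path)[-1]


def wsh_host(event: ProcessEvent) -> Optional[str]:
    """Return "wscript"/"cscript" if the image or the command line's executable
    token is a Windows Script Host binary, otherwise None."""
    for candidate in (event.image, executable_token(event.command_line)):
        m = WSH_HOST_RE.match(basename(candidate))
        if m:
            return m.group("host").lower()
    return None


def detect_wsh_execution(events: List[ProcessEvent]) -> List[Finding]:
    """Flag every WSH execution and attach triage context (parent, script argument)."""
    findings = []
    for ev in events:
        host = wsh_host(ev)
        if host is None:
            continue
        findings.append(Finding(
            host=ev.host, user=ev.user, script_host=host,
            parent_image=ev.parent_image, command_line=ev.command_line,
            names_script_file=bool(SCRIPT_EXT_RE.search(ev.command_line)),
        ))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\alice", r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" C:\Users\alice\AppData\Local\Temp\invoice.vbs',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent("SRV02", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\cscript.exe",
                 r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS01", "CORP\\alice", r"C:\Windows\explorer.exe",
                 r"C:\Windows\Explorer.EXE", r"C:\Windows\System32\userinit.exe"),
    # Mentions "wscript" only as an argument; must not fire.
    ProcessEvent("WS03", "CORP\\bob", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -Command "Get-Process wscript"',
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in detect_wsh_execution(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} {f.script_host} parent={basename(f.parent_image)} "
              f"script_arg={f.names_script_file} :: {f.command_line}")
```

Run against the constructed events, the first two (a user-launched `.vbs` from a temp directory and a system `slmgr.vbs` invocation) are reported and the other two are not; the parent image and script-argument flag are what an analyst would use to separate routine administrative scripting from the user-context activity the rule is meant to surface.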
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1105
  • T1059.005
  • T1082
  • T1547.001
  • T1059.007
Created: 2024-02-09