Phoenix
Sigma IntelligenceBeta
Back to Rules
Threat Huntmediumtest

WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Michael HaagCreated Wed Jan 16Updated Mon May 151e33157c-53b1-41ad-bbcc-780b80b58288windows
Hunting Hypothesis
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - OriginalFileName:
              - 'wscript.exe'
              - 'cscript.exe'
        - Image|endswith:
              - '\wscript.exe'
              - '\cscript.exe'
    selection_cli:
        CommandLine|contains:
            - '.js'
            - '.jse'
            - '.vba'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    condition: all of selection_*
False Positives

Some additional tuning is required. It is recommended to add the user profile path in CommandLine if it is getting too noisy.

References
1
Resolving title…
thedfirreport.com
2
Resolving title…
redcanary.com
MITRE ATT&CK

Other

detection.threat-hunting
Related Rules
Similar

23250293-eed5-4c39-b57a-841c8933a57d

Rule not found
DerivedDetectionmedium

Potential Dropper Script Execution Via WScript/CScript

Detects wscript/cscript executions of scripts located in user directories

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
1e33157c-53b1-41ad-bbcc-780b80b58288
Status
test
Level
medium
Type
Threat Hunt
Created
Wed Jan 16
Modified
Mon May 15
Author
Michael Haag
Path
rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
Raw Tags
attack.executionattack.t1059.005attack.t1059.007detection.threat-hunting
View on GitHub