Detect Use of cmd.exe to Launch Script Interpreters

Description

This search looks for process-creation events for cscript.exe or wscript.exe whose parent process is cmd.exe. For each destination host it returns the number of such executions, the first and last times they were seen, and the user and process information.

Content Mapping



Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

Medium

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Execution

MITRE ATT&CK Techniques

Command and Scripting Interpreter

MITRE Threat Groups

APT19
APT32
APT39
Dragonfly 2.0
FIN5
FIN6
FIN7
Ke3chang
Molerats
OilRig
Stealth Falcon
Whitefly

Kill Chain Phases

Exploitation

Data Sources

Endpoint Detection and Response


Detect Use of cmd.exe to Launch Script Interpreters Help

Attackers often use scripting languages to carry out their attacks. On Windows, the Windows Script Host (WSH) is the built-in interpreter for VBScript and JScript files and ships with all modern versions of Windows. It is exposed through two executables: cscript.exe, the console version, and wscript.exe, the windowed version. To detect this behavior, the search looks for process-creation events for cscript.exe or wscript.exe with a parent process of cmd.exe, and returns the count, the first and last times the behavior was seen on each destination host, and the user and process information.
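The following is an added example of the detection logic described above (it also covers the Description section), written in Python over a handful of constructed process-creation records rather than as the page's own Splunk search. The field names (ts, dest, user, process, parent_process, command_line) and the sample events are assumptions; map them to whatever your EDR or Sysmon ingest produces. It shows two details the prose glosses over: the image name must be compared case-insensitively and stripped of its directory (System32 versus SysWOW64, mixed-case names), and the output is grouped per host and user with a count and first/last-seen timestamps.

```python
"""Added example: flag cscript.exe / wscript.exe launched by cmd.exe and summarize
per destination host and user. Illustrative code, not the page's own SPL.
Field names and sample events below are assumptions for the example."""
from collections import defaultdict
from datetime import datetime
import ntpath

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}   # Windows Script Host images
REQUIRED_PARENT = "cmd.exe"


def image_name(path: str) -> str:
    """Lowercase file name of a process image, whether logged as a bare name
    or a full path (C:\\Windows\\SysWOW64\\WSCRIPT.EXE -> wscript.exe)."""
    return ntpath.basename(path).lower()


def is_cmd_to_script_host(event: dict) -> bool:
    """True when the child is a WSH interpreter and the parent is cmd.exe."""
    return (image_name(event["process"]) in SCRIPT_HOSTS
            and image_name(event["parent_process"]) == REQUIRED_PARENT)


def summarize(events):
    """Group matching events by (dest, user) and report count, first/last seen
    and the distinct command lines, mirroring a 'stats count min max by dest user'."""
    groups = defaultdict(list)
    for ev in events:
        if is_cmd_to_script_host(ev):
            groups[(ev["dest"], ev["user"])].append(ev)
    rows = []
    for (dest, user), evs in sorted(groups.items()):
        times = [ev["ts"] for ev in evs]
        rows.append({
            "dest": dest,
            "user": user,
            "count": len(evs),
            "firstTime": min(times),
            "lastTime": max(times),
            "command_lines": sorted({ev["command_line"] for ev in evs}),
        })
    return rows


# Constructed sample process-creation events (assumed schema, not real telemetry).
SAMPLE_EVENTS = [
    {"ts": datetime(2024, 1, 1, 10, 0), "dest": "host1", "user": "alice",
     "parent_process": "cmd.exe",
     "process": r"C:\Windows\System32\cscript.exe",
     "command_line": "cscript.exe //nologo update.vbs"},
    {"ts": datetime(2024, 1, 1, 10, 5), "dest": "host1", "user": "alice",
     "parent_process": r"C:\Windows\System32\cmd.exe",
     "process": r"C:\Windows\SysWOW64\WSCRIPT.EXE",          # mixed case, 32-bit path
     "command_line": "WSCRIPT.EXE stage2.js"},
    {"ts": datetime(2024, 1, 1, 11, 0), "dest": "host1", "user": "bob",
     "parent_process": "explorer.exe",                      # not cmd.exe: no match
     "process": "wscript.exe",
     "command_line": "wscript.exe logon.vbs"},
    {"ts": datetime(2024, 1, 2, 9, 0), "dest": "host2", "user": "svc",
     "parent_process": "cmd.exe",
     "process": "cscript.exe",
     "command_line": "cscript.exe inventory.vbs"},
    {"ts": datetime(2024, 1, 2, 9, 1), "dest": "host2", "user": "svc",
     "parent_process": "powershell.exe",                    # not cmd.exe: no match
     "process": "cscript.exe",
     "command_line": "cscript.exe other.vbs"},
    {"ts": datetime(2024, 1, 2, 9, 2), "dest": "host2", "user": "svc",
     "parent_process": "cmd.exe",
     "process": "notepad.exe",                              # not a script host: no match
     "command_line": "notepad.exe readme.txt"},
]


def run_sample():
    """Run the detection over the constructed events."""
    return summarize(SAMPLE_EVENTS)


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

On the sample above only three events match, collapsing into two rows: host1/alice with a count of 2 (first seen 10:00, last seen 10:05) and host2/svc with a count of 1. In production the same parent/child pair is also produced by logon scripts and scheduled tasks that call cmd.exe, which is why the alert volume is listed as medium; tuning usually means excluding known script paths or signed administrative scripts from the command lines rather than loosening the parent check.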