Detect Use of cmd.exe to Launch Script Interpreters
This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination machine.
Detect Use of cmd.exe to Launch Script Interpreters Help
Attackers often leverage various scripting languages to execute their attacks. In a Windows environment, the Windows Script Host is the tool that interprets the scripts and is included in all modern versions of Windows. The Windows Script Host is available as a command-line tool called "cscript.exe" or "wscript.exe." To detect this behavior, the search looks for process-creation events for cscript.exe or wscript.exe with a parent process of cmd.exe. The search will return the count, the first and last times this behavior was seen on a destination machine, and user and process information.
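The matching and summarising logic described above, as an added Python example rather than the search shipped with this content. The event field names (`time`, `dest`, `user`, `parent_image`, `image`, `command_line`) and the sample events are constructed assumptions; it compares image names case-insensitively on the file name only, so full paths and mixed-case names still match.

```python
import ntpath
from collections import defaultdict
from datetime import datetime

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
PARENT_NAME = "cmd.exe"

# Constructed sample process-creation events. Field names are assumptions,
# not a specific product's schema.
EVENTS = [
    {"time": "2024-03-01T09:15:02", "dest": "WS-014", "user": "alice",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wscript.exe", "command_line": r"wscript.exe C:\Temp\report.vbs"},
    {"time": "2024-03-01T11:40:37", "dest": "WS-014", "user": "alice",
     "parent_image": r"C:\WINDOWS\system32\CMD.EXE",
     "image": r"C:\Windows\System32\WScript.exe", "command_line": r"WScript.exe C:\Temp\report.vbs"},
    {"time": "2024-03-01T11:41:10", "dest": "WS-014", "user": "alice",
     "parent_image": r"C:\Windows\explorer.exe",  # parent is not cmd.exe: ignored
     "image": r"C:\Windows\System32\wscript.exe", "command_line": r"wscript.exe C:\Temp\menu.vbs"},
    {"time": "2024-03-02T02:00:00", "dest": "SRV-02", "user": "svc_backup",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cscript.exe", "command_line": r"cscript.exe //nologo C:\Scripts\inv.vbs"},
    {"time": "2024-03-02T02:05:00", "dest": "SRV-02", "user": "svc_backup",
     "parent_image": r"C:\Windows\System32\cmd.exe",  # child is not a script host: ignored
     "image": r"C:\Windows\System32\ping.exe", "command_line": "ping.exe -n 1 127.0.0.1"},
]

def image_name(path):
    # Windows paths are case-insensitive; compare on the lower-cased file name.
    return ntpath.basename(path or "").lower()

def detect(events):
    """Return one summary row per (dest, user, process) for cmd.exe -> script host."""
    groups = defaultdict(list)
    for ev in events:
        proc = image_name(ev.get("image"))
        if proc in SCRIPT_HOSTS and image_name(ev.get("parent_image")) == PARENT_NAME:
            groups[(ev["dest"], ev["user"], proc)].append(ev)
    rows = []
    for (dest, user, proc), evs in sorted(groups.items()):
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        rows.append({"dest": dest, "user": user, "process": proc, "count": len(evs),
                     "first_time": min(times).isoformat(),
                     "last_time": max(times).isoformat(),
                     "command_lines": sorted({e["command_line"] for e in evs})})
    return rows

if __name__ == "__main__":
    for row in detect(EVENTS):
        print(row)
```

Rows with a low count on hosts where administrators do not normally run scripts from a command prompt are the ones to triage first; scheduled maintenance scripts launched through cmd.exe will also match and can be baselined by `dest`, `user` and command line.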