This note documents detection patterns related to Script Host Abuse within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Detects wscript.exe / cscript.exe execution. |
| Sysmon | 1 | Process creation | Critical | Best lineage source for script host execution. |
| Sysmon | 11 | File create | High | Script drops, temporary outputs, payload staging. |
| Sysmon | 3 | Network connection | High | Script-based download or beaconing. |
| Sysmon | 7 | Image loaded | Medium | DLL/script engine context. |
| PowerShell | 4104 | Script block logging | Medium | Useful when scripts launch PowerShell. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Office launches script host | winword.exe -> wscript.exe | Critical | Macro chain signal. |
| Script host launches shell | cmd / powershell child | Critical | Multi-stage execution. |
| Remote script path | UNC / URL / temp script | Critical | Strong malicious clue. |
| Hidden execution | /B, //E:jscript, //nologo | High | Common stealth flags. |
| Script in temp/AppData | User profile staging | High | Common attacker path. |
| Short-lived script host | Fast launch and exit | High | Automation clue. |
Common Tools
| Tool | Usage |
|---|---|
| wscript.exe | GUI script host |
| cscript.exe | Console script host |
| .vbs | VBScript execution |
| .js | JScript execution |
| .wsf | Windows Script File |
| mshta.exe | Adjacent script execution |
Relevant Artifacts
- Security Event ID 4688
- Sysmon Event IDs 1, 3, 7, 11
- Prefetch:
  - WSCRIPT.EXE
  - CSCRIPT.EXE
- Script files:
  - .vbs
  - .js
  - .wsf
- Amcache / ShimCache
- MFT / USN for script location
- EDR process tree
MITRE ATT&CK References
- T1059.005 Visual Basic
- T1059.007 JavaScript
Decision Tree
- Which script host?
  - wscript
  - cscript
- Script location?
  - Temp
  - AppData
  - Network share
- Parent suspicious?
  - Office
  - Browser
  - Shell
- Child process follows?
  - PowerShell
  - cmd
  - LOLBIN
- Expand:
  - Script content
  - Network activity
  - Persistence
- Scope:
  - Single script
  - Multi-stage chain
  - Campaign artifact
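The indirect indicators and the decision tree above can be turned into a small triage routine that walks process-creation records and answers each question (which host, where the script lives, whether the parent is Office/browser/shell, whether a shell or LOLBIN child follows) and scores the result with the table's Critical/High weights. The following is an added example, not code from the original note; the Sysmon Event ID 1 style records are constructed, the LOLBIN child list and the Critical = 3 / High = 2 weighting are assumptions, and the "short-lived script host" indicator is left out because it needs process-terminate events as well.

```python
import re
import shlex
from dataclasses import dataclass, field

# Constructed Sysmon Event ID 1 style records (Image, ParentImage, CommandLine,
# ProcessId, ParentProcessId). Made-up sample events, not real telemetry.
EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 90,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"'},
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"wscript.exe //E:jscript //nologo C:\Users\alice\AppData\Local\Temp\update.js"},
    {"ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\stage2.ps1"},
    {"ProcessId": 400, "ParentProcessId": 50,
     "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"cscript.exe //nologo C:\Scripts\inventory.vbs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parent categories from the decision tree ("Parent suspicious?").
PARENT_CATEGORIES = {
    "office": {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"},
    "browser": {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"},
    "shell": {"cmd.exe", "powershell.exe", "pwsh.exe"},
}
# Children worth flagging ("Child process follows?"); the LOLBIN set is an assumption.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
LOLBIN_CHILDREN = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Stealth flags listed in the indirect-indicator table, matched as whole tokens.
STEALTH_FLAGS = re.compile(r"(?<!\S)(//E:jscript|//nologo|//B|/B)(?!\S)", re.I)
# Forensic-value weights mirroring the table's ratings (assumed numeric values).
CRITICAL, HIGH = 3, 2


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parent_category(parent_image):
    name = basename(parent_image)
    for category, names in PARENT_CATEGORIES.items():
        if name in names:
            return category
    return "none"


def script_path(cmdline):
    # First token naming a .vbs/.js/.wsf file; surrounding quotes are tolerated.
    for tok in shlex.split(cmdline, posix=False):
        tok = tok.strip('"')
        if tok.lower().endswith((".vbs", ".js", ".wsf")):
            return tok
    return None


def location_class(path):
    # "Script location?" branch: remote (UNC/URL), user-profile staging, or other.
    if path is None:
        return "none"
    p = path.lower()
    if p.startswith("\\\\"):
        return "unc"
    if p.startswith(("http://", "https://")):
        return "url"
    if "\\temp\\" in p or "\\tmp\\" in p:
        return "temp"
    if "\\appdata\\" in p:
        return "appdata"
    return "other"


@dataclass
class Finding:
    pid: int
    host: str
    parent: str
    parent_category: str
    location: str
    stealth_flags: list = field(default_factory=list)
    children: list = field(default_factory=list)
    score: int = 0
    verdict: str = "low"


def triage(events):
    children_of = {}
    for e in events:
        children_of.setdefault(e["ParentProcessId"], []).append(e)
    findings = []
    for e in events:
        host = basename(e["Image"])
        if host not in SCRIPT_HOSTS:
            continue
        f = Finding(pid=e["ProcessId"], host=host,
                    parent=basename(e["ParentImage"]),
                    parent_category=parent_category(e["ParentImage"]),
                    location=location_class(script_path(e["CommandLine"])),
                    stealth_flags=[m.group(1) for m in STEALTH_FLAGS.finditer(e["CommandLine"])],
                    children=[basename(c["Image"]) for c in children_of.get(e["ProcessId"], [])
                              if basename(c["Image"]) in SHELL_CHILDREN | LOLBIN_CHILDREN])
        if f.parent_category != "none":
            f.score += CRITICAL          # Office/browser/shell parent: Critical
        if f.location in ("unc", "url"):
            f.score += CRITICAL          # remote script path: Critical
        elif f.location in ("temp", "appdata"):
            f.score += HIGH              # user-profile staging: High
        if f.stealth_flags:
            f.score += HIGH              # hidden-execution flags: High
        if f.children:
            f.score += CRITICAL          # shell/LOLBIN child: Critical
        f.verdict = "investigate" if f.score >= 5 else "review" if f.score >= 2 else "low"
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"pid={f.pid} {f.host} parent={f.parent} ({f.parent_category}) "
              f"location={f.location} flags={f.stealth_flags} children={f.children} "
              f"score={f.score} verdict={f.verdict}")
```

On the constructed input the Word-spawned wscript.exe run scores 10 (Office parent, Temp script, stealth flags, PowerShell child) and lands in "investigate", while the scheduler-style cscript.exe inventory script scores only 2 from its //nologo flag and is merely queued for review; that gap is the point of combining the indicators rather than alerting on any single one.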
Example Detection Templates
KQL

```kql
SecurityEvent
| where EventID == 4688
| where NewProcessName has_any ("wscript.exe","cscript.exe")
| project TimeGenerated, Computer, ParentProcessName, CommandLine
```

```kql
Sysmon
| where EventID == 1
| where Image has_any ("\\wscript.exe","\\cscript.exe")
| project TimeGenerated, Computer, ParentImage, CommandLine
```

EQL

```eql
process where process.name in ("wscript.exe","cscript.exe")
```

```eql
sequence by host.name with maxspan=5m
  [ process where process.name in ("wscript.exe","cscript.exe") ]
  [ process where process.parent.name in ("wscript.exe","cscript.exe") ]
```
Sigma
```yaml
title: Script Host Abuse Detection
id: 4e6a1d25-script-host
status: experimental
description: Detects suspicious Windows Script Host execution
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    NewProcessName|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
  condition: selection
fields:
  - ParentProcessName
  - CommandLine
falsepositives:
  - Administrative scripts
level: high
tags:
  - attack.execution
  - attack.t1059.005
  - attack.t1059.007
```
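To make the rule's matching semantics concrete (fields inside a selection are ANDed, a list of values is ORed, string comparison is case-insensitive, and a `condition: selection and not filter` exclusion is how the "Administrative scripts" false positive would normally be handled), here is a minimal evaluator for that subset of Sigma run over constructed Security 4688 records. This is an added example, not part of the original note and not a Sigma library; the records, the `corp-fs01` admin share and the filter itself are assumptions, and `contains` is implemented as a plain substring test without modelling Sigma's backslash-escaping rules.

```python
# Constructed Security Event ID 4688 records using the field names the rule
# references (NewProcessName, ParentProcessName, CommandLine). Not real log data.
EVENTS_4688 = [
    {"EventID": 4688, "Computer": "WS01",
     "NewProcessName": r"C:\Windows\System32\wscript.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"wscript.exe //nologo C:\Users\alice\AppData\Local\Temp\update.js"},
    {"EventID": 4688, "Computer": "WS02",
     "NewProcessName": r"C:\Windows\System32\cscript.exe",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"cscript.exe //nologo \\corp-fs01\adminscripts\inventory.vbs"},
    {"EventID": 4688, "Computer": "WS01",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 4624, "Computer": "WS01", "LogonType": 2},
]

# The rule's selection, as a Python dict: "field|modifier" keys, list values are OR.
SELECTION = {
    "EventID": 4688,
    "NewProcessName|endswith": ["\\wscript.exe", "\\cscript.exe"],
}
# Hypothetical filter for the "Administrative scripts" false positive: scheduler-
# launched (svchost.exe parent) scripts read from an assumed central admin share.
FILTER = {
    "ParentProcessName|endswith": "\\svchost.exe",
    "CommandLine|contains": r"\\corp-fs01\adminscripts",
}


def _value_matches(modifier, wanted, actual):
    # Sigma string comparisons are case-insensitive; a missing field never matches.
    if actual is None:
        return False
    a, w = str(actual).lower(), str(wanted).lower()
    if modifier == "":
        return a == w
    if modifier == "endswith":
        return a.endswith(w)
    if modifier == "startswith":
        return a.startswith(w)
    if modifier == "contains":
        return w in a
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection, event):
    # Every field in the selection must match (AND); any value in a list suffices (OR).
    for spec, wanted in selection.items():
        name, _, modifier = spec.partition("|")
        values = wanted if isinstance(wanted, list) else [wanted]
        if not any(_value_matches(modifier, v, event.get(name)) for v in values):
            return False
    return True


def evaluate(events, use_filter=False):
    # use_filter=False is "condition: selection"; True is "selection and not filter".
    hits = []
    for ev in events:
        if not selection_matches(SELECTION, ev):
            continue
        if use_filter and selection_matches(FILTER, ev):
            continue
        hits.append((ev["Computer"], ev["NewProcessName"], ev["ParentProcessName"]))
    return hits


if __name__ == "__main__":
    print("selection only:", evaluate(EVENTS_4688))
    print("with admin filter:", evaluate(EVENTS_4688, use_filter=True))
```

Without the filter both script-host launches fire; with it, only the Word-spawned wscript.exe from the user's Temp folder remains. Keep any such filter as narrow as the page's mitigation table implies: exclude by parent and script location together, not by script host alone.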
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Script host monitoring | Alert on suspicious parents | Critical | High-value signal |
| Script file control | Restrict script execution | High | Reduce abuse |
| Command-line retention | Preserve arguments | Critical | Essential context |
| Temp path monitoring | Watch user profile scripts | High | Common attacker path |
| EDR lineage | Track script child chains | Critical | Best visibility |