WScript or CScript Dropper - File
Detects a file ending in jse, vbe, js, vba, vbs, wsf, wsh written by cscript.exe or wscript.exe
Sigma rule
```yaml
title: WScript or CScript Dropper - File
id: 002bdb95-0cf1-46a6-9e08-d38c128a6127
related:
    - id: cea72823-df4d-4567-950c-0b579eaf0846
      type: derived
status: test
description: Detects a file ending in jse, vbe, js, vba, vbs, wsf, wsh written by cscript.exe or wscript.exe
references:
    - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
author: Tim Shelton
date: 2022-01-10
modified: 2026-02-17
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        TargetFilename|contains:
            - ':\Perflogs\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\Temp'
            - '\Start Menu\Programs\Startup\'
            - '\Temporary Internet'
        TargetFilename|endswith:
            - '.js'
            - '.jse'
            - '.vba'
            - '.vbe'
            - '.vbs'
            - '.wsf'
            - '.wsh'
    condition: selection
falsepositives:
    - Unknown
level: high
```
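To check how the selection behaves before deploying it, the following added example (not part of the rule or the Sigma project) evaluates the same three conditions over constructed file events. The field names `Image` and `TargetFilename` come from the rule; the function names and sample events are assumptions made for illustration.

```python
# Added example: the rule's selection evaluated over constructed file events.
# Sigma string modifiers are case-insensitive, so values are stored lowercased.
IMAGE_SUFFIXES = ("\\wscript.exe", "\\cscript.exe")
PATH_FRAGMENTS = (
    ":\\perflogs\\", ":\\programdata\\", ":\\temp\\", ":\\tmp\\", ":\\users\\",
    ":\\windows\\temp\\", "\\appdata\\local\\temp", "\\appdata\\roaming\\temp",
    "\\start menu\\programs\\startup\\", "\\temporary internet",
)
SCRIPT_SUFFIXES = (".js", ".jse", ".vba", ".vbe", ".vbs", ".wsf", ".wsh")


def matches_rule(event: dict) -> bool:
    """Fields in one selection are ANDed; list values under a field are ORed."""
    image = str(event.get("Image", "")).lower()
    target = str(event.get("TargetFilename", "")).lower()
    return (
        image.endswith(IMAGE_SUFFIXES)
        and any(fragment in target for fragment in PATH_FRAGMENTS)
        and target.endswith(SCRIPT_SUFFIXES)
    )


def triggered(events: list) -> list:
    """Return the TargetFilename of every event that would raise the alert."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.vbs"},
    {"Image": "C:\\WINDOWS\\System32\\CSCRIPT.EXE",   # case differs from the rule
     "TargetFilename": "C:\\ProgramData\\update.JS"},
    {"Image": "C:\\Windows\\System32\\wscript.exe",   # not a script extension
     "TargetFilename": "C:\\Users\\alice\\Documents\\report.txt"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\x.js"},
    {"Image": "C:\\Windows\\System32\\cscript.exe",   # path outside the listed folders
     "TargetFilename": "D:\\Scripts\\build\\deploy.vbs"},
    {"Image": "C:\\Windows\\System32\\wscript.exe",   # '.json' does not end with '.js'
     "TargetFilename": "C:\\Users\\bob\\notes.json"},
]

if __name__ == "__main__":
    for path in triggered(SAMPLE_EVENTS):
        print("ALERT:", path)
```

Because `:\Users\` matches any path under a user profile, the path condition is broad and the script-extension and image conditions do most of the filtering.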
Related rules
- Potential Dropper Script Execution Via WScript/CScript/MSHTA
- AppLocker Prevented Application or Script from Running
- HackTool - Koadic Execution
- Adwind RAT / JRAT
- Adwind RAT / JRAT File Artifact