Potential Dropper Script Execution Via WScript/CScript/MSHTA
Detects wscript/cscript/mshta executions of scripts located in user directories
Sigma rule
```yaml
title: Potential Dropper Script Execution Via WScript/CScript/MSHTA
id: cea72823-df4d-4567-950c-0b579eaf0846
related:
    - id: 1e33157c-53b1-41ad-bbcc-780b80b58288
      type: similar
status: test
description: Detects wscript/cscript/mshta executions of scripts located in user directories
references:
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
    - https://redcanary.com/blog/gootloader/
    - https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems), Dave Johnson
date: 2019-01-16
modified: 2026-02-17
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_exec:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
    selection_paths:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\Temp\'
            - '\Start Menu\Programs\Startup\'
            - '\Temporary Internet'
            - '\Windows\Temp'
            - '%LocalAppData%\Temp\'
            - '%TEMP%'
            - '%TMP%'
    selection_ext:
        CommandLine|contains:
            - '.hta'
            - '.js'
            - '.jse'
            - '.vba'
            - '.vbe'
            - '.vbs'
            - '.wsf'
            - '.wsh'
    condition: all of selection_*
falsepositives:
    - Some installers might generate a similar behavior. An initial baseline is required
level: medium
```
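To show how the three selections combine under `all of selection_*`, here is an added example (not code from the Sigma project) that evaluates the rule's logic over constructed process_creation events; the event field names and sample values are assumptions, and Sigma's `endswith`/`contains` modifiers are treated as case-insensitive, as the Sigma specification defines them.

```python
"""Minimal evaluator for the detection block above (added example, not
Sigma's own engine). Sigma string modifiers are case-insensitive, so
both the event fields and the rule values are compared in lower case."""

IMAGE_SUFFIXES = ("\\wscript.exe", "\\cscript.exe", "\\mshta.exe")

PATH_SUBSTRINGS = (
    ":\\perflogs\\", ":\\temp\\", ":\\tmp\\", ":\\users\\public\\",
    ":\\windows\\temp\\", "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\temp\\", "\\start menu\\programs\\startup\\",
    "\\temporary internet", "\\windows\\temp",
    "%localappdata%\\temp\\", "%temp%", "%tmp%",
)

EXT_SUBSTRINGS = (".hta", ".js", ".jse", ".vba", ".vbe", ".vbs", ".wsf", ".wsh")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies all three selections."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    selection_exec = image.endswith(IMAGE_SUFFIXES)
    selection_paths = any(p in cmd for p in PATH_SUBSTRINGS)
    selection_ext = any(e in cmd for e in EXT_SUBSTRINGS)
    return selection_exec and selection_paths and selection_ext


# Constructed sample events (assumed field names; not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\Public\invoice.js"'},
    {"Image": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": r"mshta.exe %TEMP%\update.hta"},
    # Script host, but the script lives outside the listed paths.
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript.exe "C:\Program Files\Vendor\setup.vbs"'},
    # Listed path and extension, but not one of the three script hosts.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'notepad.exe "C:\Users\Public\notes.js"'},
]


def alerting_events(events):
    """Return only the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", e["CommandLine"])
```

Because `selection_ext` is a plain substring match, `.js` also matches paths such as `report.json`, which is one reason the rule asks for an initial baseline.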
Related rules
- WScript or CScript Dropper - File
- AppLocker Prevented Application or Script from Running
- HackTool - Koadic Execution
- Adwind RAT / JRAT
- Adwind RAT / JRAT File Artifact