```yaml
title: Suspicious Cscript.exe Download Pattern
id: 8f4b3a2c-1e5d-4b7a-9c2e-6f8a1b3d5e7f
status: experimental
description: Detects cscript.exe executing a script that makes a network request to download a file, often used in malware staging or LOLBins.
references:
  - https://lolbas-project.github.io/lolbas/Binaries/Cscript/
  - https://redcanary.com/blog/threat-detection/cscript-exe-download/
author: Your Name
date: 2024-01-01
tags:
  - attack.t1059.005
  - attack.command_and_control
  - attack.t1105
logsource:
  category: process_creation
  product: windows
  service: # optional, e.g., Sysmon Event ID 1 or Windows Security 4688
detection:
  selection:
    Image|endswith: '\cscript.exe'
    CommandLine|contains:
      - '.DownloadFile('            # DownloadFile method
      - 'MSXML2.ServerXMLHTTP'      # XMLHTTP object
      - 'WinHttp.WinHttpRequest'
      - '.SaveToFile('
      - '.open("GET",'              # HTTP GET request
      - 'http://'
      - 'https://'
  condition: selection
falsepositives:
  - Legitimate admin scripts that download updates or configuration files.
  - Software deployment tools using cscript for HTTP fetches.
level: medium
```

```yaml
title: Cscript.exe Outbound Network Connection
id: 7d2a1f9c-3e8b-4a2d-9c1e-5f7b8a2c3d4e
status: experimental
description: Detects cscript.exe making an outbound HTTP/HTTPS connection, indicative of script-based download activity.
logsource:
  category: network_connection
  product: windows
  service: null
detection:
  selection:
    Image|endswith: '\cscript.exe'
    DestinationPort:
      - 80
      - 443
  condition: selection
level: medium
```

Example Malicious Command (for testing)

cscript.exe /nologo downloader.js

With downloader.js containing:
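To check what the two selections above actually fire on, here is an added example (not part of the page or of any Sigma backend) that evaluates both selections over constructed Sysmon-style events with the endswith/contains/equals semantics the rules rely on. The sample events, image paths and the `updates.example.test` hostname are constructed; the page's own `cscript.exe /nologo downloader.js` command is included to show that the process_creation rule does not match it, since none of the listed strings appear on that command line, so the network_connection rule is what covers that case.

```python
# Added example: minimal evaluator for the two Sigma selections on this page.
# List values are OR'ed, fields within a selection are AND'ed, matching is
# case-insensitive, as in Sigma. Only the modifiers these rules use are supported.
CSCRIPT = "\\cscript.exe"
RULES = {
    "Suspicious Cscript.exe Download Pattern": (1, {   # Sysmon Event ID 1
        "Image|endswith": [CSCRIPT],
        "CommandLine|contains": [".DownloadFile(", "MSXML2.ServerXMLHTTP",
                                 "WinHttp.WinHttpRequest", ".SaveToFile(",
                                 '.open("GET",', "http://", "https://"],
    }),
    "Cscript.exe Outbound Network Connection": (3, {   # Sysmon Event ID 3
        "Image|endswith": [CSCRIPT],
        "DestinationPort": [80, 443],
    }),
}

def field_matches(event, key, values):
    """Evaluate one 'Field|modifier: [values]' line of a selection against an event."""
    field, _, mod = key.partition("|")
    actual = event.get(field)
    a = str(actual).lower()
    return actual is not None and any(
        (mod == "endswith" and a.endswith(str(v).lower()))
        or (mod == "contains" and str(v).lower() in a)
        or (mod == "" and actual == v)          # plain equality, e.g. DestinationPort
        for v in values)

def matching_rules(event):
    """Return the titles of the rules whose selection matches this event."""
    return [title for title, (event_id, sel) in RULES.items()
            if event.get("EventID") == event_id
            and all(field_matches(event, k, v) for k, v in sel.items())]

# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": "cscript.exe //nologo fetch.vbs https://updates.example.test/cfg.xml"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": "cscript.exe /nologo downloader.js"},   # the page's test command
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "CommandLine": "wscript.exe a.vbs"},
    {"EventID": 3, "Image": r"C:\Windows\System32\cscript.exe", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\cscript.exe", "DestinationPort": 445},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(matching_rules(e), e.get("CommandLine", e.get("DestinationPort")))
```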