Wscript is often seen as the process being spawned to call malicious script files, regardless if the attack is targeted in nature or opportunistic e-crime. Cmd.exe is often the parent process, legitimate or otherwise, but the core malicious process may be Powershell or a custom RAT. Oftentimes in targeted or more human-driven, sophisticated attacks the malicious scripts will be VBScript (.vbs) files. Heuristically tracking malicious wscript processes can be quite difficult given the unpredictable nature in which they are called. Across many different IT environments, wscript parent and sometimes grandparent processes are generally not consistent. Child processes of wscript tend not to be consistent as well. As such, the likely most efficient use of wscript anomalies is as one factor in a correlation rule. In a phishing scenario utilizing malicious macros in a Microsoft Office document as the lure, one might find cscript or wscript being spawned to launch the malicious activity via scripts.