Author: Microsoft
Source: Wild
Threat: LOLBin
Wscript is a component of Windows Script Host (WSH), which provides an environment in which scripts can run either in GUI mode (wscript.exe) or command-line (cscript.exe). Wscript typically runs Windows script files (.wsf, .vbs, .js extensions).
EchoTrail Prevalence Score (EPS)
Rank Analysis
Host Prevalence
Execution Rank
Behavioral Analysis
Top Filenames
Top Paths
99.95 %
Top Network Ports
47.22 %
Ancestry Analysis
Top GrandParents
Top Parents
Top Children
Security Analysis
Wscript is often seen as the process being spawned to call malicious script files, regardless if the attack is targeted in nature or opportunistic e-crime. Cmd.exe is often the parent process, legitimate or otherwise, but the core malicious process may be Powershell or a custom RAT. Oftentimes in targeted or more human-driven, sophisticated attacks the malicious scripts will be VBScript (.vbs) files. Heuristically tracking malicious wscript processes can be quite difficult given the unpredictable nature in which they are called. Across many different IT environments, wscript parent and sometimes grandparent processes are generally not consistent. Child processes of wscript tend not to be consistent as well. As such, the likely most efficient use of wscript anomalies is as one factor in a correlation rule. In a phishing scenario utilizing malicious macros in a Microsoft Office document as the lure, one might find cscript or wscript being spawned to launch the malicious activity via scripts.