EchoTrail

cscript.exe

Author: Microsoft

Source: Wild

Threat: LOLBin

Summary

Cscript starts a script so that it runs in a command-line environment. Cscript is a component of Windows Script Host (WSH), which provides an environment in which scripts can run either in GUI mode (wscript.exe) or command-line (cscript.exe).

EchoTrail Prevalence Score (EPS)

73.24

Rank Analysis

Host Prevalence

61.8%

Execution Rank

26th

Behavioral Analysis

Top Hashes

948dfec96312c70ac2a634bec1d13fc607388daa51d63dbb69db813ad1548719

41.15 %

Top Paths

C:\Windows\System32

99.87 %

Top Network Ports

97.42 %

Ancestry Analysis

Top GrandParents

Top Parents

Top Children

Security Analysis

Intel

Since cscript is a native Windows utility for running script files, it inevitably is pulled into attack scenarios when a malicious script needs to execute. In a phishing scenario utilizing malicious macros in a Microsoft Office document as the lure, one might find cscript or wscript being spawned to launch the malicious activity via scripts. In certain IT environments, profiling parents or grandparents of cscript could reveal a predictable baseline of legitimate cscript usage, thereby allowing one to more successfully look for ancestral anomalies.