Since cscript is a native Windows utility for running script files, it inevitably is pulled into attack scenarios when a malicious script needs to execute. In a phishing scenario utilizing malicious macros in a Microsoft Office document as the lure, one might find cscript or wscript being spawned to launch the malicious activity via scripts. In certain IT environments, profiling parents or grandparents of cscript could reveal a predictable baseline of legitimate cscript usage, thereby allowing one to more successfully look for ancestral anomalies.