T1064

Scripting

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. This deprecated technique (now superseded by T1059 Command and Scripting Interpreter) covered adversary use of scripting languages including VBScript, JavaScript, Windows Script Host, batch scripts, and macro-enabled Office documents. Scripts can be used to speed up operations, bypass process monitoring by interacting with the OS at an API level, and enable execution via spearphishing attachments containing malicious macros. Common attack patterns include VBScript/JScript execution via wscript.exe or cscript.exe, malicious Office macros spawning child processes, and batch scripts performing reconnaissance or lateral movement.

Microsoft Sentinel / Defender

kusto

let SuspiciousScriptPatterns = dynamic([
  "invoke-expression", "iex(", "downloadstring", "downloadfile",
  "net.webclient", "invoke-webrequest", "start-bitstransfer",
  "cmd /c", "cmd/c", "/c powershell", "wscript.shell",
  "createobject", "shell.application", "shellexecute",
  "certutil", "bitsadmin", "regsvr32", "mshta",
  "http://", "https://", "ftp://"
]);
let OfficeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "access.exe", "visio.exe"]);
let ScriptInterpreters = dynamic(["wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe"]);
// Branch 1: Office applications spawning script interpreters (macro execution)
let OfficeMacroExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (OfficeApps)
| where FileName has_any (ScriptInterpreters)
| extend DetectionType = "OfficeMacroSpawn"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Branch 2: Script interpreters with suspicious arguments
let SuspiciousScriptExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("wscript.exe", "cscript.exe")
| where ProcessCommandLine has_any (SuspiciousScriptPatterns)
    or ProcessCommandLine matches regex @"(?i)\.(vbs|vbe|js|jse|wsf|wsh|hta)\b"
| extend DetectionType = "SuspiciousScriptInterpreter"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Branch 3: MSHTA executing remote content or VBScript inline
let MshtaAbuse = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "mshta.exe"
| where ProcessCommandLine has_any ("vbscript:", "javascript:", "http://", "https://", "//", "\\\\")
| extend DetectionType = "MshtaRemoteExecution"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Branch 4: Cmd.exe spawned by Office apps or running obfuscated batch commands
let CmdBatchAbuse = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "cmd.exe"
| where InitiatingProcessFileName has_any (OfficeApps)
    or (ProcessCommandLine has_any ("^^", "&&", "||")
        and ProcessCommandLine has_any ("http", "certutil", "bitsadmin", "powershell", "wscript", "cscript"))
| extend DetectionType = "SuspiciousBatchCmd"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
union OfficeMacroExecution, SuspiciousScriptExec, MshtaAbuse, CmdBatchAbuse
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate software installers that use VBScript (wscript.exe) for install/uninstall automation, particularly older enterprise applications
IT administration scripts run via Group Policy or SCCM that use cscript.exe or wscript.exe for inventory or configuration tasks
Office add-ins and COM automation tools that legitimately spawn child processes from Word or Excel (e.g., mail-merge workflows, report generators)
Help desk and remote support tools (ConnectWise, TeamViewer) that may spawn cmd.exe or scripts from unusual parent processes
Security scanners and vulnerability assessment tools that invoke mshta.exe or script interpreters during active scanning

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval FileName=lower(mvindex(split(Image, "\\"), -1))
| eval ParentFileName=lower(mvindex(split(ParentImage, "\\"), -1))
| eval CommandLineLower=lower(CommandLine)
| eval ParentCommandLineLower=lower(ParentCommandLine)
`comment("--- Detection Branch 1: Office spawning script interpreters (macro execution) ---")`
| eval OfficeMacroSpawn=if(
    (ParentFileName IN ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "access.exe"))
    AND (FileName IN ("wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "regsvr32.exe", "rundll32.exe")),
    1, 0)
`comment("--- Detection Branch 2: Suspicious wscript/cscript arguments ---")`
| eval SuspiciousScriptInterp=if(
    (FileName IN ("wscript.exe", "cscript.exe"))
    AND (match(CommandLineLower, "(invoke-expression|iex\(|downloadstring|downloadfile|net\.webclient|createobject|shell\.application|shellexecute|wscript\.shell|http:\/\/|https:\/\/|certutil|bitsadmin)")
         OR match(CommandLine, "(?i)\.(vbs|vbe|js|jse|wsf|wsh|hta)")),
    1, 0)
`comment("--- Detection Branch 3: MSHTA running remote or inline scripts ---")`
| eval MshtaAbuse=if(
    FileName="mshta.exe"
    AND match(CommandLineLower, "(vbscript:|javascript:|http:\/\/|https:\/\/|\/\/|\\\\\\\\)"),
    1, 0)
`comment("--- Detection Branch 4: Cmd.exe with obfuscation spawned from Office or running LOLBin chains ---")`
| eval CmdBatchAbuse=if(
    FileName="cmd.exe"
    AND (
        (ParentFileName IN ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe"))
        OR (match(CommandLineLower, "(\^\^|&&|\|\|)") AND match(CommandLineLower, "(http|certutil|bitsadmin|powershell|wscript|cscript)"))
    ),
    1, 0)
| eval TotalScore=OfficeMacroSpawn + SuspiciousScriptInterp + MshtaAbuse + CmdBatchAbuse
| where TotalScore > 0
| eval DetectionTypes=mvappend(
    if(OfficeMacroSpawn=1, "OfficeMacroSpawn", null()),
    if(SuspiciousScriptInterp=1, "SuspiciousScriptInterp", null()),
    if(MshtaAbuse=1, "MshtaAbuse", null()),
    if(CmdBatchAbuse=1, "CmdBatchAbuse", null()))
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        OfficeMacroSpawn, SuspiciousScriptInterp, MshtaAbuse, CmdBatchAbuse, TotalScore, DetectionTypes
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate software installers that use VBScript (wscript.exe) for install/uninstall automation, particularly older enterprise applications
IT administration scripts run via Group Policy or SCCM that use cscript.exe or wscript.exe for inventory or configuration tasks
Office add-ins and COM automation tools that legitimately spawn child processes from Word or Excel (e.g., mail-merge workflows, report generators)
Help desk and remote support tools (ConnectWise, TeamViewer) that may spawn cmd.exe or scripts from unusual parent processes
Security scanners and vulnerability assessment tools that invoke mshta.exe or script interpreters during active scanning

Elastic Security (EQL)

eql

process where event.type == "start" and (
  (
    /* Branch 1: Office macro spawning script interpreters */
    process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "access.exe", "visio.exe") and
    process.name : ("wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "regsvr32.exe", "rundll32.exe")
  ) or
  (
    /* Branch 2: wscript/cscript with suspicious arguments */
    process.name : ("wscript.exe", "cscript.exe") and
    process.command_line regex~ "(invoke-expression|iex\\(|downloadstring|downloadfile|net\\.webclient|createobject|shell\\.application|shellexecute|wscript\\.shell|http:\\/\\/|https:\\/\\/|certutil|bitsadmin|\\.(vbs|vbe|js|jse|wsf|wsh|hta)\\b)"
  ) or
  (
    /* Branch 3: MSHTA loading remote or inline scripts */
    process.name : "mshta.exe" and
    process.command_line regex~ "(vbscript:|javascript:|http:\\/\\/|https:\\/\\/|\\/\\/|\\\\\\\\)"
  ) or
  (
    /* Branch 4: Cmd.exe obfuscated or Office-spawned */
    process.name : "cmd.exe" and
    (
      process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "access.exe") or
      (
        process.command_line regex~ "(\\^\\^|&&|\\|\\|)" and
        process.command_line regex~ "(?i)(certutil|bitsadmin|powershell|wscript|cscript|http)"
      )
    )
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security (elastic-endpoint) Winlogbeat with Sysmon module Elastic Agent (Windows Integration)

Required Tables

logs-endpoint.events.process-* winlogbeat-* logs-windows.sysmon_operational-*

False Positives

Legitimate Office add-ins or macros used by finance or operations teams that invoke wscript.exe or cscript.exe for automated document processing, mail-merge, or report generation workflows
Enterprise software deployment tooling such as SCCM, PDQ Deploy, or Ansible that use cmd.exe with certutil for artifact hash verification during managed software installations
Internal .hta-based enterprise portals loaded via mshta.exe that reference local intranet addresses using http:// or vbscript: protocol handlers on legacy infrastructure

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS HostIP,
  username AS UserName,
  "ProcessName",
  "CommandLine",
  "ParentProcessName",
  "ParentCommandLine",
  CASE
    WHEN LOWER("ParentProcessName") IN ('winword.exe','excel.exe','powerpnt.exe','outlook.exe','onenote.exe','access.exe','visio.exe')
         AND LOWER("ProcessName") IN ('wscript.exe','cscript.exe','mshta.exe','cmd.exe','powershell.exe','pwsh.exe','regsvr32.exe','rundll32.exe')
      THEN 'OfficeMacroSpawn'
    WHEN LOWER("ProcessName") IN ('wscript.exe','cscript.exe')
         AND (LOWER("CommandLine") LIKE '%invoke-expression%' OR LOWER("CommandLine") LIKE '%iex(%'
              OR LOWER("CommandLine") LIKE '%downloadstring%' OR LOWER("CommandLine") LIKE '%downloadfile%'
              OR LOWER("CommandLine") LIKE '%net.webclient%' OR LOWER("CommandLine") LIKE '%createobject%'
              OR LOWER("CommandLine") LIKE '%shell.application%' OR LOWER("CommandLine") LIKE '%shellexecute%'
              OR LOWER("CommandLine") LIKE '%wscript.shell%' OR LOWER("CommandLine") LIKE '%http://%'
              OR LOWER("CommandLine") LIKE '%https://%' OR LOWER("CommandLine") LIKE '%certutil%'
              OR LOWER("CommandLine") LIKE '%bitsadmin%' OR LOWER("CommandLine") LIKE '%.vbs%'
              OR LOWER("CommandLine") LIKE '%.js%' OR LOWER("CommandLine") LIKE '%.hta%')
      THEN 'SuspiciousScriptInterp'
    WHEN LOWER("ProcessName") = 'mshta.exe'
         AND (LOWER("CommandLine") LIKE '%vbscript:%' OR LOWER("CommandLine") LIKE '%javascript:%'
              OR LOWER("CommandLine") LIKE '%http://%' OR LOWER("CommandLine") LIKE '%https://%'
              OR LOWER("CommandLine") LIKE '%//%' OR LOWER("CommandLine") LIKE '%\\\\%')
      THEN 'MshtaAbuse'
    WHEN LOWER("ProcessName") = 'cmd.exe'
         AND (LOWER("ParentProcessName") IN ('winword.exe','excel.exe','powerpnt.exe','outlook.exe','onenote.exe','access.exe')
              OR ((LOWER("CommandLine") LIKE '%^^%' OR LOWER("CommandLine") LIKE '%&&%' OR LOWER("CommandLine") LIKE '%||%')
                  AND (LOWER("CommandLine") LIKE '%certutil%' OR LOWER("CommandLine") LIKE '%bitsadmin%'
                       OR LOWER("CommandLine") LIKE '%powershell%' OR LOWER("CommandLine") LIKE '%wscript%'
                       OR LOWER("CommandLine") LIKE '%cscript%' OR LOWER("CommandLine") LIKE '%http%')))
      THEN 'CmdBatchAbuse'
    ELSE 'Unknown'
  END AS DetectionType
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Windows Security Event Log (Sysmon)')
  AND QIDNAME(qid) LIKE '%Process Create%'
  AND (
    (
      LOWER("ParentProcessName") IN ('winword.exe','excel.exe','powerpnt.exe','outlook.exe','onenote.exe','access.exe','visio.exe')
      AND LOWER("ProcessName") IN ('wscript.exe','cscript.exe','mshta.exe','cmd.exe','powershell.exe','pwsh.exe','regsvr32.exe','rundll32.exe')
    ) OR (
      LOWER("ProcessName") IN ('wscript.exe','cscript.exe')
      AND (LOWER("CommandLine") LIKE '%invoke-expression%' OR LOWER("CommandLine") LIKE '%iex(%'
           OR LOWER("CommandLine") LIKE '%downloadstring%' OR LOWER("CommandLine") LIKE '%net.webclient%'
           OR LOWER("CommandLine") LIKE '%createobject%' OR LOWER("CommandLine") LIKE '%http://%'
           OR LOWER("CommandLine") LIKE '%https://%' OR LOWER("CommandLine") LIKE '%certutil%'
           OR LOWER("CommandLine") LIKE '%.vbs%' OR LOWER("CommandLine") LIKE '%.hta%')
    ) OR (
      LOWER("ProcessName") = 'mshta.exe'
      AND (LOWER("CommandLine") LIKE '%vbscript:%' OR LOWER("CommandLine") LIKE '%javascript:%'
           OR LOWER("CommandLine") LIKE '%http://%' OR LOWER("CommandLine") LIKE '%https://%')
    ) OR (
      LOWER("ProcessName") = 'cmd.exe'
      AND (LOWER("ParentProcessName") IN ('winword.exe','excel.exe','powerpnt.exe','outlook.exe','onenote.exe','access.exe')
           OR ((LOWER("CommandLine") LIKE '%^^%' OR LOWER("CommandLine") LIKE '%&&%' OR LOWER("CommandLine") LIKE '%||%')
               AND (LOWER("CommandLine") LIKE '%certutil%' OR LOWER("CommandLine") LIKE '%bitsadmin%'
                    OR LOWER("CommandLine") LIKE '%powershell%' OR LOWER("CommandLine") LIKE '%wscript%'
                    OR LOWER("CommandLine") LIKE '%cscript%')))
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC

high severity high confidence

Data Sources

Microsoft Windows Security Event Log (via QRadar WinCollect or Universal DSM) Sysmon logs via Universal DSM with custom property extraction

Required Tables

events

False Positives

Legitimate Office automation macros used in finance or legal departments that call wscript.exe or cscript.exe to run VBScript-based reporting, data extraction, or workflow integration scripts
MSHTA-based internal enterprise portals that use vbscript: or javascript: protocol handlers for legacy HTML application functionality on corporate intranets
Obfuscated batch scripts used by CI/CD pipelines or build agents that chain certutil with HTTPS endpoints for artifact download and hash verification

Sumo Logic CSE

sql

(_sourceCategory=windows/sysmon OR _sourceCategory=windows/security OR _sourceCategory=WinEventLog)
| where EventCode = 1 OR EventID = 1
| parse regex field=Message "(?:Image|NewProcessName):\\s*(?<ProcessImage>[^\\r\\n]+)" nodrop
| parse regex field=Message "(?:ParentImage|ParentProcessName):\\s*(?<ParentImage>[^\\r\\n]+)" nodrop
| parse regex field=Message "(?:CommandLine|ProcessCommandLine):\\s*(?<CommandLine>[^\\r\\n]+)" nodrop
| parse regex field=Message "ParentCommandLine:\\s*(?<ParentCommandLine>[^\\r\\n]+)" nodrop
| parse regex field=Message "(?:User|SubjectUserName|AccountName):\\s*(?<UserName>[^\\r\\n]+)" nodrop
| eval ProcessName = toLowerCase(replace(ProcessImage, /^.*\\\\/, ""))
| eval ParentProcessName = toLowerCase(replace(ParentImage, /^.*\\\\/, ""))
| eval CommandLineLower = toLowerCase(CommandLine)
// Branch 1: Office macro spawning script interpreters
| eval OfficeMacroSpawn = if(
    (ParentProcessName in ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","onenote.exe","access.exe","visio.exe"))
    AND (ProcessName in ("wscript.exe","cscript.exe","mshta.exe","cmd.exe","powershell.exe","pwsh.exe","regsvr32.exe","rundll32.exe")),
    1, 0)
// Branch 2: Suspicious wscript/cscript arguments
| eval SuspiciousScriptInterp = if(
    (ProcessName in ("wscript.exe","cscript.exe"))
    AND (
      CommandLineLower matches ".*?(invoke-expression|iex\\(|downloadstring|downloadfile|net\\.webclient|createobject|shell\\.application|shellexecute|wscript\\.shell|http:\\/\\/|https:\\/\\/|certutil|bitsadmin).*"
      OR CommandLine matches "(?i).*\\.(vbs|vbe|js|jse|wsf|wsh|hta)\\b.*"
    ),
    1, 0)
// Branch 3: MSHTA abuse
| eval MshtaAbuse = if(
    ProcessName = "mshta.exe"
    AND CommandLineLower matches ".*?(vbscript:|javascript:|http:\\/\\/|https:\\/\\/|\\/\\/|\\\\\\\\).*",
    1, 0)
// Branch 4: Cmd.exe obfuscated or Office-spawned
| eval CmdBatchAbuse = if(
    ProcessName = "cmd.exe"
    AND (
      ParentProcessName in ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","onenote.exe","access.exe")
      OR (
        CommandLineLower matches ".*?(\\^\\^|&&|\\|\\|).*"
        AND CommandLineLower matches ".*?(certutil|bitsadmin|powershell|wscript|cscript|http).*"
      )
    ),
    1, 0)
| eval TotalScore = OfficeMacroSpawn + SuspiciousScriptInterp + MshtaAbuse + CmdBatchAbuse
| where TotalScore > 0
| eval DetectionType = concat(
    if(OfficeMacroSpawn=1, "OfficeMacroSpawn ", ""),
    if(SuspiciousScriptInterp=1, "SuspiciousScriptInterp ", ""),
    if(MshtaAbuse=1, "MshtaAbuse ", ""),
    if(CmdBatchAbuse=1, "CmdBatchAbuse", "")
  )
| fields _time, _sourceHost, UserName, ProcessImage, CommandLine, ParentImage, ParentCommandLine, OfficeMacroSpawn, SuspiciousScriptInterp, MshtaAbuse, CmdBatchAbuse, TotalScore, DetectionType
| sort by _time desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector (Windows with Sysmon) Sumo Logic Cloud SIEM (normalized Windows process events)

Required Tables

windows/sysmon windows/security WinEventLog

False Positives

Office-integrated automation tools such as Bloomberg Terminal add-ins, SAP GUI scripting, or custom VBA macros that legitimately invoke cscript.exe or wscript.exe for data export or workflow automation
Enterprise IT management scripts distributed via Group Policy or SCCM that use cmd.exe with certutil to verify file checksums during controlled software deployments
Legacy web-based enterprise applications wrapped as .hta files loaded by mshta.exe that reference corporate intranet URLs or use javascript: protocol handlers for navigation

Google Chronicle / SecOps

yaral

rule t1064_scripting_detection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1064 scripting abuse: Office macro child process spawns, suspicious wscript/cscript arguments, MSHTA remote execution, and obfuscated cmd.exe batch chains"
    severity = "HIGH"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1064"
    reference = "https://attack.mitre.org/techniques/T1064/"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        // Branch 1: Office application spawning script interpreters (macro execution)
        re.regex($e.principal.process.file.full_path, `(?i)(winword|excel|powerpnt|outlook|onenote|access|visio)\.exe$`) and
        re.regex($e.target.process.file.full_path, `(?i)(wscript|cscript|mshta|cmd|powershell|pwsh|regsvr32|rundll32)\.exe$`)
      ) or
      (
        // Branch 2: wscript/cscript with suspicious download or COM object arguments
        re.regex($e.target.process.file.full_path, `(?i)(wscript|cscript)\.exe$`) and
        (
          re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\(|downloadstring|downloadfile|net\.webclient|createobject|shell\.application|shellexecute|wscript\.shell|http:\/\/|https:\/\/|certutil|bitsadmin)`) or
          re.regex($e.target.process.command_line, `(?i)\.(vbs|vbe|js|jse|wsf|wsh|hta)\b`)
        )
      ) or
      (
        // Branch 3: MSHTA loading remote or inline scripts
        re.regex($e.target.process.file.full_path, `(?i)mshta\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(vbscript:|javascript:|http:\/\/|https:\/\/|\/\/|\\\\)`)
      ) or
      (
        // Branch 4: Cmd.exe with obfuscation patterns or spawned from Office
        re.regex($e.target.process.file.full_path, `(?i)cmd\.exe$`) and
        (
          re.regex($e.principal.process.file.full_path, `(?i)(winword|excel|powerpnt|outlook|onenote|access)\.exe$`) or
          (
            re.regex($e.target.process.command_line, `(\^\^|&&|\|\|)`) and
            re.regex($e.target.process.command_line, `(?i)(certutil|bitsadmin|powershell|wscript|cscript|http)`)
          )
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Windows endpoint telemetry ingested via Chronicle Forwarder Sysmon events normalized to UDM via Chronicle parsers

Required Tables

UDM Events (metadata.event_type = PROCESS_LAUNCH)

False Positives

Legitimate enterprise macros in Excel or Word that call wscript.exe or cscript.exe for automated document processing, ETL integration, or scheduled reporting tasks in finance or operations environments
IT asset management or endpoint management tools that spawn cmd.exe from Office applications to collect system inventory or push configuration changes via scripted automation
Custom HTA-based internal portals loaded via mshta.exe that reference local intranet URLs matching http:// or https:// patterns or use javascript: navigation handlers

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ParentBaseFileName = /(?i)^(winword|excel|powerpnt|outlook|onenote|access|visio)\.exe$/
  OR (
    FileName = /(?i)^(wscript|cscript)\.exe$/
    AND CommandLine = /(?i)(invoke-expression|iex\(|downloadstring|downloadfile|net\.webclient|createobject|shell\.application|shellexecute|wscript\.shell|http:\/\/|https:\/\/|certutil|bitsadmin|\.(?:vbs|vbe|js|jse|wsf|wsh|hta)\b)/
  )
  OR (
    FileName = /(?i)^mshta\.exe$/
    AND CommandLine = /(?i)(vbscript:|javascript:|http:\/\/|https:\/\/|\/\/|\\\\)/
  )
  OR (
    FileName = /(?i)^cmd\.exe$/
    AND (
      ParentBaseFileName = /(?i)^(winword|excel|powerpnt|outlook|onenote|access)\.exe$/
      OR (
        CommandLine = /(\^\^|&&|\|\|)/
        AND CommandLine = /(?i)(certutil|bitsadmin|powershell|wscript|cscript|http)/
      )
    )
  )
| case {
    ParentBaseFileName = /(?i)^(winword|excel|powerpnt|outlook|onenote|access|visio)\.exe$/
    AND FileName = /(?i)^(wscript|cscript|mshta|cmd|powershell|pwsh|regsvr32|rundll32)\.exe$/ |
      DetectionType := "OfficeMacroSpawn";
    FileName = /(?i)^(wscript|cscript)\.exe$/
    AND CommandLine = /(?i)(invoke-expression|downloadstring|net\.webclient|http:\/\/|https:\/\/|createobject|certutil|bitsadmin)/ |
      DetectionType := "SuspiciousScriptInterp";
    FileName = /(?i)^mshta\.exe$/ |
      DetectionType := "MshtaAbuse";
    FileName = /(?i)^cmd\.exe$/ |
      DetectionType := "CmdBatchAbuse";
    * | DetectionType := "Unknown"
  }
| table([_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionType])
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (EDR) Falcon ProcessRollup2 telemetry via Falcon Data Replicator or LogScale ingestion

Required Tables

ProcessRollup2

False Positives

Office-integrated automation workflows in financial or legal environments where Excel macros call cscript.exe to execute VBScript-based reporting, data transformation, or Lotus Notes integration scripts
Managed service provider tooling that wraps cmd.exe execution with certutil for SHA256 hash verification during endpoint software installation and patching workflows
Internal HTML applications (.hta files) served on corporate intranet that mshta.exe loads via http:// or https:// addresses as legacy enterprise web portals or configuration dashboards

Last updated: 2026-04-16 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1064 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Scripting

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections