T1064 IBM QRadar · QRadar

Detect Scripting in IBM QRadar

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. This deprecated technique (now superseded by T1059 Command and Scripting Interpreter) covered adversary use of scripting languages including VBScript, JavaScript, Windows Script Host, batch scripts, and macro-enabled Office documents. Scripts can be used to speed up operations, bypass process monitoring by interacting with the OS at an API level, and enable execution via spearphishing attachments containing malicious macros. Common attack patterns include VBScript/JScript execution via wscript.exe or cscript.exe, malicious Office macros spawning child processes, and batch scripts performing reconnaissance or lateral movement.

MITRE ATT&CK

Tactic: Defense Evasion, Execution
Canonical reference: https://attack.mitre.org/techniques/T1064/

QRadar Detection Query

IBM QRadar (AQL)

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS HostIP,
  username AS UserName,
  "ProcessName",
  "CommandLine",
  "ParentProcessName",
  "ParentCommandLine",
  CASE
    WHEN LOWER("ParentProcessName") IN ('winword.exe','excel.exe','powerpnt.exe','outlook.exe','onenote.exe','access.exe','visio.exe')
         AND LOWER("ProcessName") IN ('wscript.exe','cscript.exe','mshta.exe','cmd.exe','powershell.exe','pwsh.exe','regsvr32.exe','rundll32.exe')
      THEN 'OfficeMacroSpawn'
    WHEN LOWER("ProcessName") IN ('wscript.exe','cscript.exe')
         AND (LOWER("CommandLine") LIKE '%invoke-expression%' OR LOWER("CommandLine") LIKE '%iex(%'
              OR LOWER("CommandLine") LIKE '%downloadstring%' OR LOWER("CommandLine") LIKE '%downloadfile%'
              OR LOWER("CommandLine") LIKE '%net.webclient%' OR LOWER("CommandLine") LIKE '%createobject%'
              OR LOWER("CommandLine") LIKE '%shell.application%' OR LOWER("CommandLine") LIKE '%shellexecute%'
              OR LOWER("CommandLine") LIKE '%wscript.shell%' OR LOWER("CommandLine") LIKE '%http://%'
              OR LOWER("CommandLine") LIKE '%https://%' OR LOWER("CommandLine") LIKE '%certutil%'
              OR LOWER("CommandLine") LIKE '%bitsadmin%' OR LOWER("CommandLine") LIKE '%.vbs%'
              OR LOWER("CommandLine") LIKE '%.js%' OR LOWER("CommandLine") LIKE '%.hta%')
      THEN 'SuspiciousScriptInterp'
    WHEN LOWER("ProcessName") = 'mshta.exe'
         AND (LOWER("CommandLine") LIKE '%vbscript:%' OR LOWER("CommandLine") LIKE '%javascript:%'
              OR LOWER("CommandLine") LIKE '%http://%' OR LOWER("CommandLine") LIKE '%https://%'
              OR LOWER("CommandLine") LIKE '%//%' OR LOWER("CommandLine") LIKE '%\\\\%')
      THEN 'MshtaAbuse'
    WHEN LOWER("ProcessName") = 'cmd.exe'
         AND (LOWER("ParentProcessName") IN ('winword.exe','excel.exe','powerpnt.exe','outlook.exe','onenote.exe','access.exe')
              OR ((LOWER("CommandLine") LIKE '%^^%' OR LOWER("CommandLine") LIKE '%&&%' OR LOWER("CommandLine") LIKE '%||%')
                  AND (LOWER("CommandLine") LIKE '%certutil%' OR LOWER("CommandLine") LIKE '%bitsadmin%'
                       OR LOWER("CommandLine") LIKE '%powershell%' OR LOWER("CommandLine") LIKE '%wscript%'
                       OR LOWER("CommandLine") LIKE '%cscript%' OR LOWER("CommandLine") LIKE '%http%')))
      THEN 'CmdBatchAbuse'
    ELSE 'Unknown'
  END AS DetectionType
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Windows Security Event Log (Sysmon)')
  AND QIDNAME(qid) LIKE '%Process Create%'
  AND (
    (
      LOWER("ParentProcessName") IN ('winword.exe','excel.exe','powerpnt.exe','outlook.exe','onenote.exe','access.exe','visio.exe')
      AND LOWER("ProcessName") IN ('wscript.exe','cscript.exe','mshta.exe','cmd.exe','powershell.exe','pwsh.exe','regsvr32.exe','rundll32.exe')
    ) OR (
      LOWER("ProcessName") IN ('wscript.exe','cscript.exe')
      AND (LOWER("CommandLine") LIKE '%invoke-expression%' OR LOWER("CommandLine") LIKE '%iex(%'
           OR LOWER("CommandLine") LIKE '%downloadstring%' OR LOWER("CommandLine") LIKE '%net.webclient%'
           OR LOWER("CommandLine") LIKE '%createobject%' OR LOWER("CommandLine") LIKE '%http://%'
           OR LOWER("CommandLine") LIKE '%https://%' OR LOWER("CommandLine") LIKE '%certutil%'
           OR LOWER("CommandLine") LIKE '%.vbs%' OR LOWER("CommandLine") LIKE '%.hta%')
    ) OR (
      LOWER("ProcessName") = 'mshta.exe'
      AND (LOWER("CommandLine") LIKE '%vbscript:%' OR LOWER("CommandLine") LIKE '%javascript:%'
           OR LOWER("CommandLine") LIKE '%http://%' OR LOWER("CommandLine") LIKE '%https://%')
    ) OR (
      LOWER("ProcessName") = 'cmd.exe'
      AND (LOWER("ParentProcessName") IN ('winword.exe','excel.exe','powerpnt.exe','outlook.exe','onenote.exe','access.exe')
           OR ((LOWER("CommandLine") LIKE '%^^%' OR LOWER("CommandLine") LIKE '%&&%' OR LOWER("CommandLine") LIKE '%||%')
               AND (LOWER("CommandLine") LIKE '%certutil%' OR LOWER("CommandLine") LIKE '%bitsadmin%'
                    OR LOWER("CommandLine") LIKE '%powershell%' OR LOWER("CommandLine") LIKE '%wscript%'
                    OR LOWER("CommandLine") LIKE '%cscript%')))
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
```

Severity: high; Confidence: high

Detects T1064 scripting abuse in IBM QRadar using process creation events from the Windows Security Event Log or Sysmon (mapped via the Universal DSM). ProcessName, CommandLine, ParentProcessName, and ParentCommandLine must exist as QRadar custom event properties extracted from Sysmon Event ID 1 or Security Event ID 4688, the latter with command-line auditing enabled. Each returned row is classified into one of four categories: OfficeMacroSpawn, SuspiciousScriptInterp, MshtaAbuse, or CmdBatchAbuse.
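The four-branch classifier and the row filter of the query above, re-implemented in Python as an added example (not code from the page) so the logic can be unit-tested on constructed Sysmon Event ID 1 records before the AQL is turned into a rule. The WHERE clause tests a smaller set of command-line markers than the CASE expression (for example, downloadfile, .js and the mshta // forms appear only in the CASE), so the example keeps both sets and shows a record the CASE would label but the WHERE silently drops; the sample records and field names are constructed.

```python
# Added example, not from the QRadar page: the AQL CASE classifier and WHERE filter
# re-implemented in Python to check the branch logic on constructed Sysmon records.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
          "onenote.exe", "access.exe", "visio.exe"}
CHILDREN = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe",
            "powershell.exe", "pwsh.exe", "regsvr32.exe", "rundll32.exe"}
CHAIN = ("^^", "&&", "||")
# Each pair: markers as in the CASE expression, then the narrower WHERE-clause set.
INTERP = (("invoke-expression", "iex(", "downloadstring", "downloadfile",
           "net.webclient", "createobject", "shell.application", "shellexecute",
           "wscript.shell", "http://", "https://", "certutil", "bitsadmin",
           ".vbs", ".js", ".hta"),
          ("invoke-expression", "iex(", "downloadstring", "net.webclient",
           "createobject", "http://", "https://", "certutil", ".vbs", ".hta"))
MSHTA = (("vbscript:", "javascript:", "http://", "https://", "//", "\\\\"),
         ("vbscript:", "javascript:", "http://", "https://"))
TOOLS = (("certutil", "bitsadmin", "powershell", "wscript", "cscript", "http"),
         ("certutil", "bitsadmin", "powershell", "wscript", "cscript"))

def _branch(ev, i):  # i=0 evaluates the CASE lists, i=1 the WHERE lists
    proc = ev.get("ProcessName", "").lower()
    parent = ev.get("ParentProcessName", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if parent in OFFICE and proc in CHILDREN:
        return "OfficeMacroSpawn"
    if proc in ("wscript.exe", "cscript.exe") and any(m in cmd for m in INTERP[i]):
        return "SuspiciousScriptInterp"
    if proc == "mshta.exe" and any(m in cmd for m in MSHTA[i]):
        return "MshtaAbuse"
    # The cmd.exe branch's Office list omits visio.exe; branch 1 already covers it.
    if proc == "cmd.exe" and ((parent in OFFICE and parent != "visio.exe") or
            (any(c in cmd for c in CHAIN) and any(t in cmd for t in TOOLS[i]))):
        return "CmdBatchAbuse"
    return None

def classify(ev):
    """DetectionType from the CASE expression; 'Unknown' if no branch matches."""
    return _branch(ev, 0) or "Unknown"

def run(events):
    """Rows the query would return, as (ProcessName, DetectionType) pairs."""
    return [(ev["ProcessName"], classify(ev)) for ev in events if _branch(ev, 1)]
# Constructed samples; cscript.exe + '.js' is in the CASE list only, so WHERE drops it.
SAMPLE = [{"ProcessName": "wscript.exe", "ParentProcessName": "WINWORD.EXE",
           "CommandLine": "wscript.exe C:\\Users\\a\\AppData\\Local\\Temp\\q.vbs"},
          {"ProcessName": "cmd.exe", "ParentProcessName": "agent.exe",
           "CommandLine": "cmd.exe /c certutil -hashfile build.zip SHA256 && echo ok"},
          {"ProcessName": "cscript.exe", "ParentProcessName": "explorer.exe",
           "CommandLine": "cscript.exe //nologo logon.js"}]
```

The second sample is the CI/CD certutil hash-check pattern from the tuning list below and lands in CmdBatchAbuse, which is where a parent-process or host allowlist would be applied.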

Data Sources

  • Microsoft Windows Security Event Log (via QRadar WinCollect or Universal DSM)
  • Sysmon logs via Universal DSM with custom property extraction

Required Tables

events

False Positives & Tuning

  • Legitimate Office automation macros used in finance or legal departments that call wscript.exe or cscript.exe to run VBScript-based reporting, data extraction, or workflow integration scripts
  • MSHTA-based internal enterprise portals that use vbscript: or javascript: protocol handlers for legacy HTML application functionality on corporate intranets
  • Obfuscated batch scripts used by CI/CD pipelines or build agents that chain certutil with HTTPS endpoints for artifact download and hash verification
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: VBScript Download Cradle via wscript.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image=wscript.exe, CommandLine referencing df00tech_test.vbs. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8080 from wscript.exe (connection will fail). Sysmon Event ID 11: File creation of df00tech_test.vbs in %TEMP%.

  2. Test 2: JScript Execution via cscript.exe with Shell Command

    Expected signal: Sysmon Event ID 1: Process Create for cscript.exe with CommandLine referencing df00tech_shell.js. Sysmon Event ID 1 (child): cmd.exe spawned by cscript.exe with 'whoami' command. Sysmon Event ID 11: Output file creation in %TEMP%.

  3. Test 3: MSHTA Remote HTA Execution

    Expected signal: Sysmon Event ID 1: Process Create with Image=mshta.exe, CommandLine='mshta.exe http://127.0.0.1:8080/df00tech_test.hta'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8080 (will fail — no listener). The process creation event fires regardless of connection success.

  4. Test 4: Simulated Office Macro Child Process (cmd.exe spawned from Word context)

    Expected signal: Sysmon Event ID 1: powershell.exe process create followed by cmd.exe child process. Security Event ID 4688 (if command line auditing enabled) for both processes. To fully test the OfficeMacroSpawn detection branch, the test would need to originate from a running winword.exe process — this simulation exercises the cmd.exe execution and output paths.

  5. Test 5: VBScript Inline Execution via mshta vbscript: Protocol

    Expected signal: Sysmon Event ID 1: Process Create with Image=mshta.exe, CommandLine containing 'vbscript:Execute'. A dialog box will appear briefly — dismiss it. No network connections or file writes are expected for this test variant.
