title: Scripting (T1064)
id: df00tech-t1064
status: experimental
description: "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. This deprecated technique (now superseded by T1059 Command and Scripting Interpreter) covered adversary use of scripting languages including VBScript, JavaScript, Windows Script Host, batch scripts, and macro-enabled Office documents. Scripts can be used to speed up operations, bypass process monitoring by interacting with the OS at an API level, and enable execution via spearphishing attachments containing malicious macros. Common attack patterns include VBScript/JScript execution via wscript.exe or cscript.exe, malicious Office macros spawning child processes, and batch scripts performing reconnaissance or lateral movement."
references:
  - https://attack.mitre.org/techniques/T1064/
  - https://df00tech.com/detections/T1064
author: df00tech
date: 2026/04/16
tags:
  - attack.t1064
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate software installers that use VBScript (wscript.exe) for install/uninstall automation, particularly older enterprise applications"
  - IT administration scripts run via Group Policy or SCCM that use cscript.exe or wscript.exe for inventory or configuration tasks
  - "Office add-ins and COM automation tools that legitimately spawn child processes from Word or Excel (e.g., mail-merge workflows, report generators)"
  - "Help desk and remote support tools (ConnectWise, TeamViewer) that may spawn cmd.exe or scripts from unusual parent processes"
  - Security scanners and vulnerability assessment tools that invoke mshta.exe or script interpreters during active scanning
level: high