Cscript.exe Download (Jun 2026)


```yaml
title: Suspicious Cscript.exe Download Pattern
id: 8f4b3a2c-1e5d-4b7a-9c2e-6f8a1b3d5e7f
status: experimental
description: Detects cscript.exe executing a script that makes a network request to download a file, often used in malware staging or LOLBins.
references:
  - https://lolbas-project.github.io/lolbas/Binaries/Cscript/
  - https://redcanary.com/blog/threat-detection/cscript-exe-download/
author: Your Name
date: 2024-01-01
tags:
  - attack.t1059.005
  - attack.command_and_control
  - attack.t1105
logsource:
  category: process_creation
  product: windows
  # service is optional, e.g., Sysmon Event ID 1 or Windows Security 4688
detection:
  # Both fields must match; any one of the CommandLine strings is enough.
  # Only the command line is inspected, not the contents of the script file.
  selection:
    Image|endswith: '\cscript.exe'
    CommandLine|contains:
      - '.DownloadFile('          # DownloadFile method
      - 'MSXML2.ServerXMLHTTP'    # XMLHTTP object
      - 'WinHttp.WinHttpRequest'
      - '.SaveToFile('
      - '.open("GET",'            # HTTP GET request
      - 'http://'
      - 'https://'
  condition: selection
falsepositives:
  - Legitimate admin scripts that download updates or configuration files.
  - Software deployment tools using cscript for HTTP fetches.
level: medium
```
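The rule's selection evaluated over a handful of process-creation events, as an added example that is not part of the original page or of the Sigma project. It assumes Sigma's default case-insensitive matching; the event names, hosts, paths and URLs are constructed placeholders.

```python
# Added example: the rule's selection re-implemented for an offline check.
# Assumption: string matching is case-insensitive, as Sigma does by default.
SUFFIX = "\\cscript.exe"
KEYWORDS = [
    ".DownloadFile(", "MSXML2.ServerXMLHTTP", "WinHttp.WinHttpRequest",
    ".SaveToFile(", '.open("GET",', "http://", "https://",
]

def matched_keywords(event):
    """Return the rule keywords found in the event, or [] if the selection fails."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith(SUFFIX):                        # Image|endswith
        return []
    return [k for k in KEYWORDS if k.lower() in cmdline]  # CommandLine|contains

# Constructed events: two alerts, one expected false positive, two misses.
EVENTS = {
    "url-argument": {
        "Image": r"C:\Windows\System32\cscript.exe",
        "CommandLine": r"cscript.exe //nologo C:\Users\Public\fetch.vbs https://files.example.invalid/a.bin",
    },
    "upper-case": {
        "Image": r"C:\WINDOWS\SYSTEM32\CSCRIPT.EXE",
        "CommandLine": r"CSCRIPT.EXE C:\Temp\job.vbs HTTP://198.51.100.7/x",
    },
    "admin-script": {  # the legitimate-admin false positive the rule lists
        "Image": r"C:\Windows\System32\cscript.exe",
        "CommandLine": r"cscript.exe //B \\fs01\deploy\get_config.vbs http://config.corp.example/app.ini",
    },
    "script-only": {   # URL and HTTP object live inside the .js file
        "Image": r"C:\Windows\System32\cscript.exe",
        "CommandLine": r"cscript.exe //nologo C:\Temp\stage.js",
    },
    "wscript": {       # same script host family, different image name
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"wscript.exe C:\Temp\job.vbs https://files.example.invalid/a.bin",
    },
}

def triage(events):
    """Map each event name to the keywords that fired for it."""
    return {name: matched_keywords(ev) for name, ev in events.items()}

if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(f"{name:13} {'ALERT' if hits else 'no match'} {hits}")
```

The `script-only` and `wscript` events show where the selection is blind: a download coded inside the script file, or the same script run through `wscript.exe`, produces no alert from the process command line alone.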

Cscript.exe (Console Script) is a legitimate, digitally signed Microsoft Windows executable file. It is a command-line version of the Windows Script Host (WSH). In simple terms, it allows you to run scripts written in VBScript (.vbs) or JScript (.js) directly in the Command Prompt (CMD) or PowerShell, rather than clicking on them. There are two versions of Windows Script Host: