W Script C Script Executing Java Script From User Profile
Query
DeviceProcessEvents
| where InitiatingProcessFileName in ("openwith.exe", "explorer.exe")
| where FileName in ('wscript.exe','cscript.exe')
| where ProcessCommandLine contains @"c:\Users\" and ProcessCommandLine contains ".js"About this query
Explanation
This query is designed to detect potentially malicious activity on a computer system. Specifically, it looks for instances where JavaScript files (.js) are being executed using Windows Script Host programs (wscript.exe or cscript.exe) from within a user's profile directory. This execution is initiated by common Windows processes (openwith.exe or explorer.exe), which could indicate that a user has unknowingly triggered the execution of a malicious script, possibly by opening a malicious file.
The query is part of a security measure to identify and prevent the execution of harmful JavaScript code that could compromise the system. It aligns with certain MITRE ATT&CK techniques that describe how adversaries might use scripting and user execution to carry out attacks. The recommendation is to configure systems to open JavaScript files in Notepad instead of executing them, as a preventive measure against such threats.
