Query Details

W Script C Script Executing Java Script From User Profile

Query

DeviceProcessEvents
| where InitiatingProcessFileName in ("openwith.exe", "explorer.exe")
| where FileName in ('wscript.exe','cscript.exe')
| where ProcessCommandLine contains @"c:\Users\" and ProcessCommandLine contains ".js"

About this query

Explanation

This query is designed to detect potentially malicious activity on a computer system. Specifically, it looks for instances where JavaScript files (.js) are being executed using Windows Script Host programs (wscript.exe or cscript.exe) from within a user's profile directory. This execution is initiated by common Windows processes (openwith.exe or explorer.exe), which could indicate that a user has unknowingly triggered the execution of a malicious script, possibly by opening a malicious file.

The query is part of a security measure to identify and prevent the execution of harmful JavaScript code that could compromise the system. It aligns with certain MITRE ATT&CK techniques that describe how adversaries might use scripting and user execution to carry out attacks. The recommendation is to configure systems to open JavaScript files in Notepad instead of executing them, as a preventive measure against such threats.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: October 9, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsUserJavaScript

Operators

DeviceProcessEventswhereincontains

MITRE Techniques

Actions

GitHub