# *WScript/CScript Executing JavaScript from User Profile*
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1059.007 | Command and Scripting Interpreter: JavaScript | https://attack.mitre.org/techniques/T1059/007/ |
| T1204.002 | User Execution: Malicious File | https://attack.mitre.org/techniques/T1204/002/ |
#### Description
Red Canary recommends creating a policy that opens .js files in Notepad (https://redcanary.com/blog/threat-intelligence/notepad-javascript/) to prevent the execution of malicious payloads.
This query detects instances where 'wscript.exe' or 'cscript.exe' is started by 'openwith.exe' or 'explorer.exe' and executes a JavaScript file (.js) located within a user's profile directory. This behavior can indicate an attempt to execute malicious scripts, often delivered via user interaction (e.g., opening a malicious file).
#### Risk
Execution of malicious JavaScript code
#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**
#### References
- https://redcanary.com/blog/threat-intelligence/notepad-javascript/
## Defender XDR
```KQL
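// Process creation events where Windows Script Host is launched from the shell
DeviceProcessEvents
// Parent is the "Open with" dialog or Explorer, i.e. the user opened the file
| where InitiatingProcessFileName in ("openwith.exe", "explorer.exe")
| where FileName in ('wscript.exe','cscript.exe')
// Command line references a user profile path and ".js" (contains is case-insensitive)
| where ProcessCommandLine contains @"c:\Users\" and ProcessCommandLine contains ".js"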
```
This query is designed to detect potentially malicious activity on a computer system. Specifically, it looks for instances where JavaScript files (.js) are being executed using Windows Script Host programs (wscript.exe or cscript.exe) from within a user's profile directory. This execution is initiated by common Windows processes (openwith.exe or explorer.exe), which could indicate that a user has unknowingly triggered the execution of a malicious script, possibly by opening a malicious file.
The query is part of a security measure to identify and prevent the execution of harmful JavaScript code that could compromise the system. It aligns with certain MITRE ATT&CK techniques that describe how adversaries might use scripting and user execution to carry out attacks. The recommendation is to configure systems to open JavaScript files in Notepad instead of executing them, as a preventive measure against such threats.
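The following is an added example, not part of the author's query. It runs the page's command-line filter next to a stricter regex over constructed sample rows, so that the effect of the substring match `contains ".js"` on a `.json` argument can be compared with an anchored match. The sample rows, user names and the columns `PageFilter`, `ScriptPath` and `TightFilter` are assumptions made for illustration.

```kql
// Constructed sample data shaped like the DeviceProcessEvents columns the query uses.
let SampleEvents = datatable(InitiatingProcessFileName:string, FileName:string, ProcessCommandLine:string)
[
    // Quoted script path under a user profile, opened from Explorer
    "explorer.exe", "wscript.exe", @'"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\invoice.js"',
    // Unquoted script path followed by a host option, opened via "Open with"
    "openwith.exe", "cscript.exe", @'cscript.exe C:\Users\bob\AppData\Local\Temp\update.js //nologo',
    // .json argument: contains ".js" as a substring, but is not a .js file
    "explorer.exe", "wscript.exe", @'wscript.exe C:\Users\carol\Documents\settings.json',
    // .js file outside any user profile
    "explorer.exe", "wscript.exe", @'wscript.exe D:\Tools\build.js',
    // Parent process is neither explorer.exe nor openwith.exe
    "cmd.exe", "wscript.exe", @'wscript.exe C:\Users\dave\Desktop\report.js'
];
SampleEvents
// Same parent/child conditions as the page's query; in~ is the case-insensitive form of in
| where InitiatingProcessFileName in~ ("openwith.exe", "explorer.exe")
| where FileName in~ ("wscript.exe", "cscript.exe")
// The page's command-line condition, kept as a boolean column for comparison
| extend PageFilter = ProcessCommandLine contains @"c:\Users\" and ProcessCommandLine contains ".js"
// Stricter variant: capture a path that starts at c:\users\ and ends in ".js"
// directly before a closing quote, whitespace or the end of the command line
| extend ScriptPath = extract(@'(?i)(c:\\users\\[^"]+?\.js)(?:"|\s|$)', 1, ProcessCommandLine)
| extend TightFilter = isnotempty(ScriptPath)
| project ProcessCommandLine, PageFilter, TightFilter, ScriptPath
```

To hunt on live data with the stricter condition, replace `SampleEvents` with `DeviceProcessEvents` and filter on `TightFilter`.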

Benjamin Zulliger
Released: October 9, 2025