Process
cscript.exe
cscript.exe is the Windows Script Host in its console form, the program that runs VBScript and JScript files (.vbs, .js, .wsf) from the command line. It writes script output to a terminal instead of dialog boxes, which makes it the host of choice for administrative automation and batch-driven scripts, and a quiet way for attackers to run script non-interactively.
File identity
Not observed.
Execution context
Not observed.
Ancestry
Not observed.
Behavior
Not observed.
cscript //e:vbscript {PATH_ABSOLUTE}:script.vbs · ADS · Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Indicators
Not observed.
Analysis
cscript.exe is one of the two front-ends to the Windows Script Host (WSH), the built-in engine that runs scripts written in VBScript and JScript. cscript.exe is the console host: it sends WScript.Echo output to standard out, takes input from the command line, and is the natural choice when a script runs inside a batch file, a scheduled task, or another program. Its windowed twin, wscript.exe, shows the same output in pop-up dialogs. The genuine binary lives at C:\Windows\System32\cscript.exe, with a 32-bit copy under SysWOW64.
The scripting language is chosen by the file extension or the //e: switch. The host hands scripts the same COM objects as wscript.exe (WScript.Shell, WScript.Network, Scripting.FileSystemObject, and others), which let them run programs, edit the registry, and reach the file system. The difference between the two hosts is only where output goes, not what a script can do.
Legitimately, cscript.exe is started by the Task Scheduler, by logon or Group Policy scripts, by software installers, or by an administrator running a script by hand. It is more common than wscript.exe in server and automation contexts. Its parent and the script named on its command line are what give an instance meaning.
cscript.exe runs attacker script just as readily as it runs admin script (T1059.005, T1059.007). Because it is signed and built in, a malicious .vbs or .js executes with the user's privileges and passes path and signature checks, leaving the script it runs and its parent as what to examine. Attackers favor the console host when execution is meant to be silent and non-interactive, driven from a batch file or another process rather than a double-click.
As with wscript.exe, the script is often only a stager. COM objects like MSXML2.XMLHTTP and WScript.Shell.Run let a short script pull down and launch the next payload (T1105), so cscript reaching the network or spawning powershell.exe or cmd.exe is the behavior to run down.
- Image path other than C:\Windows\System32\cscript.exe or its SysWOW64 copy · high
- Parent is an Office application, mshta.exe, or another LOLBIN · high
- Running a script from a user-writable path (Temp, AppData, Downloads) or a mounted ISO or ZIP · high
- cscript spawning cmd.exe, powershell.exe, or other LOLBINs · high
- Outbound network connections from cscript · high
- A script file with an encoded body (.vbe, .jse) or an obfuscated command line · med
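The checks above, together with the alternate-data-stream form listed under Behavior, can be applied to process records as in the following added example (not part of the original page). The record fields (image, parent, cmdline, children, outbound), the Office binary names and the sample records are assumptions made for illustration; mounted ISO/ZIP paths and command-line obfuscation are not covered.

```python
import re
from ntpath import basename

# Assumed lists: the page names "an Office application" and "LOLBINs" without enumerating them.
GENUINE = {r"c:\windows\system32\cscript.exe", r"c:\windows\syswow64\cscript.exe"}
RISKY_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe"}
RISKY_CHILDREN = {"cmd.exe", "powershell.exe"}
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads)\\", re.I)
ENCODED = re.compile(r"\.(vbe|jse)\b", re.I)
# A drive-rooted path followed by a second colon names an alternate data stream.
ADS = re.compile(r"[a-z]:\\[^\s\":]+:[^\s\"\\]+", re.I)

def triage(rec):
    """Return (severity, indicator) pairs for one cscript.exe instance."""
    hits, cmd = [], rec.get("cmdline", "")
    if rec["image"].lower() not in GENUINE:
        hits.append(("high", "image path outside System32/SysWOW64"))
    if basename(rec.get("parent", "")).lower() in RISKY_PARENTS:
        hits.append(("high", "suspicious parent"))
    if USER_WRITABLE.search(cmd):
        hits.append(("high", "script in user-writable path"))
    if any(basename(c).lower() in RISKY_CHILDREN for c in rec.get("children", [])):
        hits.append(("high", "spawned shell"))
    if rec.get("outbound"):
        hits.append(("high", "outbound network connection"))
    if ENCODED.search(cmd):
        hits.append(("med", "encoded script body"))
    if ADS.search(cmd):  # the page gives this behavior no severity rating
        hits.append(("unrated", "script in alternate data stream"))
    return hits

SAMPLES = [  # constructed records, not real telemetry
    {"image": r"C:\Windows\System32\cscript.exe", "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'cscript.exe //nologo "C:\Scripts\inventory.vbs"'},
    {"image": r"C:\Windows\System32\cscript.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"cscript.exe //b C:\Users\alice\AppData\Local\Temp\update.vbe",
     "children": [r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"], "outbound": True},
    {"image": r"C:\Windows\System32\cscript.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cscript //e:vbscript C:\ProgramData\notes.txt:script.vbs"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["cmdline"], "->", triage(rec) or "no indicators")
```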
Telemetry
Not observed.