Active 2024-08-05

ScriptHostTest

Windows Script Host testing framework for validating script execution defenses and detection capabilities.

Tags: wsh, wscript, cscript, windows, detection-testing
Quickstart
Get started instantly (the one-liner below chains commands with &&, which requires PowerShell 7 or later; in Windows PowerShell 5.1 run the three commands one at a time):
git clone https://github.com/MHaggis/notes.git && cd notes/utilities/ScriptHostTest && .\Run-Tests.ps1

The Problem

Windows Script Host (WSH) is frequently abused by malware and attackers, but defenders struggle to test their detection capabilities against the many ways WSH scripts can be launched. There is no comprehensive framework for validating WSH-based defenses.

The Solution

ScriptHostTest provides a complete testing framework for Windows Script Host execution, covering VBScript, JScript, WSF files, and various execution methods. It helps defenders validate their detection rules and security controls against real-world WSH abuse.

Impact

Enables security teams to comprehensively test their defenses against WSH-based attacks, ensuring detection coverage for this commonly abused Windows feature. Used by detection engineers to validate and improve their rules.

Test Coverage

Script Types

  • VBScript (.vbs) - Visual Basic Scripting
  • JScript (.js) - JavaScript for Windows
  • WSF (.wsf) - Windows Script Files
  • HTA (.hta) - HTML Applications

Execution Methods

  • wscript.exe - GUI script host
  • cscript.exe - Console script host
  • mshta.exe - HTA execution
  • Indirect execution - Via COM objects

Attack Techniques

  • Command execution
  • File operations
  • Registry manipulation
  • Network connections
  • Process creation
  • WMI abuse

Features

Comprehensive Test Suite

  • 50+ test scenarios
  • MITRE ATT&CK mapped
  • Configurable execution
  • Safe test mode

Detection Validation

  • Sysmon event generation
  • EDR telemetry testing
  • Script block logging
  • AMSI trigger validation

Automated Reporting

  • Test execution results
  • Detection coverage gaps
  • Telemetry analysis
  • Recommendations

Test Scenarios

T1059.005 - Visual Basic

' Command execution via WScript.Shell
Set objShell = CreateObject("WScript.Shell")
objShell.Run "cmd.exe /c whoami"

T1059.007 - JavaScript

// WMI process creation
var wmi = GetObject("winmgmts:");
var proc = wmi.Get("Win32_Process");
proc.Create("notepad.exe");

File Operations

  • File creation and modification
  • Alternate data streams
  • Hidden file attributes

Network Activity

  • HTTP requests
  • DNS queries
  • File downloads

Use Cases

Detection Engineering

Validate detection rules for WSH abuse.

Red Team Testing

Generate realistic WSH-based attack traffic.

Blue Team Training

Understand WSH attack patterns and telemetry.

Security Control Validation

Test AppLocker, WDAC, and ASR rules.

Detection Opportunities

The framework helps identify:

  • Script execution events
  • Suspicious parent-child relationships
  • Network connections from scripts
  • Registry and file modifications
  • Command-line patterns
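The detection opportunities listed above can be exercised with a small rule set run over constructed Sysmon-style events. The following Python is an added example, not part of ScriptHostTest or its Run-Tests.ps1; the rule names, the SysmonEvent fields and the sample events are assumptions built for illustration. It evaluates the rules against the page's two scenarios (WScript.Shell Run and WMI Win32_Process.Create) plus a network-connection scenario, and reports for each scenario which expected rule did not fire, which is the kind of coverage gap the framework's automated reporting is meant to surface. It goes one step beyond the page's snippets in one respect: the WMI scenario shows that a process created through Win32_Process.Create is parented by WmiPrvSE.exe rather than the script host, so a parent-child rule keyed on wscript.exe or cscript.exe never sees it.

```python
"""Detection checks for Windows Script Host telemetry (added example, not ScriptHostTest code)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Process names relevant to WSH monitoring; all comparisons use lowercase basenames.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Command-line patterns worth flagging on a script-host process create: an explicit
# engine switch (//E:jscript, //E:vbscript), a URL argument, or a script file run
# from a user-writable staging directory (Temp, AppData, Downloads).
SUSPICIOUS_CMDLINE = re.compile(
    r"(?i)(//e:(jscript|vbscript)|https?://|\\(temp|appdata|downloads)\\[^\s\"]*\.(vbs|js|jse|wsf|hta)\b)"
)


@dataclass
class SysmonEvent:
    """Constructed subset of Sysmon fields: EventID 1 (process create) or 3 (network connection)."""
    event_id: int
    image: str
    parent_image: str = ""
    command_line: str = ""
    dest_ip: str = ""
    dest_port: int = 0


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: SysmonEvent) -> list[str]:
    """Return the names of the detection rules (assumed names) a single event satisfies."""
    hits = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    if ev.event_id == 1:
        if img in SCRIPT_HOSTS:
            hits.append("script_host_execution")
            if parent in OFFICE_PARENTS:
                hits.append("office_spawns_script_host")
            if SUSPICIOUS_CMDLINE.search(ev.command_line):
                hits.append("suspicious_script_cmdline")
        if parent in SCRIPT_HOSTS and img in SHELL_CHILDREN:
            hits.append("script_host_spawns_shell")
    elif ev.event_id == 3 and img in SCRIPT_HOSTS:
        hits.append("script_host_network_connection")
    return hits


def coverage_report(scenarios: dict, expected: dict) -> dict:
    """scenarios: {name: [SysmonEvent]}; expected: {name: {rule names the scenario should trigger}}.
    Returns, per scenario, the rules that fired and the expected rules that did not (the gaps)."""
    report = {}
    for name, events in scenarios.items():
        fired = set()
        for ev in events:
            fired.update(evaluate(ev))
        report[name] = {"fired": sorted(fired), "gaps": sorted(expected.get(name, set()) - fired)}
    return report


# Constructed telemetry for the page's two scenarios plus a network one (not real captures).
VBS = r"C:\Users\lab\AppData\Local\Temp\t1059_005.vbs"
JS = r"C:\Users\lab\AppData\Local\Temp\t1059_007.js"
SCENARIOS = {
    "T1059.005 WScript.Shell Run": [
        SysmonEvent(1, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe", f'wscript.exe "{VBS}"'),
        SysmonEvent(1, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe", "cmd.exe /c whoami"),
    ],
    "T1059.007 WMI Win32_Process.Create": [
        SysmonEvent(1, r"C:\Windows\System32\cscript.exe", r"C:\Windows\explorer.exe", f'cscript.exe "{JS}"'),
        # A process created via WMI is parented by WmiPrvSE.exe, not by the script host.
        SysmonEvent(1, r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe", "notepad.exe"),
    ],
    "Network from script host": [
        SysmonEvent(3, r"C:\Windows\System32\wscript.exe", dest_ip="203.0.113.10", dest_port=443),
    ],
}
EXPECTED = {
    "T1059.005 WScript.Shell Run": {"script_host_execution", "suspicious_script_cmdline", "script_host_spawns_shell"},
    "T1059.007 WMI Win32_Process.Create": {"script_host_execution", "suspicious_script_cmdline", "script_host_spawns_shell"},
    "Network from script host": {"script_host_network_connection"},
}

if __name__ == "__main__":
    for name, result in coverage_report(SCENARIOS, EXPECTED).items():
        print(f"{name}: fired={result['fired']} gaps={result['gaps']}")
```

Running it reports no gaps for the WScript.Shell and network scenarios, and a gap of script_host_spawns_shell for the WMI scenario: the child process exists, but correlating it back to the script requires the WMI activity events (Sysmon EventID 19-21 or the Microsoft-Windows-WMI-Activity log) rather than a process-tree rule. The same structure extends to the framework's other scenario classes by adding a rule to evaluate and an expected set per test.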

Safe Testing

All tests can run in:

  • Audit mode - No actual execution
  • Isolated environment - Sandboxed execution
  • Controlled execution - Step-by-step validation

