MITRE ATT&CK® Analytic

AN0733: Analytic 0733

Detects JavaScript execution through WSH (wscript.exe, cscript.exe) or HTA (mshta.exe), particularly when spawned from Office macros, web browsers, or abnormal user paths. Correlates script execution with outbound network activity or system modification.

Domain: Enterprise | ID: AN0733 | Type: Analytic | Object version: 1.0 | Modified: (not provided)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because JavaScript launched through Windows scripting hosts or HTA execution can turn ordinary user activity into a security-relevant event, especially when it appears after Office, browser, or unusual user-path activity and is followed by network connections or system changes. For leaders, the value is not just spotting a process name; it is validating whether endpoint and network telemetry can connect suspicious script execution to possible follow-on behavior quickly enough for SOC triage and incident response decisions.

Executive priority

Prioritize this as a Windows endpoint detection validation item where Office documents, browsers, and user-writable paths are common business workflows. The executive question is whether the organization can prove, with evidence, when wscript.exe, cscript.exe, or mshta.exe activity is expected versus abnormal, and whether SOC teams can correlate that execution with outbound network activity or system modification. This supports incident readiness, audit evidence for monitoring controls, and practical prioritization of script execution hardening without assuming every scripting event is malicious.

Technical view

For SOC and detection engineering teams, validate telemetry for Windows process creation involving wscript.exe, cscript.exe, and mshta.exe, with parent-process context for Office applications, web browsers, and executions from abnormal user paths. The supplied analytic description emphasizes correlation: script execution should be reviewed alongside outbound network activity and system modification. Because no official detection logic, tactic mapping, or relationship context is supplied, local baselining is required to separate legitimate administrative or business scripting from abnormal chains.

Likely telemetry

  • Windows process creation events for wscript.exe, cscript.exe, and mshta.exe
  • Parent-child process context, especially Office applications and web browsers spawning script hosts
  • Command-line and execution path metadata, with attention to abnormal user paths
  • Outbound network connection telemetry associated with the script-host process or near-time process tree
  • Endpoint file, registry, or other system modification telemetry correlated to the script execution

Detection direction

  • Confirm that endpoint logging captures process name, parent process, command line, path, user, and host for Windows script-host activity.
  • Tune for suspicious parentage such as Office macros or browsers launching wscript.exe, cscript.exe, or mshta.exe, while accounting for legitimate enterprise automation.
  • Add correlation logic that links script execution to outbound network activity or system modification rather than relying only on process-name matching.
  • Baseline normal scripting activity by department, endpoint role, and administrative tooling to reduce false positives.
  • Review blind spots where command-line capture, parent-process lineage, network attribution, or endpoint modification events are missing or delayed.
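The correlation described in the points above, as an added example that is not MITRE's or Glexia's code: a small Python correlator that scores each script-host start by parent process, command-line path, and a follow-on outbound connection attributed to the same process. It assumes Sysmon-style field names, a 120-second window, and the user-writable-path pattern as a local baseline; the telemetry is constructed.

```python
from datetime import datetime, timedelta
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# User-writable locations that rarely host sanctioned automation (assumed local baseline).
ABNORMAL_PATH = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\|\\temp\\|\\users\\public\\", re.I)
WINDOW = timedelta(seconds=120)  # assumed follow-on window after process start

def evaluate(proc_events, net_events):
    """Score each script-host start; returns findings with the reasons that fired."""
    findings = []
    for p in proc_events:
        image = p["Image"].rsplit("\\", 1)[-1].lower()
        if image not in SCRIPT_HOSTS:
            continue
        parent = p["ParentImage"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if parent in OFFICE:
            reasons.append("spawned by Office application")
        elif parent in BROWSERS:
            reasons.append("spawned by web browser")
        if ABNORMAL_PATH.search(p["CommandLine"]):
            reasons.append("script argument in user-writable path")
        start = datetime.fromisoformat(p["UtcTime"])
        for n in net_events:  # correlate by process GUID within the window
            if n["ProcessGuid"] == p["ProcessGuid"] and \
               start <= datetime.fromisoformat(n["UtcTime"]) <= start + WINDOW:
                reasons.append(f"outbound connection to {n['DestinationIp']}:{n['DestinationPort']}")
                break
        # A process-name match alone is not a finding; two independent signals escalate.
        severity = "high" if len(reasons) >= 2 else "low" if reasons else None
        if severity:
            findings.append({"user": p["User"], "image": image, "parent": parent,
                             "severity": severity, "reasons": reasons})
    return findings

# Constructed sample telemetry: a Word-spawned wscript.exe that connects out within seconds,
# and a service-launched logon script (cscript.exe) that does not.
PROC = [
    {"UtcTime": "2024-05-01T09:00:05", "User": "CORP\\jdoe", "ProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'wscript.exe "C:\Users\jdoe\AppData\Local\Temp\invoice.js"'},
    {"UtcTime": "2024-05-01T09:01:00", "User": "NT AUTHORITY\\SYSTEM", "ProcessGuid": "{B2}",
     "Image": r"C:\Windows\System32\cscript.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"cscript.exe //B C:\Scripts\mapdrives.vbs"},
]
NET = [{"UtcTime": "2024-05-01T09:00:09", "ProcessGuid": "{A1}",
        "DestinationIp": "203.0.113.7", "DestinationPort": 443}]
```

Running `evaluate(PROC, NET)` yields one high-severity finding for the macro-spawned wscript.exe and nothing for the service-launched logon script, which is the baseline behaviour the bullets ask detection logic to preserve.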

Mitigation priorities

  • Inventory legitimate uses of Windows scripting hosts and HTA execution across the environment before applying broad restrictions.
  • Reduce unnecessary script-host execution from user-writable or abnormal paths where business need is not established.
  • Harden Office macro and browser-to-script execution pathways using existing enterprise control policies where appropriate.
  • Ensure endpoint, network, and system modification telemetry are retained and correlated for incident response timelines.
  • Create SOC playbooks for triaging script-host execution that include parent process, user context, network activity, and system changes.

Analyst notes and limits

This take is based on the supplied MITRE analytic description for AN0733. The object is a detection analytic for Windows focused on JavaScript execution through WSH or HTA, especially when spawned by Office macros, browsers, or abnormal user paths and correlated with outbound network or system modification activity. No official detection query, tactic assignment, aliases, labels, or relationship context was provided.

The source fields do not provide exact detection logic, data source mappings, tactic/technique relationships, false-positive examples, or mitigation text. Coverage and severity must therefore be validated against the local Windows environment, telemetry quality, and known legitimate scripting workflows.

Official MITRE ATT&CK definition

Analytic 0733

Detects JavaScript execution through WSH (wscript.exe, cscript.exe) or HTA (mshta.exe), particularly when spawned from Office macros, web browsers, or abnormal user paths. Correlates script execution with outbound network activity or system modification.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not provided)
Modified: (not provided)
Raw hash: 8696e2aa4f87744c...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not provided) | 1.0 | (not provided) | Current bundle | 8696e2aa4f87…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0733 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.