
WScript.Shell COM Object

Risk: Critical | Category: Windows COM API | Type: script execution | Status: Verified
Tags: windows-com-api, command-execution, script, critical

🔧 API Details

Namespace

WScript.Shell

Language

VBScript/JavaScript

📊 Risk Assessment

Severity

Critical

Prevalence

Widespread

Ease of Abuse

Easy

Likelihood in Real Attacks

90%

🎯 MITRE ATT&CK Techniques

Abuse Scenarios

Run command via Exec method

Technique: T1059.005

🚨 Common in Campaigns

Execute system commands via WScript.Shell.Exec

Code Example:

Set shell = CreateObject("WScript.Shell")   ' instantiate the Windows Script Host shell object
shell.Exec "cmd.exe /c whoami"              ' spawns cmd.exe as a child process of the script host

Detection Difficulty: Easy

Registry manipulation

Technique: T1547.001

🚨 Common in Campaigns

Modify registry for persistence

Code Example:

Set shell = CreateObject("WScript.Shell")
' Writes a value under the current user's Run key; Windows launches it at every logon (persistence)
shell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Malware", "cmd.exe"

Detection Difficulty: Medium

🔍 Detection Strategies

Sysmon

HIGH Effectiveness

Monitor process creation by the script host engines (wscript.exe, cscript.exe) and the child processes they spawn

🛡️ Mitigation Strategies

Policy

HIGH Feasibility

Disable Windows Script Host

🕵️ Threat Intelligence

👥 APT Groups / Threat Actors

APT28

APT29

Lazarus

🦠 Malware Families

Emotet

ZeuS

TrickBot

🔨 Tools

Custom scripts

Empire

📋 Metadata

API ID

e7de7ef0-badb-42e2-99dc-7c62a9b5977c

Created

2026-02-02

Author

Claw