```yaml
title: Script Host Piping Output to Temporary Files
id: edr-win-exec-script-to-tmp-pipe
status: stable
description: >
  Detects script hosts (wscript, cscript) spawning processes that redirect
  their output (via >>) into .tmp files, a common IAB staging pattern.
  Observed in SocGholish FakeUpdates intrusions where nearly all enumeration
  commands run by Update.js-spawned processes appended their output via >>
  to %AppData%\Temp\*.tmp files.
references:
  - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: ShroudCloud
date: 2026/04/16
tags:
  - attack.execution
  - attack.defense_evasion
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\powershell_ise.exe'
      - '\pwsh.exe'
    CommandLine|contains|all:
      - '>>'
      - '.tmp'
  condition: selection
falsepositives:
  - Legitimate scripts redirecting log output to temp files
level: medium
```
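To see which events this selection fires on and why, here is an added example (not code from the rule or its author): a toy evaluator for the rule's `endswith`, `contains` and `all` modifiers run over constructed process_creation events. It approximates Sigma's case-insensitive string matching by lowercasing both sides and does not implement wildcards; the event names, paths and command lines are all constructed.

```python
# Added example (not the rule's own code): evaluates this rule's selection
# over constructed process_creation events to show which ones fire.

# Field/modifier keys and values copied from the rule's selection.
SELECTION = {
    "ParentImage|endswith": [r"\wscript.exe", r"\cscript.exe"],
    "Image|endswith": [r"\cmd.exe", r"\powershell.exe",
                       r"\powershell_ise.exe", r"\pwsh.exe"],
    "CommandLine|contains|all": [">>", ".tmp"],
}

def field_matches(event, key, values):
    """One Sigma field with its modifiers: string matching is case-insensitive,
    a value list is OR-ed unless the 'all' modifier AND-s it."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    vals = [v.lower() for v in values]
    if "endswith" in mods:
        hits = [actual.endswith(v) for v in vals]
    elif "contains" in mods:
        hits = [v in actual for v in vals]
    else:
        hits = [actual == v for v in vals]
    return all(hits) if "all" in mods else any(hits)

def rule_matches(event):
    """A selection map is an AND across its fields (condition: selection)."""
    return all(field_matches(event, k, v) for k, v in SELECTION.items())

# Constructed sample events (not real telemetry); paths are illustrative.
SYS32 = r"C:\Windows\System32"
EVENTS = [
    {"name": "wscript_cmd_tmp", "ParentImage": SYS32 + r"\wscript.exe", "Image": SYS32 + r"\cmd.exe",
     "CommandLine": r"cmd /c whoami /all >> C:\Users\u\AppData\Local\Temp\rad1.tmp"},
    {"name": "cscript_pwsh_tmp", "ParentImage": SYS32 + r"\cscript.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r'pwsh -c "systeminfo >> $env:TEMP\out.tmp"'},
    {"name": "log_not_tmp", "ParentImage": SYS32 + r"\wscript.exe", "Image": SYS32 + r"\cmd.exe",
     "CommandLine": r"cmd /c net user >> C:\logs\run.log"},          # no '.tmp'
    {"name": "read_only_tmp", "ParentImage": SYS32 + r"\wscript.exe", "Image": SYS32 + r"\cmd.exe",
     "CommandLine": r"cmd /c type C:\Temp\cache.tmp"},               # no '>>'
    {"name": "parent_explorer", "ParentImage": r"C:\Windows\explorer.exe", "Image": SYS32 + r"\cmd.exe",
     "CommandLine": r"cmd /c dir >> C:\Temp\list.tmp"},              # wrong parent
]

def matching_names(events=EVENTS):
    """Names of the constructed events the rule would fire on."""
    return [e["name"] for e in events if rule_matches(e)]
```

The `log_not_tmp` event is the rule's stated false-positive shape (a script appending to a log file) and correctly does not fire, since `.tmp` is required alongside `>>`.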