Command and Scripting Interpreter T1059

Tactic: Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

Events covered

76 catalog events are tagged with this technique by at least one rule.

Provider | Event | Title
Sysmon | Event ID 1 | Process creation
Sysmon | Event ID 3 | Network connection
Sysmon | Event ID 5 | Process terminated
Sysmon | Event ID 7 | Image loaded
Sysmon | Event ID 8 | CreateRemoteThread
Sysmon | Event ID 10 | ProcessAccess
Sysmon | Event ID 11 | FileCreate
Sysmon | Event ID 12 | RegistryEvent (Object create and delete)
Sysmon | Event ID 13 | RegistryEvent (Value Set)
Sysmon | Event ID 14 | RegistryEvent (Key and Value Rename)
Sysmon | Event ID 17 | PipeEvent (Pipe Created)
Sysmon | Event ID 18 | PipeEvent (Pipe Connected)
Sysmon | Event ID 19 | WmiEvent (WmiEventFilter activity detected)
Sysmon | Event ID 20 | WmiEvent (WmiEventConsumer activity detected)
Sysmon | Event ID 21 | WmiEvent (WmiEventConsumerToFilter activity detected)
Sysmon | Event ID 22 | DNSEvent (DNS query)
Sysmon | Event ID 23 | FileDelete (File Delete archived)
Sysmon | Event ID 26 | FileDeleteDetected (File Delete logged)
Security-Auditing | Event ID 4624 | An account was successfully logged on.
Security-Auditing | Event ID 4625 | An account failed to log on.
Security-Auditing | Event ID 4656 | A handle to an object was requested.
Security-Auditing | Event ID 4657 | A registry value was modified.
Security-Auditing | Event ID 4663 | An attempt was made to access an object.
Security-Auditing | Event ID 4688 | A new process has been created.
Security-Auditing | Event ID 4689 | A process has exited.
Security-Auditing | Event ID 4697 | A service was installed in the system.
Security-Auditing | Event ID 4698 | A scheduled task was created.
Security-Auditing | Event ID 4776 | The domain controller attempted to validate the credentials for an account.
Security-Auditing | Event ID 4799 | A security-enabled local group membership was enumerated.
Security-Auditing | Event ID 5140 | A network share object was accessed.
Security-Auditing | Event ID 5145 | A network share object was checked to see whether client can be granted desired access.
Security-Auditing | Event ID 5156 | The Windows Filtering Platform has permitted a connection.
Defender-DeviceEvents | any | Defender event (any)
Defender-DeviceEvents | PowerShellCommand | PowerShell command executed
Defender-DeviceEvents | AmsiScriptContent | AMSI script content captured
Defender-DeviceEvents | ClrUnbackedModuleLoaded | CLR unbacked module loaded
Defender-DeviceFileEvents | any | File activity (any)
Defender-DeviceImageLoadEvents | any | Image load (any)
Defender-DeviceImageLoadEvents | ImageLoaded | Image loaded
Defender-DeviceNetworkEvents | ConnectionSuccess | Connection succeeded
Defender-DeviceProcessEvents | any | Process activity (any)
ESF | exec | Process Execution (Notify)
ESF | create | File or Directory Create (NOTIFY)
ESF | write | File Write (NOTIFY)
Linux-Auditd | Event ID 1302 | PATH
Linux-Auditd | Event ID 1309 | EXECVE
MSSQLSERVER | Event ID 8128 | Event ID 8128
AppLocker | Event ID 8004 | FilePathBuffer was prevented from running.
AppLocker | Event ID 8007 | FilePathBuffer was prevented from running.
AppLocker | Event ID 8022 | PackageBuffer was prevented from running.
AppLocker | Event ID 8025 | PackageBuffer was prevented from running.
DotNETRuntime | Event ID 152 | ModuleID=ModuleID.
PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData.
PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal).
Windows-Defender | Event ID 1006 | ProductName has detected malware or other potentially unwanted software.
Windows-Defender | Event ID 1015 | ProductName has detected a suspicious behavior.
Windows-Defender | Event ID 1116 | Product Name has detected malware or other potentially unwanted software.
Windows-Defender | Event ID 1117 | Product Name has taken action to protect this machine from malware or other potentially unwanted software.
Windows-Defender | Event ID 1121 | Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
Windows-Defender | Event ID 1122 | Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.
Windows-Defender | Event ID 1125 | Your IT administrator would have caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.
Windows-Defender | Event ID 1126 | Your IT administrator has caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.
Windows-Defender | Event ID 1129 | A user has allowed a blocked Microsoft Defender Exploit Guard operation.
Windows-Defender | Event ID 1131 | ProductName has blocked an operation that your administrator doesn't allow.
Windows-Defender | Event ID 1132 | ProductName has audited an operation.
Windows-Defender | Event ID 1133 | ProductName has blocked an operation that your administrator doesn't allow.
Windows-Defender | Event ID 1134 | ProductName has audited an operation.
Windows-Defender | Event ID 5007 | Product Name Configuration has changed.
PowerShell | Event ID 400 | Event ID 400
PowerShell | Event ID 800 | Event ID 800
ScreenConnect | Event ID 200 | Executed command of length.
ScreenConnect | Event ID 201 | Transferred files with action 'Transfer'.
Service-Control-Manager | Event ID 7045 | A service was installed in the system.
Sysmon-for-Linux | Event ID 1 | Process Create
Sysmon-for-Linux | Event ID 3 | Network connection
Sysmon-for-Linux | Event ID 11 | File created

Authoring guide

Patterns shared across the 1093 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (351 distinct)

The fields most rules look at when detecting this technique. The Rules column counts how many rules filter on the field. The How column lists the operators authors use (eq, wildcard, regex_match, match, and so on) with the number of rules using each. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
CommandLine | 388 | contains 264, regex_match 65, match 48, wildcard 21, is_not_null 15, ends_with 14, in 13, eq 9, is_null 3, starts_with 2, length_compare 1 | -e , list, .js, /bin/bash, /c
Image | 268 | ends_with 202, contains 21, starts_with 19, wildcard 17, eq 10, is_not_null 9, ne 4, in 3, regex_match 3, is_null 2, match 1 | \powershell.exe, \cmd.exe, \pwsh.exe, \cscript.exe, /dev/shm/
process_name | 268 | eq 146, in 93, starts_with 26, wildcard 20, regex_match 17, match 11, ne 4, contains 2, is_not_null 2, ends_with 1 | bash, powershell.exe, csh, cmd.exe, dash
event.type | 216 | eq 203, in 13, ne 1 | start, process_started, creation, change, deletion
EventID | 199 | eq 195, in 4 | 4104, 4688, 1, 4103, 7
EventType | 169 | eq 106, in 61, starts_with 4, ne 3, contains 1 | exec, ProcessRollup2, exec_event, connection_attempted, start
parent_process_name | 161 | eq 98, in 35, regex_match 20, starts_with 14, wildcard 8, match 7, ends_with 5, contains 3, is_not_null 1, ne 1 | bash, explorer.exe, cmd.exe, csh, powershell.exe
host.os.type | 142 | eq 135, in 8 |
ScriptBlockText | 130 | contains 76, in 42, eq 27, regex_match 9, match 7, ends_with 2, starts_with 1 | adjusttokenprivileges, frombase64string, new-object, &&, (new-object...
OriginalFileName | 121 | eq 109, in 11, contains 2, wildcard 1 | powershell.exe, pwsh.dll, powershell_ise.exe, cmd.exe, cscript.exe
process.args | 109 | eq 58, wildcard 33, in 25, starts_with 24, contains 22, ends_with 6, match 3, ne 3, is_not_null 1 | -c, -e, */bin/*sh*, *import*pty*spawn*, *import*subprocess*call*
ParentImage | 108 | ends_with 72, contains 14, eq 13, is_not_null 7, starts_with 6, wildcard 4, ne 3, is_null 1, regex_match 1 | \powershell.exe, \cmd.exe, \explorer.exe, /java, /node
event.category | 66 | eq 65, in 1 | process, library, driver, file
ParentCommandLine | 54 | contains 39, eq 6, ends_with 5, wildcard 3, in 2, is_not_null 2, match 1, ne 1, regex_match 1, starts_with 1 | app.py, asgi.py, django, --experimental-https, *--experimental-https*
Type | 46 | eq 46 | Detection

Top indicator values (9332 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
event.type | eq | start | 190 | 606
EventID | eq | 4104 | 75 | 268
EventID | eq | 4688 | 57 | 313
EventID | eq | 1 | 43 | 237
EventID | eq | 4103 | 28 | 105
EventType | eq | exec | 64 | 171
Image | ends_with | \powershell.exe | 63 | 182
Image | ends_with | \pwsh.exe | 56 | 168
Image | ends_with | \cmd.exe | 40 | 130
event.category | eq | process | 63 | 128
process_name | eq | powershell.exe | 55 | 104
process_name | eq | cmd.exe | 41 | 77
process_name | eq | pwsh.exe | 39 | 62
process_name | eq | powershell_ise.exe | 32 | 50
process_name | in | bash | 55 | 88
process_name | in | sh | 54 | 83
process_name | in | zsh | 53 | 82
process_name | in | dash | 48 | 78
process_name | in | csh | 45 | 71
process_name | in | ksh | 45 | 73
process_name | in | fish | 44 | 72
process_name | in | tcsh | 44 | 69
EventType | in | exec | 52 | 171
EventType | in | start | 38 | 134
EventType | in | ProcessRollup2 | 35 | 117
EventType | in | exec_event | 35 | 139
OriginalFileName | eq | powershell.exe | 46 | 120
OriginalFileName | eq | pwsh.dll | 43 | 112
OriginalFileName | eq | cmd.exe | 23 | 65
process.args | eq | -c | 23 | 30

Exclusions (2291 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
dest_ip | cidr_match | 127.0.0.0/8 | 20
dest_ip | cidr_match | 169.254.0.0/16 | 19
dest_ip | cidr_match | 224.0.0.0/4 | 18
dest_ip | cidr_match | ::1 | 18
dest_ip | cidr_match | 10.0.0.0/8 | 13
dest_ip | cidr_match | 172.16.0.0/12 | 13
dest_ip | cidr_match | 192.168.0.0/16 | 13
dest_ip | cidr_match | 192.0.0.0/24 | 12
dest_ip | cidr_match | 192.0.2.0/24 | 12
dest_ip | cidr_match | 192.88.99.0/24 | 12
dest_ip | cidr_match | 240.0.0.0/4 | 12
dest_ip | cidr_match | FE80::/10 | 12
dest_ip | cidr_match | FF00::/8 | 12
dest_ip | cidr_match | 100.64.0.0/10 | 11
user.id | eq | S-1-5-18 | 17

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.

Vendor | Rules
Sigma | 425
Elastic | 306
Splunk | 280
Kusto | 63
YARA-L | 7
Panther | 12