detection.wiki

ATT&CK coverage › Technique

Command and Scripting Interpreter T1059

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

Events covered

35 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon3Network connection
Sysmon5Process terminated
Sysmon7Image loaded
Sysmon11FileCreate
Sysmon23FileDelete (File Delete archived)
Sysmon26FileDeleteDetected (File Delete logged)
Security-Auditing4624An account was successfully logged on.
Security-Auditing4625An account failed to log on.
Security-Auditing4663An attempt was made to access an object.
Security-Auditing4688A new process has been created.
Security-Auditing4689A process has exited.
Security-Auditing4776The domain controller attempted to validate the credentials for an account.
Security-Auditing5156The Windows Filtering Platform has permitted a connection.
Defender-DeviceEvents9007000Defender event (any)
Defender-DeviceEvents9007001PowerShell command executed
Defender-DeviceEvents9007003AMSI script content captured
Defender-DeviceFileEvents9002000File activity (any)
Defender-DeviceNetworkEvents9004001Connection succeeded
Defender-DeviceProcessEvents9001000Process activity (any)
PowerShell4104Creating Scriptblock text (MessageNumber of MessageTotal).
Windows-Defender1006ProductName has detected malware or other potentially unwanted software.
Windows-Defender1015ProductName has detected a suspicious behavior.
Windows-Defender1116Product Name has detected malware or other potentially unwanted software.
Windows-Defender1117Product Name has taken action to protect this machine from malware or other potentially unwanted software.
Windows-Defender1121Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
Windows-Defender1122Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.
Windows-Defender1125Your IT administrator would have caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.
Windows-Defender1126Your IT administrator has caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.
Windows-Defender1129A user has allowed a blocked Microsoft Defender Exploit Guard operation.
Windows-Defender1131ProductName has blocked an operation that your administrator doesn't allow.
Windows-Defender1132ProductName has audited an operation.
Windows-Defender1133ProductName has blocked an operation that your administrator doesn't allow.
Windows-Defender1134ProductName has audited an operation.
Windows-Defender5007Product Name Configuration has changed.

Authoring guide

Patterns shared across the 94 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (35 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
CommandLine45match 40, contains 4, is_not_null 2, ends_with 2, regex_match 2, eq 2, is_null 1source , add , TVqQAAMAAAAEAAA, -e, script
Image41ends_with 38, match 3, starts_with 2\pwsh.exe, \winget.exe, \powershell.exe, \cmd.exe, \rundll32.exe
OriginalFileName26eq 25, match 1winget.exe, PowerShell.EXE, Cmd.Exe, pwsh.dll, ftp.exe
ParentImage12ends_with 10, starts_with 3, eq 2, match 2, in 1, is_null 1httpd.exe, beasvc.exe, w3wp.exe, \rundll32.exe, \regsvr32.exe
Esql.script_block_pattern_count10ge 101, 2, 20, 5
Esql.script_block_length8gt 8500, 1000
InitiatingProcessFileName7in 3, eq 2, starts_with 2, match 1powershell.exe, httpd.exe, beasvc.exe, w3wp.exe, psexe
EventID7eq 4, in 34688, 1125, 1126, 1133, 1
FileName6eq 4, in 1, match 1cmd.exe, powershell.exe, wscript.exe, netstat.exe, nslookup.exe
file.directory4is_null 4
ScriptBlockText4match 4+, `, {0}, -ExclusionExtension , -ExclusionIpAddress
ActionType4eq 3, match 1AmsiScriptContent, ConnectionSuccess, PowerShellCommand, ExploitGuardNonMicrosoftSignedBlocked
Description4eq 4Stracciatella, Windows sudo utility, The curl executable, Command line RAR
Process3is_not_null 1, ends_with 1, match 1solarwinds.businesslayerhost.exe, procList
Hashes3is_not_null 2, match 1SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f2..., SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6...

Top indicator values (536 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
Imageends_with\pwsh.exe8140
Imageends_with\powershell.exe8143
Imageends_with\cmd.exe792
Esql.script_block_pattern_countge166
Esql.script_block_lengthgt50066
Imageends_with\cscript.exe664
Imageends_with\wscript.exe664
Imageends_with\mshta.exe657
OriginalFileNameeqwinget.exe44
Imageends_with\winget.exe45
EventIDeq46883
CommandLinematchsource 33
CommandLinematchadd 39
OriginalFileNameeqCmd.Exe332
OriginalFileNameeqPowerShell.EXE364
OriginalFileNameeqpwsh.dll372
Imageends_with\rundll32.exe376
Imageends_with\regsvr32.exe357
CommandLinematch\AppData\Local\Temp38
EventIDin112633

Common exclusions (12 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

FieldKindValueRules excluding
ScriptBlockTextmatch[System.IO.File]::Open('C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender...1
ScriptBlockTextmatch$([char]0x1b)]6331
ScriptBlockTextmatch:::::\\\\windows\\\\sentinel1
ScriptBlockTextmatch$local:Bypassed1
ScriptBlockTextmatchorigPSExecutionPolicyPreference1
ScriptBlockTextmatch$s.BranchBehindStatusSymbol.Text1
ScriptBlockTextmatchGitBranchStatus1
ScriptBlockTextmatchsentinelbreakpoints1
ScriptBlockTextmatchGENESIS-56541
ProcessmatchexcludeProcs1
ImagematchC:\\Windows\\1
ImagematchprocList1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 57 rules

Elastic 12 rules

Splunk 4 rules

Kusto Query Language 21 rules