Detect Use Of Cmd Exe To Launch Script Interpreters

Description

This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination of the machine

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Adversary Tactics

Alert Volume

This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination of the machine

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Execution

MITRE ATT&CK Techniques

Command and Scripting Interpreter

Windows Command Shell

MITRE Threat Groups

APT1
APT18
APT28
APT3
APT32
APT37
APT38
APT41
BRONZE BUTLER
Blue Mockingbird
Cobalt Group
Dark Caracal
Darkhotel
Dragonfly 2.0
FIN10
FIN6
FIN7
FIN8
Frankenstein
Gamaredon Group
Gorgon Group
Honeybee
Ke3chang
Lazarus Group
Leviathan
Magic Hound
MuddyWater
OilRig
Patchwork
Rancor
Silence
Soft Cell
Sowbug
Suckfly
TA505
Threat Group-1314
Threat Group-3390
Tropic Trooper
Turla
Wizard Spider
admin@338
menuPass

Data Sources

Endpoint Detection and Response

   Help

Detect Use Of Cmd Exe To Launch Script Interpreters Help

To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

   Search

Open in Search