Detects the execution of scripting or command interpreters (e.g., powershell.exe, cmd.exe, wscript.exe) outside expected administrative time windows or from abnormal user contexts, often accompanied by encoded or obfuscated arguments or followed by secondary execution events.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| CommandLinePattern | Tunable to match encoded or uncommon script execution patterns specific to the environment. |
| ParentProcessName | May vary across managed/unmanaged workstations or user-driven script activity. |
| TimeWindow | Used to restrict analysis to work hours or known admin maintenance windows. |
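The following is an added example (not part of the analytic source) that applies the three tunable elements above to constructed Sysmon Event ID 1 records: the interpreter list, the expected parent set, the 08:00-18:00 UTC admin window and the encoded-argument regex are all assumed values to be adjusted per environment.

```python
import re
from datetime import datetime

# Tunables (assumptions, adjust per environment).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
EXPECTED_PARENTS = {"explorer.exe", "windowsterminal.exe", "code.exe"}  # ParentProcessName
ADMIN_WINDOW = (8, 18)  # TimeWindow: maintenance hours, 08:00-18:00 UTC
# CommandLinePattern: -e/-ec/-enc/-EncodedCommand followed by a base64 blob,
# a hidden window style, or in-script base64 decoding.
CMDLINE_PATTERN = re.compile(
    r"-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|-w(?:indowstyle)?\s+hidden|frombase64string",
    re.IGNORECASE,
)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyze(event):
    """Return the list of analytic signals raised by one process-creation event."""
    if basename(event["Image"]) not in INTERPRETERS:
        return []
    reasons = []
    hour = datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f").hour
    if not ADMIN_WINDOW[0] <= hour < ADMIN_WINDOW[1]:
        reasons.append("outside_admin_window")
    parent = basename(event["ParentImage"])
    if parent not in EXPECTED_PARENTS:
        reasons.append("unexpected_parent:" + parent)
    if CMDLINE_PATTERN.search(event["CommandLine"]):
        reasons.append("encoded_or_hidden_cmdline")
    return reasons

def detect(events, min_signals=2):
    """Alert only when signals combine; a lone out-of-hours cmd.exe is noise, not an alert."""
    return [(e["User"], basename(e["Image"]), analyze(e)) for e in events if len(analyze(e)) >= min_signals]

# Constructed sample records; field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-07 14:12:03.111", "User": "CORP\\jsmith", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"UtcTime": "2024-05-07 02:41:17.004", "User": "CORP\\svc-backup",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     # base64 of UTF-16LE "Get-Date": a harmless stand-in for an encoded argument
     "CommandLine": "powershell.exe -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="},
    {"UtcTime": "2024-05-07 22:30:00.000", "User": "CORP\\admin1", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Users\\admin1\\AppData\\Local\\Microsoft\\WindowsApps\\WindowsTerminal.exe",
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for user, image, reasons in detect(SAMPLE_EVENTS):
        print(f"ALERT {user} {image}: {', '.join(reasons)}")
```

Only the second record trips the alert; the third shows why the time window alone is a weak signal and is better combined with parent lineage or command-line patterns.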
Detects use of shell interpreters (e.g., bash, sh, python, perl) initiated by users or processes not normally executing them, especially when chaining suspicious utilities like netcat, curl, or ssh.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |

| Field | Description |
|---|---|
| InterpreterName | Regex to identify which interpreters (bash, python, ruby) to monitor based on typical usage. |
| UserContext | Scope to users or service accounts not expected to run interpreters interactively. |
| ExecutionChainLength | Defines maximum process tree depth to correlate interpreter execution with its effects. |
Detects the launch of command-line interpreters via Terminal, Automator, or hidden osascript, especially when the parent process lineage deviates from user-initiated applications.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | log stream --info --predicate 'eventMessage CONTAINS "exec"' |

| Field | Description |
|---|---|
| LaunchAgentName | Monitor for specific plist agents frequently abused for persistence or payload execution. |
| ScriptName | Path or script name pattern (e.g., hidden files, /tmp locations). |
| TerminalAppUsage | Adjust based on whether Terminal.app use is common or restricted in user policy. |
Detects use of 'esxcli system' or direct interpreter commands (e.g., busybox shell) invoked unexpectedly from SSH or the host terminal.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | esxi:vobd | shell session start |

| Field | Description |
|---|---|
| ShellEnabledFlag | Control alerting based on whether ESXi shell access is typically disabled. |
| SSHContext | Scope detection to SSH session origins or internal vs. remote access. |
Identifies CLI interpreter access (e.g., Cisco IOS, Juniper JUNOS) via enable mode or scripting-capable sessions used by uncommon accounts or from unknown IPs.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | networkdevice:cli | shell command |
| User Account Authentication (DC0002) | networkdevice:syslog | authentication & authorization |

| Field | Description |
|---|---|
| UserRole | Which roles or privilege levels should be monitored for interpreter misuse. |
| DeviceType | Support filtering for routers, switches, firewalls depending on network segmentation. |