Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system but script execution is enabled, scripts that run out of cycle with patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
Monitor executed commands and arguments for actions that could be taken to collect internal data.
Monitor for unexpected files (e.g., .pdf, .docx, .jpg) being viewed, which may indicate collection of internal data.
Monitor for information collection on assets that may indicate deviations from standard operational tools. Examples include unexpected industrial automation protocol functions, new high volume communication sessions, or broad collection across many hosts within the network.
| Data Component | Name | Channel |
|---|---|---|
| Script Execution (DC0029) | Script | None |
| Command Execution (DC0064) | Command | None |
| File Access (DC0055) | File | None |
| Network Traffic Content (DC0085) | Network Traffic | None |
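As an added example that is not part of the original page, the detection notes above expressed as rules over a constructed event stream tagged with the Script Execution, File Access and Network Traffic Content components: a script run outside the patching window, a document type read by a script host, and one process reaching many remote hosts. The maintenance window, the script-host list and the breadth threshold are assumed values a site would tune to its own baseline.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample telemetry (not from a real system): one record per event,
# tagged with the data component it maps to (script / file / network).
EVENTS = [
    {"ts": "2024-03-06T02:10:00", "host": "eng-ws-01", "type": "script",
     "process": "powershell.exe", "target": "C:\\Temp\\gather.ps1"},
    {"ts": "2024-03-06T02:11:00", "host": "eng-ws-01", "type": "file",
     "process": "powershell.exe", "target": "\\\\fs-01\\eng\\plc_layout.pdf"},
    {"ts": "2024-03-06T02:11:30", "host": "eng-ws-01", "type": "file",
     "process": "winword.exe", "target": "\\\\fs-01\\eng\\shift_report.docx"},
    {"ts": "2024-03-06T02:12:00", "host": "eng-ws-01", "type": "network",
     "process": "powershell.exe", "target": "fs-01"},
    {"ts": "2024-03-06T02:12:05", "host": "eng-ws-01", "type": "network",
     "process": "powershell.exe", "target": "fs-02"},
    {"ts": "2024-03-06T02:12:09", "host": "eng-ws-01", "type": "network",
     "process": "powershell.exe", "target": "hist-01"},
    {"ts": "2024-03-09T03:00:00", "host": "eng-ws-02", "type": "script",
     "process": "powershell.exe", "target": "C:\\Patching\\install_kb.ps1"},
]

# Assumed site policy: patching runs Saturdays 01:00-04:59, so a script seen at
# any other time is "out of cycle" in the sense of the guidance above.
MAINTENANCE_WEEKDAY, MAINTENANCE_HOURS = 5, range(1, 5)
# Assumed: the document types the guidance names, and the script/shell hosts
# that would not normally open them interactively.
DOC_EXTENSIONS = (".pdf", ".docx", ".jpg")
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
BREADTH_THRESHOLD = 3  # assumed: distinct remote hosts reached by one process

def detect(events):
    """Return (rule, host, detail) findings for the three heuristics."""
    findings, reached = [], defaultdict(set)  # reached: (host, proc) -> remotes
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        in_window = ts.weekday() == MAINTENANCE_WEEKDAY and ts.hour in MAINTENANCE_HOURS
        if e["type"] == "script" and not in_window:
            findings.append(("script_out_of_cycle", e["host"], e["target"]))
        elif (e["type"] == "file" and e["process"] in SCRIPT_HOSTS
              and e["target"].lower().endswith(DOC_EXTENSIONS)):
            findings.append(("document_read_by_script_host", e["host"], e["target"]))
        elif e["type"] == "network":
            reached[(e["host"], e["process"])].add(e["target"])
    for (host, proc), remotes in reached.items():
        if len(remotes) >= BREADTH_THRESHOLD:
            findings.append(("broad_collection", host, f"{proc} -> {sorted(remotes)}"))
    return findings

if __name__ == "__main__":
    print(*detect(EVENTS), sep="\n")
```

The Saturday-window script and the Word document opened by winword.exe are left alone, which is the point of baselining against the site's own administrative schedule and viewer processes rather than alerting on every script or document read.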