Which SIEM platforms have a T1059 detection rule?

df00tech provides T1059 (Command and Scripting Interpreter) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Command and Scripting Interpreter (T1059)?

Detecting Command and Scripting Interpreter requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1059 detection?

The T1059 detection is rated high severity with medium confidence.

What are common false positives for T1059?

Common false positives for T1059 include: Legitimate Office macros that invoke scripting engines for approved business automation; WMI-based management tools (SCCM, Intune) that spawn script interpreters for system configuration; Svchost launching script interpreters as part of scheduled tasks or Windows Update processes.

T1059

Command and Scripting Interpreter

Execution Last updated: April 16, 2026

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell. There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic. Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands.

What is T1059 Command and Scripting Interpreter?

Command and Scripting Interpreter (T1059) maps to the Execution tactic — the adversary is trying to run malicious code in MITRE ATT&CK.

This page provides production-ready detection logic for Command and Scripting Interpreter, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Execution
Technique: T1059 Command and Scripting Interpreter
Canonical reference: https://attack.mitre.org/techniques/T1059/

Microsoft Sentinel / Defender

kusto

let ScriptEngines = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "python.exe", "python3.exe", "perl.exe", "ruby.exe", "lua.exe", "node.exe", "osascript", "bash", "sh", "zsh", "AutoHotkey.exe", "AutoIt3.exe"]);
let SuspiciousParents = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe", "explorer.exe", "wmiprvse.exe", "svchost.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (ScriptEngines)
| where InitiatingProcessFileName has_any (SuspiciousParents)
| extend IsOfficeParent = InitiatingProcessFileName has_any ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| extend IsWMI = InitiatingProcessFileName =~ "wmiprvse.exe"
| extend IsSvchost = InitiatingProcessFileName =~ "svchost.exe"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, IsOfficeParent, IsWMI, IsSvchost
| sort by Timestamp desc

Detects suspicious execution of scripting interpreters spawned by unusual parent processes using Microsoft Defender for Endpoint. Focuses on script engines (PowerShell, cmd, wscript, cscript, mshta, python, node, etc.) being launched from Office applications, WMI, or service host processes, which are common indicators of malicious macro execution, lateral movement, or exploitation.

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate Office macros that invoke scripting engines for approved business automation
WMI-based management tools (SCCM, Intune) that spawn script interpreters for system configuration
Svchost launching script interpreters as part of scheduled tasks or Windows Update processes

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS host,
  username,
  "Process Name" AS image,
  "Command" AS commandline,
  "Parent Process Name" AS parent_image,
  CASE
    WHEN LOWER("Parent Process Name") IN ('winword.exe','excel.exe','powerpnt.exe','outlook.exe') THEN 1
    ELSE 0
  END AS is_office_parent,
  CASE
    WHEN LOWER("Parent Process Name") = 'wmiprvse.exe' THEN 1
    ELSE 0
  END AS is_wmi,
  CASE
    WHEN LOWER("Parent Process Name") = 'svchost.exe' THEN 1
    ELSE 0
  END AS is_svchost
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 261)
  AND QIDNAME(qid) ILIKE '%process%create%'
  AND LOWER("Process Name") IN ('powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe','mshta.exe','python.exe','python3.exe','perl.exe','ruby.exe','lua.exe','node.exe','autohotkey.exe','autoit3.exe')
  AND LOWER("Parent Process Name") IN ('winword.exe','excel.exe','powerpnt.exe','outlook.exe','msaccess.exe','mspub.exe','visio.exe','onenote.exe','explorer.exe','wmiprvse.exe','svchost.exe')
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC

QRadar AQL query detecting scripting interpreter processes launched from suspicious parent processes. Correlates against Sysmon Event ID 1 (Process Create) log sources ingested into QRadar, flagging Office macro execution, WMI-spawned interpreters, and service host-spawned scripts consistent with T1059 abuse.

high severity medium confidence

Data Sources

Microsoft Windows Sysmon (QRadar DSM) Microsoft Windows Security Event Log Windows Hosts via WinCollect

Required Tables

events

False Positives

Enterprise software packaging tools that invoke cmd.exe or PowerShell from svchost.exe during Windows service operations or patch deployments
Office add-ins or COM automation frameworks that legitimately launch scripting engines as part of document processing pipelines
Helpdesk or remote monitoring agents that run scripts from explorer.exe in response to user-initiated support sessions

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=os/windows/sysmon
| where EventID = "1"
| parse regex field=Image "(?<proc_name>[^\\\\]+)$"
| parse regex field=ParentImage "(?<parent_proc_name>[^\\\\]+)$"
| where toLowerCase(proc_name) in ("powershell.exe","pwsh.exe","cmd.exe","wscript.exe","cscript.exe","mshta.exe","python.exe","python3.exe","perl.exe","ruby.exe","lua.exe","node.exe","autohotkey.exe","autoit3.exe")
| where toLowerCase(parent_proc_name) in ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","msaccess.exe","mspub.exe","visio.exe","onenote.exe","explorer.exe","wmiprvse.exe","svchost.exe")
| if (toLowerCase(parent_proc_name) in ("winword.exe","excel.exe","powerpnt.exe","outlook.exe"), 1, 0) as is_office_parent
| if (toLowerCase(parent_proc_name) = "wmiprvse.exe", 1, 0) as is_wmi
| if (toLowerCase(parent_proc_name) = "svchost.exe", 1, 0) as is_svchost
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, is_office_parent, is_wmi, is_svchost
| sort by _messagetime desc

Sumo Logic query against Sysmon Event ID 1 logs detecting scripting interpreters (PowerShell, cmd, WScript, Python, Node.js, etc.) spawned from suspicious parent processes including Microsoft Office apps, WMI provider host, and svchost. Classifies events by parent process type to prioritize triage for T1059 technique detection.

high severity high confidence

Data Sources

Sysmon Event Log via Sumo Logic Windows Agent Sumo Logic Cloud SIEM Enterprise (CSE) Windows source

Required Tables

windows/sysmon os/windows/sysmon

False Positives

IT automation frameworks (Ansible, Chef, Puppet) that route execution through svchost-adjacent processes during configuration management runs
Legitimate macro-enabled Office templates used by finance or operations teams that invoke cmd.exe or PowerShell for business process automation
Security awareness testing tools or phishing simulation platforms that spawn scripting engines from Office processes as part of controlled exercises

Google Chronicle / SecOps

yaral

rule t1059_scripting_interpreter_suspicious_parent {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects command and scripting interpreters spawned by suspicious parent processes including Office apps, WMI, and svchost (MITRE ATT&CK T1059)"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|python\.exe|python3\.exe|perl\.exe|ruby\.exe|lua\.exe|node\.exe|AutoHotkey\.exe|AutoIt3\.exe)$/
    $e.principal.process.parent_process.file.full_path = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|msaccess\.exe|mspub\.exe|visio\.exe|onenote\.exe|explorer\.exe|wmiprvse\.exe|svchost\.exe)$/

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting scripting interpreter binaries (PowerShell, cmd, WScript, Python, Node.js, etc.) launched by suspicious parent processes including Microsoft Office applications, WMI provider host (wmiprvse.exe), and svchost.exe. Triggers on UDM PROCESS_LAUNCH events matching the parent-child process relationship indicative of macro execution, WMI abuse, or service-spawned interpreter activity.

high severity high confidence

Data Sources

Google Chronicle UDM via Windows Sensor Chronicle Forwarder (Sysmon or Windows Event Logs) CrowdStrike Falcon or Carbon Black EDR Chronicle integration

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Legitimate scheduled tasks registered under svchost service groups that invoke PowerShell or cmd.exe for maintenance operations such as disk cleanup or log rotation
Office-integrated business intelligence tools (Power Query, Excel macros for data refresh) that launch Python or PowerShell as part of sanctioned data pipeline workflows
WMI-based monitoring solutions (e.g., SCCM hardware inventory, Dell OpenManage) that use wmiprvse.exe to spawn scripting engines for asset discovery

Sigma rule & cross-platform mapping

The detection logic for Command and Scripting Interpreter (T1059) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1059 Sigma rules on detection.fyi

Platform-specific guides for T1059

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-16 Research depth: deep

References (5)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Office Macro Simulation — Word spawns PowerShell
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe spawning powershell.exe. Security Event ID 4688 with command line details showing the full chain.
Test 2WScript Execution of VBScript File
Expected signal: Sysmon Event ID 1: Process Create with Image=wscript.exe and CommandLine containing the .vbs file path. Sysmon Event ID 11: File Create for the .vbs file in the temp directory.
Test 3MSHTA Executing Inline VBScript
Expected signal: Sysmon Event ID 1: Process Create with Image=mshta.exe and CommandLine containing 'vbscript:Execute'. Child process creation event for calc.exe spawned by mshta.exe.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1059 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hub

TA0002Execution

Sub-techniques (13)

Related Techniques

T1059.001PowerShell T1059.003Windows Command Shell T1059.004Unix Shell T1059.005Visual Basic T1059.006Python T1059.007JavaScript T1204.002Malicious File T1047Windows Management Instrumentation T1027Obfuscated Files or Information T1105Ingress Tool Transfer

Command and Scripting Interpreter

What is T1059 Command and Scripting Interpreter?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1059

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (13)

Related Techniques

Same Tactic: Execution

Popular Detections

What is T1059 Command and Scripting Interpreter?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1059

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (13)

Related Techniques

Same Tactic: Execution

Popular Detections

Get new detections in your inbox