
Detect Command and Scripting Interpreter in IBM QRadar

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell. There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic. Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands.

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Canonical reference
https://attack.mitre.org/techniques/T1059/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  "Process Name" AS image,
  "Command" AS commandline,
  "Parent Process Name" AS parent_image,
  CASE
    WHEN LOWER("Parent Process Name") IN ('winword.exe','excel.exe','powerpnt.exe','outlook.exe','msaccess.exe','mspub.exe','visio.exe','onenote.exe') THEN 1
    ELSE 0
  END AS is_office_parent,
  CASE
    WHEN LOWER("Parent Process Name") = 'wmiprvse.exe' THEN 1
    ELSE 0
  END AS is_wmi,
  CASE
    WHEN LOWER("Parent Process Name") = 'svchost.exe' THEN 1
    ELSE 0
  END AS is_svchost
FROM events
WHERE
  devicetype IN (12, 13, 261)
  AND QIDNAME(qid) ILIKE '%process%create%'
  AND LOWER("Process Name") IN ('powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe','mshta.exe','python.exe','python3.exe','perl.exe','ruby.exe','lua.exe','node.exe','autohotkey.exe','autoit3.exe')
  AND LOWER("Parent Process Name") IN ('winword.exe','excel.exe','powerpnt.exe','outlook.exe','msaccess.exe','mspub.exe','visio.exe','onenote.exe','explorer.exe','wmiprvse.exe','svchost.exe')
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
```

Severity: high, Confidence: medium

QRadar AQL query detecting scripting interpreter processes launched from suspicious parent processes. It matches process-creation events (Sysmon Event ID 1 and, where the Security log is collected, Event ID 4688, both normalised by the QRadar Windows DSM to a QID whose name contains "process" and "create") whose child is a known interpreter and whose parent is an Office application, wmiprvse.exe, svchost.exe or explorer.exe, flagging Office macro execution, WMI-spawned interpreters and service-host-spawned scripts consistent with T1059 abuse. Two checks before deploying it: confirm that the "Process Name" and "Parent Process Name" custom event properties return the bare file name, because if they extract the full Sysmon Image path the IN comparisons never match and the query silently returns nothing; and expect the explorer.exe branch to be the noisiest, since it also catches every console a user opens from the Start menu or through a file association.

Data Sources

  • Microsoft Windows Sysmon (QRadar DSM)
  • Microsoft Windows Security Event Log
  • Windows Hosts via WinCollect

Required Tables

events

False Positives & Tuning

  • Enterprise software packaging tools that invoke cmd.exe or PowerShell from svchost.exe during Windows service operations or patch deployments
  • Office add-ins or COM automation frameworks that legitimately launch scripting engines as part of document processing pipelines
  • Helpdesk or remote monitoring agents that run scripts from explorer.exe in response to user-initiated support sessions

Testing Methodology

Validate this detection against three Atomic Red Team test cases. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Because the query keys on the parent process, a test only produces a result row when the interpreter is launched from a parent in the rule's list (an Office application, explorer.exe, wmiprvse.exe or svchost.exe); running the same command from an interactive cmd.exe or PowerShell prompt generates the telemetry but no hit. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Office Macro Simulation — Word spawns PowerShell

    Expected signal: Sysmon Event ID 1 (Process Create) for winword.exe spawning powershell.exe, and Security Event ID 4688 with command-line details showing the full chain. If the simulation instead launches powershell.exe from cmd.exe, the recorded parent is cmd.exe, which is not in the query's parent list, so the event is logged but the rule does not fire.

  2. Test 2: WScript Execution of VBScript File

    Expected signal: Sysmon Event ID 1 (Process Create) with Image=wscript.exe and CommandLine containing the .vbs file path. Sysmon Event ID 11 (File Create) for the .vbs file in the temp directory. The rule matches only when wscript.exe has a listed parent; opening the .vbs from Explorer records explorer.exe as the parent, which the query accepts.

  3. Test 3: MSHTA Executing Inline VBScript

    Expected signal: Sysmon Event ID 1 (Process Create) with Image=mshta.exe and CommandLine containing 'vbscript:Execute'. A child process-creation event for calc.exe spawned by mshta.exe confirms execution but is not itself matched, since calc.exe is not in the interpreter list; the mshta.exe event matches only when its parent is one of the listed processes.
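As an added example that is not part of this page or of IBM's QRadar content, the rule's WHERE clause and CASE flags re-implemented in Python and run over constructed Sysmon Event ID 1 records, so the detection logic described with the query, the svchost.exe tuning case from the false-positive list, and the three test chains above can be checked offline before the AQL is deployed. The host names, user names, file paths and the ExamplePatchAgent allowlist entry are hypothetical. The example shows that the cmd.exe-parented variant of Test 1 never reaches the result set, and the basename() normalisation stands in for the assumption that the "Process Name" and "Parent Process Name" properties hold bare file names rather than full Image paths.

```python
"""Offline re-implementation of the T1059 QRadar AQL rule (added example,
not QRadar's or the page's own code). Field names mirror the query's custom
properties; sample telemetry below is constructed, not captured."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Child interpreters from the query's "Process Name" IN (...) list.
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "python.exe", "python3.exe", "perl.exe", "ruby.exe",
    "lua.exe", "node.exe", "autohotkey.exe", "autoit3.exe",
}
OFFICE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe",
}
SUSPICIOUS_PARENTS = OFFICE_PARENTS | {"explorer.exe", "wmiprvse.exe", "svchost.exe"}

# Hypothetical tuning allowlist for the "packaging tool under svchost.exe"
# false-positive class: (parent image, lower-case substring of the child's
# command line). ExamplePatchAgent is a placeholder, not a real product.
ALLOWLIST = (
    ("svchost.exe", "\\program files\\examplepatchagent\\"),
)


@dataclass(frozen=True)
class ProcessCreate:
    """One normalised process-creation event (Sysmon ID 1 / Security 4688)."""
    host: str
    user: str
    image: str          # maps to "Process Name"
    command_line: str   # maps to "Command"
    parent_image: str   # maps to "Parent Process Name"
    qid_name: str = "Process Create"  # what QIDNAME(qid) would return


def basename(path: str) -> str:
    """Lower-cased file name. The AQL compares the property with IN (...),
    which only works if the property already holds the bare name; this
    makes the Python version tolerant of full Image paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: ProcessCreate) -> Optional[dict]:
    """Return the row the query would emit for this event, or None when the
    WHERE clause or the tuning allowlist filters it out."""
    if not re.search(r"process.*create", event.qid_name, re.IGNORECASE):
        return None  # QIDNAME(qid) ILIKE '%process%create%'
    image, parent = basename(event.image), basename(event.parent_image)
    if image not in INTERPRETERS or parent not in SUSPICIOUS_PARENTS:
        return None
    cmd = event.command_line.lower()
    if any(parent == p and marker in cmd for p, marker in ALLOWLIST):
        return None  # tuned-out false positive
    return {
        "host": event.host,
        "username": event.user,
        "image": image,
        "commandline": event.command_line,
        "parent_image": parent,
        "is_office_parent": int(parent in OFFICE_PARENTS),
        "is_wmi": int(parent == "wmiprvse.exe"),
        "is_svchost": int(parent == "svchost.exe"),
    }


def run(events: List[ProcessCreate]) -> List[dict]:
    """Apply the rule to a batch and keep only the matching rows."""
    return [row for row in map(evaluate, events) if row is not None]


# Constructed sample telemetry (hypothetical hosts, users and paths).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Test 1 as the rule expects it: a Word macro launching PowerShell.
    ProcessCreate("WS01", "CORP\\alice", PS, "powershell.exe -nop -w hidden -enc AAAA",
                  r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    # Test 1 as often simulated: cmd.exe launching PowerShell; parent not listed.
    ProcessCreate("WS01", "CORP\\alice", PS, "powershell.exe -nop -w hidden -enc AAAA",
                  r"C:\Windows\System32\cmd.exe"),
    # Test 2: the .vbs opened from Explorer.
    ProcessCreate("WS01", "CORP\\alice", r"C:\Windows\System32\wscript.exe",
                  r'"C:\Windows\System32\wscript.exe" C:\Users\alice\AppData\Local\Temp\sys.vbs',
                  r"C:\Windows\explorer.exe"),
    # Test 3: mshta inline VBScript spawned through WMI.
    ProcessCreate("WS01", "CORP\\alice", r"C:\Windows\System32\mshta.exe",
                  'mshta.exe vbscript:Execute("...")', r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    # Tuning case: patch agent under svchost.exe, suppressed by the allowlist.
    ProcessCreate("WS01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\cmd.exe",
                  r'cmd.exe /c "C:\Program Files\ExamplePatchAgent\deploy.cmd"',
                  r"C:\Windows\System32\svchost.exe"),
    # Non-interpreter child from Explorer: ignored.
    ProcessCreate("WS01", "CORP\\alice", r"C:\Windows\System32\notepad.exe", "notepad.exe",
                  r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS):
        print(row)
```

Run the file directly to print the three rows that survive (the Word, Explorer and WMI chains). To carry an allowlist entry back into AQL, append a NOT condition on "Parent Process Name" and "Command" to the query's WHERE clause rather than widening the parent list.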
