Detect Command and Scripting Interpreter in Sumo Logic CSE
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell. There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic. Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1059 Command and Scripting Interpreter
- Canonical reference: https://attack.mitre.org/techniques/T1059/
Sumo Detection Query
_sourceCategory=windows/sysmon OR _sourceCategory=os/windows/sysmon
| where EventID = "1"
| parse regex field=Image "(?<proc_name>[^\\\\]+)$"
| parse regex field=ParentImage "(?<parent_proc_name>[^\\\\]+)$"
| where toLowerCase(proc_name) in ("powershell.exe","pwsh.exe","cmd.exe","wscript.exe","cscript.exe","mshta.exe","python.exe","python3.exe","perl.exe","ruby.exe","lua.exe","node.exe","autohotkey.exe","autoit3.exe")
| where toLowerCase(parent_proc_name) in ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","msaccess.exe","mspub.exe","visio.exe","onenote.exe","explorer.exe","wmiprvse.exe","svchost.exe")
| if (toLowerCase(parent_proc_name) in ("winword.exe","excel.exe","powerpnt.exe","outlook.exe"), 1, 0) as is_office_parent
| if (toLowerCase(parent_proc_name) = "wmiprvse.exe", 1, 0) as is_wmi
| if (toLowerCase(parent_proc_name) = "svchost.exe", 1, 0) as is_svchost
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, is_office_parent, is_wmi, is_svchost
| sort by _messagetime desc

Sumo Logic query against Sysmon Event ID 1 logs detecting scripting interpreters (PowerShell, cmd, WScript, Python, Node.js, etc.) spawned from suspicious parent processes including Microsoft Office apps, WMI provider host, and svchost. Classifies events by parent process type to prioritize triage for T1059 technique detection.
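To make the query's filtering and classification logic testable offline, here is an added Python re-implementation of the same pipeline (this is editor-added example code, not part of the original detection package). It mirrors the interpreter and parent allowlists above, extracts the process basename with the same `[^\\]+$` regex, and sets the is_office_parent / is_wmi / is_svchost flags. The Sysmon records are constructed samples, and the tie-breaking order in run_detection is an assumption about triage priority, not something the query itself does.

```python
import re

# Interpreter and parent lists copied from the Sumo query above.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "python.exe", "python3.exe", "perl.exe", "ruby.exe",
                "lua.exe", "node.exe", "autohotkey.exe", "autoit3.exe"}
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe",
                      "explorer.exe", "wmiprvse.exe", "svchost.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Same regex the query's "parse regex" uses: everything after the last backslash.
BASENAME_RE = re.compile(r"(?P<name>[^\\]+)$")

def basename(path):
    m = BASENAME_RE.search(path or "")
    return m.group("name").lower() if m else ""

def classify(event):
    """Return the triage record for one Sysmon event, or None if the query would drop it."""
    if str(event.get("EventID")) != "1":          # only Process Create events
        return None
    proc = basename(event.get("Image"))
    parent = basename(event.get("ParentImage"))
    if proc not in INTERPRETERS or parent not in SUSPICIOUS_PARENTS:
        return None
    return {"Computer": event.get("Computer"), "User": event.get("User"),
            "proc_name": proc, "parent_proc_name": parent,
            "CommandLine": event.get("CommandLine"),
            "is_office_parent": int(parent in OFFICE_PARENTS),
            "is_wmi": int(parent == "wmiprvse.exe"),
            "is_svchost": int(parent == "svchost.exe")}

# Constructed sample events (not real telemetry): one Office-spawned PowerShell,
# one WMI-spawned cmd.exe, one benign non-interpreter, and one non-EventID-1 record.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "Computer": "WS02", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventID": 1, "Computer": "WS03", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

def run_detection(events):
    """Apply classify() to every event; Office-spawned hits sort first (assumed priority)."""
    hits = [h for h in map(classify, events) if h]
    return sorted(hits, key=lambda h: (h["is_office_parent"], h["is_wmi"]), reverse=True)
```

Running run_detection(SAMPLE_EVENTS) returns two hits, the WINWORD.EXE parent first and the WmiPrvSE.exe parent second; the notepad.exe and EventID 3 records are dropped exactly as the query's where clauses would drop them.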
False Positives & Tuning
- IT automation frameworks (Ansible, Chef, Puppet) that route execution through svchost-adjacent processes during configuration management runs
- Legitimate macro-enabled Office templates used by finance or operations teams that invoke cmd.exe or PowerShell for business process automation
- Security awareness testing tools or phishing simulation platforms that spawn scripting engines from Office processes as part of controlled exercises
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Office Macro Simulation — Word spawns PowerShell
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe spawning powershell.exe. Security Event ID 4688 with command line details showing the full chain.
- Test 2: WScript Execution of VBScript File
Expected signal: Sysmon Event ID 1: Process Create with Image=wscript.exe and CommandLine containing the .vbs file path. Sysmon Event ID 11: File Create for the .vbs file in the temp directory.
- Test 3: MSHTA Executing Inline VBScript
Expected signal: Sysmon Event ID 1: Process Create with Image=mshta.exe and CommandLine containing 'vbscript:Execute'. Child process creation event for calc.exe spawned by mshta.exe.
References
- https://attack.mitre.org/techniques/T1059/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://lolbas-project.github.io/