this detection may also be triggered by legitimate applications and numerous service accounts, which often end with a $ sign. to manage this, it's advised to check the service account's activities and, if they are valid, modify the filter macro to exclude them.

t1059
t1059.003
endpoint
splunk

Techniques

T1059
T1059.003

Sample rules

Detect Use of cmd exe to Launch Script Interpreters

source: splunk
technicques:
- T1059
- T1059.003

Description

This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination of the machine

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="cmd.exe" (Processes.process_name=cscript.exe OR Processes.process_name =wscript.exe) by Processes.parent_process Processes.process_name Processes.process Processes.user Processes.dest 
| `drop_dm_object_name("Processes")` 
| `security_content_ctime(firstTime)`
|`security_content_ctime(lastTime)` 
| `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`