Skip to content

Hide Navigation Hide TOC

Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd)

The execution of a text file that contains code via the interpreter.

Data Collection Measures:

  • Windows Event Logs:
    • Event ID 4104 (PowerShell Script Block Logging) – Captures full command-line execution of PowerShell scripts.
    • Event ID 4688 (Process Creation) – Detects script execution by tracking process launches (powershell.exe, wscript.exe, cscript.exe).
    • Event ID 5861 (Script Execution) – Captures script execution via Windows Defender AMSI logging.
  • Sysmon (Windows):
    • Event ID 1 (Process Creation) – Monitors script execution initiated by scripting engines.
    • Event ID 11 (File Creation) – Detects new script files written to disk before execution.
  • Endpoint Detection and Response (EDR) Tools:
    • Track script execution behavior, detect obfuscated commands, and prevent malicious scripts.
  • PowerShell Logging:
    • Enable Module Logging: Logs all loaded modules and cmdlets.
    • Enable Script Block Logging: Captures complete PowerShell script execution history.
  • SIEM Detection Rules:
    • Detect script execution with obfuscated, encoded, or remote URLs.
    • Alert on script executions using -EncodedCommand or iex(iwr).
Cluster A Galaxy A Cluster B Galaxy B Level
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern 1
Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern 1
Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 1
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
VBA Stomping - T1564.007 (c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component Cloud Administration Command - T1651 (d94b3ae9-8059-4989-8e9f-ea0f601f80a7) Attack Pattern 1
Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 1
Group Policy Discovery - T1615 (1b20efbf-8063-4fc3-a07d-b575318a301b) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component Archive via Library - T1560.002 (41868330-6ee2-4d0f-b743-9f2294c3c9b6) Attack Pattern 1
GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
Reversible Encryption - T1556.005 (d50955c2-272d-4ac8-95da-10c29dda1c48) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 1
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern 1
Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component Input Injection - T1674 (63e3d25c-d57d-407d-8e6a-2cecd71f90be) Attack Pattern 1
System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 1
Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component Lua - T1059.011 (afddee82-3385-4682-ad90-eeced33f2d07) Attack Pattern 1
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
SyncAppvPublishingServer - T1216.002 (e6f19759-dde3-47fc-99cc-d9f5fa4ade60) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 1
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) mitre-data-component 1
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern 2
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern VBA Stomping - T1564.007 (c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b) Attack Pattern 2
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Library - T1560.002 (41868330-6ee2-4d0f-b743-9f2294c3c9b6) Attack Pattern 2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Reversible Encryption - T1556.005 (d50955c2-272d-4ac8-95da-10c29dda1c48) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 2
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe) Attack Pattern PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58) Attack Pattern 2
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Lua - T1059.011 (afddee82-3385-4682-ad90-eeced33f2d07) Attack Pattern 2
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe) Attack Pattern SyncAppvPublishingServer - T1216.002 (e6f19759-dde3-47fc-99cc-d9f5fa4ade60) Attack Pattern 2
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern 2