Script Interpreter Execution From Suspicious Folder (1228c958-e64e-4e71-92ad-7d429f4138ba)
Detects script execution from suspicious directories or folders accessible via environment variables, which may indicate malware activity. Script interpreters (cscript, wscript, mshta, powershell) executing from folders such as Temp, Public, or user profile directories may suggest attempts to evade detection or execute malicious scripts.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Script Interpreter Execution From Suspicious Folder (1228c958-e64e-4e71-92ad-7d429f4138ba) | Sigma-Rules | 1 |