Script Interpreter Execution From Suspicious Folder (1228c958-e64e-4e71-92ad-7d429f4138ba)

Detects script execution from suspicious directories or folders accessible by environment variables, which may indicate malware activity. Script interpreters (cscript, wscript, mshta, powershell) executing from folders such as Temp, Public, or user profile directories may suggest attempts to evade detection or execute malicious scripts.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Script Interpreter Execution From Suspicious Folder (1228c958-e64e-4e71-92ad-7d429f4138ba) | Sigma-Rules | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 1 |