Script Execution Analysis
Definition
Analyzing the execution of a script to detect unauthorized user activity.
How it works
Software installed on the host system hooks into a scripting engine to intercept commands before they are executed and blocks those determined to be harmful. Pattern matching is used to identify unauthorized commands; in the case of script files, a hash of the file is compared against hashes of known unauthorized script files.
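The two checks described above, as an added example that is not part of the original article or the referenced patent: a pre-execution gate that pattern-matches each command and compares a script file's hash against a deny list. The rule names, patterns, sample script and the `guarded_execute` hook are constructed for illustration, and SHA-256 is an assumed choice of hash.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed deny patterns; a real deployment loads a maintained rule set.
DENY_PATTERNS = {
    "download-and-execute": re.compile(r"invoke-expression.*downloadstring", re.I | re.S),
    "encoded-command": re.compile(r"-enc(odedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
}

# Constructed sample standing in for a known unauthorized script file.
KNOWN_BAD_SCRIPT = b"Write-Output 'constructed unauthorized script sample'\n"
DENY_HASHES = {hashlib.sha256(KNOWN_BAD_SCRIPT).hexdigest()}


@dataclass(frozen=True)
class Verdict:
    allow: bool
    reason: str


def check_command(command: str) -> Verdict:
    """Pattern-match one command before the engine runs it."""
    for name, pattern in DENY_PATTERNS.items():
        if pattern.search(command):
            return Verdict(False, f"pattern:{name}")
    return Verdict(True, "no-match")


def check_script_file(content: bytes) -> Verdict:
    """Compare the file hash to the deny list, then pattern-match each line."""
    digest = hashlib.sha256(content).hexdigest()
    if digest in DENY_HASHES:
        return Verdict(False, f"hash:{digest[:12]}")
    for line in content.decode("utf-8", errors="replace").splitlines():
        verdict = check_command(line)
        if not verdict.allow:
            return verdict
    return Verdict(True, "no-match")


def guarded_execute(command: str, engine) -> Verdict:
    """Hypothetical hook: the engine callable runs only if the check allows it."""
    verdict = check_command(command)
    if verdict.allow:
        engine(command)
    return verdict
```

A hash entry matches only a byte-identical file, which is why the file check also runs the pattern rules over the script body.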
Considerations
The list of known unauthorized script files or regular expression patterns must be kept up to date to ensure detection of new threats.
References
The following references were used to develop the Script Execution Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Detecting script-based malware
MITRE Comments
The patent describes techniques that can be implemented to detect and block malicious commands and command scripts from being executed by scripting engines.
Script Execution Monitoring explanation
This patent describes software installed on the host system that hooks into methods of a scripting engine to intercept commands before they are executed and block commands if they are determined to be harmful. For example, regular expression checking may be used to identify commands having malicious patterns. Expression checking may be used for script files as well as interactively typed commands.
File Content Signatures explanation
This patent includes File Content Signatures because in the case of a script file, a hash of the file is compared against hashes of known malicious script files to determine whether the script file is malicious.