The exhibit shows a series of process executions that form a suspicious chain involving scripting engines and obfuscated commands:
One critical indicator is cmd.exe executing PowerShell with obfuscated (Base64-encoded) arguments. The use of Base64 is a known method used by attackers to mask malicious commands. This aligns with attack techniques defined under MITRE ATT&CK T1059 (Command and Scripting Interpreter) and T1086 (PowerShell abuse). Therefore, option D is valid.
Another important IOC is WScript.exe acting as the parent of cmd.exe, which is abnormal in typical business environments. This indicates potential misuse of Windows Script Host (WSH) to launch commands, often seen in phishing or malware dropper scenarios. Thus, option E is also valid.
Options A and B by themselves are not definitive IOCs: PowerShell and cmd.exe are legitimate administrative tools that are frequently used in Windows environments.
Option C is not supported by the exhibit: the reverse (powershell.exe initiated by WScript.exe) is what is seen, not the other way around.
These patterns align with the CyberOps Technologies (CBRFIR) 300-215 study guide, which specifies that chaining of interpreters (e.g., WScript → cmd → PowerShell) with encoded commands is a key indicator of compromise during forensic analysis.
[Reference: CyberOps Technologies (CBRFIR) 300-215 study guide, Chapter on Identifying Malicious Activity in Host-Based Artifacts and Command-Line Analysis.]
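As an added illustration (not from the study guide or the question), the following Python checks a constructed set of process-creation events for the three patterns discussed above: WScript.exe as the parent of cmd.exe, PowerShell launched with a Base64 -EncodedCommand argument (decoded so an analyst can read what it hides), and the WScript → cmd → PowerShell chain. The event fields, PIDs and sample command lines are assumptions made for the example.

```python
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...) plus -ec.
_ENC_FLAGS = ["-" + "encodedcommand"[:n] for n in range(1, 15)] + ["-ec"]
_ENC_RE = re.compile(
    r"(?i)(?<!\S)(?:" + "|".join(re.escape(f) for f in _ENC_FLAGS) + r")\s+([A-Za-z0-9+/=]+)"
)

def decode_encoded_command(cmdline):
    """Return the plaintext behind a -EncodedCommand argument (UTF-16LE Base64), or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def lineage(events, pid):
    """Lower-cased image names from the root ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def find_iocs(events):
    """Flag the three patterns from the explanation; returns (pid, reason, detail) tuples."""
    findings = []
    for e in events:
        chain = lineage(events, e["pid"])
        if e["image"].lower() == "cmd.exe" and len(chain) >= 2 and chain[-2] == "wscript.exe":
            findings.append((e["pid"], "wscript_spawns_cmd", " -> ".join(chain)))
        decoded = decode_encoded_command(e["cmdline"])
        if decoded is not None:
            findings.append((e["pid"], "encoded_powershell", decoded))
        if chain[-3:] == ["wscript.exe", "cmd.exe", "powershell.exe"]:
            findings.append((e["pid"], "interpreter_chain", " -> ".join(chain)))
    return findings

# Constructed sample events (not the exam exhibit); the encoded payload is a benign command.
_ENC = base64.b64encode("Write-Host 'hello'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WScript.exe", "cmdline": 'WScript.exe "invoice.js"'},
    {"pid": 300, "ppid": 200, "image": "cmd.exe", "cmdline": "cmd.exe /c powershell -NoP -enc " + _ENC},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "cmdline": "powershell -NoP -enc " + _ENC},
    {"pid": 500, "ppid": 100, "image": "cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"},
]
```

Running `find_iocs(SAMPLE_EVENTS)` flags pids 300 and 400 only; the plain `cmd.exe /c ipconfig` child of explorer.exe (pid 500) produces no finding, matching the point that cmd.exe alone is not an IOC.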