Admin command prompt
SCKIPT is an initiative created by Sergio Albea that focuses on detecting possible User Behaviours that can put the security of our systems at risk. More explanations here.
Initially, SCKIPT focused on the behavior of Standard Users, referring to accounts with no privileges or advanced roles. In 2025, it was upgraded to include the monitoring of Privileged User behavior, ensuring that they do not abuse their assigned roles and that all their activities are effectively tracked.
UB – User Behaviour; Rp – Related Page; K – KQL Queries; W – WebSites; M – MITRE ATT&CK Reference
SCKIPT User Behaviour Matrix (Privileged Users)

Source (UB) | Case Scenario (C) | Known Interactions (K) | Protection (P) | Threats (T) |
---|---|---|---|---|
PUB2. Command Prompt | PUB2.C1 – Execute command lines | PUB2.C1.K1 – Execute command lines that modify system properties | PUB2.C1.K1.P1 – Configure system policies to revert to baseline configurations; configure corresponding monitoring to detect system modifications | PUB2.C1.K1.T1 – Non-compliant systems with possible vulnerabilities |
PUB2. Command Prompt | PUB2.C1 – Execute command lines | PUB2.C1.K2 – Execute command lines that modify permissions | PUB2.C1.K2.P1 – | PUB2.C1.K2.T2 – |
PUB2. Command Prompt | PUB2.C2 – Create Scheduled Tasks running command lines | | | |