CMMC Practice SI.5.222: Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
Normal system commands and scripts used by the adversary will be allowed by normal application whitelists. The adversary uses this fact to move around despite the presence of whitelisting or other defenses. An organization may use endpoint detection and response (EDR) to record system activities and events that occur. Analyzing EDR records is one way to identify execution of a script that operates outside of normal parameters, indicating an exploit is in progress. Another way to approach this is to use User and Entity Behavior Analytics solutions to identify malicious activity.