Suspicious Windows Command Shell Arguments
Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior is often observed during malware installation.
[metadata]
creation_date = "2024/09/06"
# Data sources this rule is written for; each one has a matching index
# pattern under [rule].index further down.
integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
# Reason the minimum stack version below is pinned.
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/15"

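[rule]
author = ["Elastic"]
description = """
Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior is
often observed during malware installation.
"""
from = "now-9m"
# One pattern per data source named in [metadata].integration, plus winlogbeat.
index = [
  "winlogbeat-*",
  "logs-windows.*",
  "logs-system.security*",
  "logs-windows.sysmon_operational-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-m365_defender.event-*"
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Windows Command Shell Arguments"
risk_score = 73
rule_id = "d9ffc3d6-9de9-4b29-9395-5757d0695ecf"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Execution",
  "Data Source: System",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Microsoft Defender for Endpoint"
]
timestamp_override = "event.ingested"
type = "eql"

# Matching notes for the query below:
# - ":" is a case-insensitive match that honours "*" and "?" wildcards; "==" is
#   an exact, case-sensitive comparison.
# - Positive patterns come first, then the "/* false positives */" exclusions.
#   An exclusion keyed only on process.args is satisfied by any single matching
#   argument, which makes it broader than one keyed on process.parent.executable;
#   keep that in mind when extending the exclusion lists.
# - The process.parent.executable exclusion list is kept free of duplicate
#   entries; add a path once.
query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.name : "cmd.exe" and
 (

 process.command_line : ("*).Run(*", "*GetObject*", "* curl*regsvr32*", "*echo*wscript*", "*echo*ZONE.identifier*",
 "*ActiveXObject*", "*dir /s /b *echo*", "*unescape(*", "*findstr*TVNDRgAAAA*", "*findstr*passw*", "*start*\\\\*\\DavWWWRoot\\*",
 "* explorer*%CD%*", "*%cd%\\*.js*", "*attrib*%CD%*", "*/?cMD<*", "*/AutoIt3ExecuteScript*..*", "*&cls&cls&cls&cls&cls&*",
 "*&#*;&#*;&#*;&#*;*", "* &&s^eT*", "*& ChrW(*", "*&explorer /root*", "*start __ & __\\*", "*findstr /V /L *forfiles*",
 "*=wscri& set *", "*http*!COmpUternaME!*", "*start *.pdf * start /min cmd.exe /c *\\\\*", "*pip install*System.Net.WebClient*",
 "*Invoke-WebReques*Start-Process*", "*-command (Invoke-webrequest*", "*copy /b *\\\\* ping *-n*", "*echo*.ToCharArray*") or

 (process.args : "echo" and process.parent.name : ("wscript.exe", "mshta.exe")) or

 process.args : ("1>?:\\*.vbs", "1>?:\\*.js") or

 (process.args : "explorer.exe" and process.args : "type" and process.args : ">" and process.args : "start") or

 (process.parent.name : "explorer.exe" and
 process.command_line :
 ("*&&S^eT *",
 "*&& set *&& set *&& set *&& set *&& set *&& call*",
 "**\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??*")) or

 (process.parent.name : "explorer.exe" and process.args : "copy" and process.args : "&&" and process.args : "\\\\*@*\\*")
 ) and

 /* false positives */
 not (process.args : "%TEMP%\\Spiceworks\\*" and process.parent.name : "wmiprvse.exe") and
 not process.parent.executable :
 ("?:\\Perl64\\bin\\perl.exe",
 "?:\\Program Files\\nodejs\\node.exe",
 "?:\\Program Files\\HP\\RS\\pgsql\\bin\\pg_dumpall.exe",
 "?:\\Program Files (x86)\\PRTG Network Monitor\\64 bit\\PRTG Server.exe",
 "?:\\Program Files (x86)\\Spiceworks\\bin\\spiceworks-finder.exe",
 "?:\\Program Files (x86)\\Zuercher Suite\\production\\leds\\leds.exe",
 "?:\\Program Files\\Tripwire\\Agent\\Plugins\\twexec\\twexec.exe",
 "D:\\Agents\\?\\_work\\_tasks\\*\\SonarScanner.MSBuild.exe",
 "?:\\Program Files\\Microsoft VS Code\\Code.exe",
 "?:\\programmiweb\\NetBeans-*\\netbeans\\bin\\netbeans64.exe",
 "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe",
 "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe",
 "?:\\Program Files\\NetBeans-*\\netbeans\\bin\\netbeans*.exe",
 "?:\\Program Files (x86)\\Helpdesk Button\\button_gui.exe",
 "?:\\VTSPortable\\VTS\\jre\\bin\\javaw.exe",
 "?:\\Program Files\\Bot Framework Composer\\Bot Framework Composer.exe",
 "?:\\Program Files\\KMSYS Worldwide\\eQuate\\*\\SessionMgr.exe",
 "?:\\Program Files (x86)\\Craneware\\Pricing Analyzer\\Craneware.Pricing.Shell.exe",
 "?:\\Program Files (x86)\\jumpcloud-agent-app\\jumpcloud-agent-app.exe",
 "?:\\Program Files\\PostgreSQL\\*\\bin\\pg_dumpall.exe",
 "?:\\Program Files (x86)\\Vim\\vim*\\vimrun.exe") and
 not (process.args : "?:\\Program Files\\Citrix\\Secure Access Client\\nsauto.exe" and process.parent.name : "userinit.exe") and
 not process.args :
 ("?:\\Program Files (x86)\\PCMatic\\PCPitstopScheduleService.exe",
 "?:\\Program Files (x86)\\AllesTechnologyAgent\\*",
 "https://auth.axis.com/oauth2/oauth-authorize*") and
 not process.command_line :
 ("\"cmd\" /c %NETBEANS_MAVEN_COMMAND_LINE%",
 "?:\\Windows\\system32\\cmd.exe /q /d /s /c \"npm.cmd ^\"install^\" ^\"--no-bin-links^\" ^\"--production^\"\"") and
 not (process.name : "cmd.exe" and process.args : "%TEMP%\\Spiceworks\\*" and process.args : "http*/dataloader/persist_netstat_data") and
 not (process.args == "echo" and process.args == "GEQ" and process.args == "1073741824")
'''

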
# MITRE ATT&CK mapping: tactic Execution (TA0002), technique Command and
# Scripting Interpreter (T1059), sub-technique Windows Command Shell (T1059.003).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"



# Tactic sub-table of the [[rule.threat]] element above.
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"