Suspicious Windows Command Shell Arguments

Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior is often observed during malware installation.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2024/09/06"
integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior
is often observed during malware installation.
"""
from = "now-9m"
index = [
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Windows Command Shell Arguments"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Windows Command Shell Arguments

The Windows Command Shell (cmd.exe) is a critical component for executing commands and scripts. Adversaries exploit it to execute malicious scripts, download payloads, or manipulate system settings. The detection rule identifies unusual command-line arguments and patterns indicative of such abuse, filtering out known benign processes to minimize false positives. This helps in early detection of potential threats by monitoring for suspicious command executions.

### Possible investigation steps

- Review the command line arguments associated with the cmd.exe process to identify any suspicious patterns or keywords such as "curl", "regsvr32", "wscript", or "Invoke-WebRequest" that may indicate malicious activity.
- Check the parent process of the cmd.exe execution to determine if it is a known benign process or if it is associated with potentially malicious activity, especially if the parent process is explorer.exe or other unusual executables.
- Investigate the user account associated with the cmd.exe process to determine if the activity aligns with the user's typical behavior or if it appears anomalous.
- Examine the network activity of the host to identify any unusual outbound connections or data transfers that may correlate with the suspicious command execution.
- Cross-reference the alert with other security logs or alerts from tools like Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and corroborate findings.
- Assess the risk score and severity of the alert to prioritize the investigation and determine if immediate response actions are necessary.

### False positive analysis

- Processes related to Spiceworks and wmiprvse.exe can trigger false positives. Exclude these by adding exceptions for process arguments containing "%TEMP%\\\\Spiceworks\\\\*" when the parent process is wmiprvse.exe.
- Development tools like Perl, Node.js, and NetBeans may cause false alerts. Exclude these by specifying their executable paths in the exception list.
- Citrix Secure Access Client initiated by userinit.exe can be a false positive. Exclude this by adding an exception for process arguments containing "?:\\\\Program Files\\\\Citrix\\\\Secure Access Client\\\\nsauto.exe" with the parent process name as userinit.exe.
- Scheduled tasks or services like PCPitstopScheduleService.exe may trigger alerts. Exclude these by adding their paths to the exception list.
- Command-line operations involving npm or Maven commands can be benign. Exclude these by specifying command-line patterns like "\\"cmd\\" /c %NETBEANS_MAVEN_COMMAND_LINE%" in the exception list.

### Response and remediation

- Isolate the affected system from the network to prevent further spread of potential malware or unauthorized access.
- Terminate any suspicious cmd.exe processes identified by the detection rule to halt malicious activity.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or scripts.
- Review and restore any altered system settings or configurations to their original state to ensure system integrity.
- Analyze the command-line arguments and parent processes involved in the alert to understand the scope and origin of the threat, and identify any additional compromised systems.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment measures are necessary.
- Implement additional monitoring and detection rules to identify similar suspicious command-line activities in the future, enhancing the organization's ability to detect and respond to such threats promptly."""
risk_score = 73
rule_id = "d9ffc3d6-9de9-4b29-9395-5757d0695ecf"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Windows Security Event Logs",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender for Endpoint",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.name : "cmd.exe" and
 (

  process.command_line : ("*).Run(*", "*GetObject*", "* curl*regsvr32*", "*echo*wscript*", "*echo*ZONE.identifier*",
  "*ActiveXObject*", "*dir /s /b *echo*", "*unescape(*",  "*findstr*TVNDRgAAAA*", "*findstr*passw*", "*start*\\\\*\\DavWWWRoot\\*",
  "* explorer*%CD%*", "*%cd%\\*.js*", "*attrib*%CD%*", "*/?cMD<*", "*/AutoIt3ExecuteScript*..*", "*&cls&cls&cls&cls&cls&*",
  "*&#*;&#*;&#*;&#*;*", "* &&s^eT*", "*& ChrW(*", "*&explorer /root*", "*start __ & __\\*", "*findstr /V /L *forfiles*",
  "*=wscri& set *", "*http*!COmpUternaME!*", "*start *.pdf * start /min cmd.exe /c *\\\\*", "*pip install*System.Net.WebClient*",
  "*Invoke-WebReques*Start-Process*", "*-command (Invoke-webrequest*", "*copy /b *\\\\* ping *-n*", "*echo*.ToCharArray*") or

  (process.args : "echo" and process.parent.name : ("wscript.exe", "mshta.exe")) or

  process.args : ("1>?:\\*.vbs", "1>?:\\*.js") or

  (process.args : "explorer.exe" and process.args : "type" and process.args : ">" and process.args : "start") or

  (process.parent.name : "explorer.exe" and
   process.command_line :
           ("*&&S^eT *",
            "*&& set *&& set *&& set *&& set *&& set *&& call*",
            "**\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??*")) or

   (process.parent.name : "explorer.exe" and process.args : "copy" and process.args : "&&" and process.args : "\\\\*@*\\*")
  ) and

  /* false positives */
  not (process.args : "%TEMP%\\Spiceworks\\*" and process.parent.name : "wmiprvse.exe") and
  not process.parent.executable :
                ("?:\\Perl64\\bin\\perl.exe",
                 "?:\\Program Files\\nodejs\\node.exe",
                 "?:\\Program Files\\HP\\RS\\pgsql\\bin\\pg_dumpall.exe",
                 "?:\\Program Files (x86)\\PRTG Network Monitor\\64 bit\\PRTG Server.exe",
                 "?:\\Program Files (x86)\\Spiceworks\\bin\\spiceworks-finder.exe",
                 "?:\\Program Files (x86)\\Zuercher Suite\\production\\leds\\leds.exe",
                 "?:\\Program Files\\Tripwire\\Agent\\Plugins\\twexec\\twexec.exe",
                 "D:\\Agents\\?\\_work\\_tasks\\*\\SonarScanner.MSBuild.exe",
                 "?:\\Program Files\\Microsoft VS Code\\Code.exe",
                 "?:\\programmiweb\\NetBeans-*\\netbeans\\bin\\netbeans64.exe",
                 "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe",
                 "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe",
                 "?:\\Program Files\\NetBeans-*\\netbeans\\bin\\netbeans*.exe",
                 "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe",
                 "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe",
                 "?:\\Program Files (x86)\\Helpdesk Button\\button_gui.exe",
                 "?:\\VTSPortable\\VTS\\jre\\bin\\javaw.exe",
                 "?:\\Program Files\\Bot Framework Composer\\Bot Framework Composer.exe",
                 "?:\\Program Files\\KMSYS Worldwide\\eQuate\\*\\SessionMgr.exe",
                 "?:\\Program Files (x86)\\Craneware\\Pricing Analyzer\\Craneware.Pricing.Shell.exe",
                 "?:\\Program Files (x86)\\jumpcloud-agent-app\\jumpcloud-agent-app.exe",
                 "?:\\Program Files\\PostgreSQL\\*\\bin\\pg_dumpall.exe",
                 "?:\\Program Files (x86)\\Vim\\vim*\\vimrun.exe") and
  not (process.args :  "?:\\Program Files\\Citrix\\Secure Access Client\\nsauto.exe" and process.parent.name : "userinit.exe") and
  not process.args :
            ("?:\\Program Files (x86)\\PCMatic\\PCPitstopScheduleService.exe",
             "?:\\Program Files (x86)\\AllesTechnologyAgent\\*",
             "https://auth.axis.com/oauth2/oauth-authorize*") and
  not process.command_line :
               ("\"cmd\" /c %NETBEANS_MAVEN_COMMAND_LINE%",
                "?:\\Windows\\system32\\cmd.exe /q /d /s /c \"npm.cmd ^\"install^\" ^\"--no-bin-links^\" ^\"--production^\"\"") and
  not (process.name : "cmd.exe" and process.args : "%TEMP%\\Spiceworks\\*" and process.args : "http*/dataloader/persist_netstat_data") and
  not (process.args == "echo" and process.args == "GEQ" and process.args == "1073741824")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
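To see how the query's positive conditions and its "false positives" block interact, the following is an added Python re-implementation of the rule's matching logic, run over constructed process-start events. It is example code written for this page, not Elastic's code or part of the rule; it models the EQL ":" operator as a case-insensitive wildcard match (the "==" exclusion as an exact comparison), carries only a subset of the rule's command-line patterns and parent-executable exclusions, and the event field names, the event ids and the sample command lines are all assumptions chosen for the demonstration.

```python
from fnmatch import fnmatchcase

# Subset of the rule's process.command_line patterns (EQL string escapes resolved).
COMMAND_LINE_PATTERNS = (
    "*).Run(*", "*GetObject*", "* curl*regsvr32*", "*echo*wscript*",
    "*echo*ZONE.identifier*", "*ActiveXObject*", "*dir /s /b *echo*",
    "*unescape(*", "*findstr*passw*", "*Invoke-WebReques*Start-Process*",
)

# Subset of the rule's process.parent.executable exclusions.
PARENT_EXE_EXCLUSIONS = (
    r"?:\Perl64\bin\perl.exe",
    r"?:\Program Files\nodejs\node.exe",
    r"?:\Program Files\Microsoft VS Code\Code.exe",
    r"?:\Program Files\NetBeans-*\netbeans\bin\netbeans*.exe",
)


def eql_match(value, patterns):
    """EQL ':' semantics: case-insensitive wildcard match against one pattern or any of several."""
    if isinstance(patterns, str):
        patterns = (patterns,)
    value = (value or "").lower()
    return any(fnmatchcase(value, p.lower()) for p in patterns)


def any_arg(args, patterns):
    """process.args : "x" is true when any element of the args array matches."""
    return any(eql_match(a, patterns) for a in args)


def is_suspicious(ev):
    """The rule's positive conditions (the large OR block), subset."""
    args = ev.get("process.args", [])
    parent = ev.get("process.parent.name", "")
    return (
        eql_match(ev.get("process.command_line", ""), COMMAND_LINE_PATTERNS)
        or (any_arg(args, "echo") and eql_match(parent, ("wscript.exe", "mshta.exe")))
        or any_arg(args, (r"1>?:\*.vbs", r"1>?:\*.js"))
        or all(any_arg(args, a) for a in ("explorer.exe", "type", ">", "start"))
    )


def is_excluded(ev):
    """The rule's '/* false positives */' block, subset."""
    args = ev.get("process.args", [])
    parent = ev.get("process.parent.name", "")
    return (
        (any_arg(args, r"%TEMP%\Spiceworks\*") and eql_match(parent, "wmiprvse.exe"))
        or eql_match(ev.get("process.parent.executable", ""), PARENT_EXE_EXCLUSIONS)
        or (any_arg(args, r"?:\Program Files\Citrix\Secure Access Client\nsauto.exe")
            and eql_match(parent, "userinit.exe"))
        # EQL '==' is an exact comparison, so no wildcard handling here
        or all(x in args for x in ("echo", "GEQ", "1073741824"))
    )


def matches_rule(ev):
    """Full rule: scope filter, then positive conditions, then exclusions."""
    if ev.get("host.os.type") != "windows" or ev.get("event.type") != "start":
        return False
    if not eql_match(ev.get("process.name", ""), "cmd.exe"):
        return False
    return is_suspicious(ev) and not is_excluded(ev)


def alerting_ids(events):
    """Ids of the events the rule would alert on, in input order."""
    return [ev["id"] for ev in events if matches_rule(ev)]


# Constructed sample events for the demonstration; not real telemetry.
SAMPLE_EVENTS = [
    {   # matches "*echo*wscript*", no exclusion applies -> alert
        "id": "evt-1", "host.os.type": "windows", "event.type": "start",
        "process.name": "cmd.exe", "process.parent.name": "explorer.exe",
        "process.parent.executable": r"C:\Windows\explorer.exe",
        "process.command_line": "cmd.exe /c echo hello & wscript.exe run.vbs",
        "process.args": ["cmd.exe", "/c", "echo", "hello", "&", "wscript.exe", "run.vbs"],
    },
    {   # matches "*dir /s /b *echo*" but hits the Spiceworks/wmiprvse exclusion -> no alert
        "id": "evt-2", "host.os.type": "windows", "event.type": "start",
        "process.name": "cmd.exe", "process.parent.name": "wmiprvse.exe",
        "process.parent.executable": r"C:\Windows\System32\wbem\wmiprvse.exe",
        "process.command_line": r"cmd.exe /c dir /s /b %TEMP%\Spiceworks\logs & echo done",
        "process.args": ["cmd.exe", "/c", "dir", "/s", "/b", r"%TEMP%\Spiceworks\logs", "&", "echo", "done"],
    },
    {   # ordinary command line, no pattern matches -> no alert
        "id": "evt-3", "host.os.type": "windows", "event.type": "start",
        "process.name": "cmd.exe", "process.parent.name": "explorer.exe",
        "process.parent.executable": r"C:\Windows\explorer.exe",
        "process.command_line": "cmd.exe /c ipconfig /all",
        "process.args": ["cmd.exe", "/c", "ipconfig", "/all"],
    },
    {   # "echo" argument with an mshta.exe parent -> alert
        "id": "evt-4", "host.os.type": "windows", "event.type": "start",
        "process.name": "cmd.exe", "process.parent.name": "mshta.exe",
        "process.parent.executable": r"C:\Windows\System32\mshta.exe",
        "process.command_line": "cmd.exe /c echo started",
        "process.args": ["cmd.exe", "/c", "echo", "started"],
    },
]

if __name__ == "__main__":
    print(alerting_ids(SAMPLE_EVENTS))  # ['evt-1', 'evt-4']
```

Two points the script makes concrete: a `process.args : "x"` clause is satisfied by any single element of the args array, so an exclusion keyed on one argument (the Spiceworks path) suppresses the alert even though the full command line still matches a suspicious pattern; and because the exclusions are evaluated after the positive conditions, widening a parent-executable exception silently removes every pattern match under that parent, which is worth keeping in mind when tuning the list.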
