Suspicious Windows Command Shell Arguments

  1[metadata]
  2creation_date = "2024/09/06"
  3integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
  4maturity = "production"
  5updated_date = "2026/05/03"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior
 11is often observed during malware installation.
 12"""
 13from = "now-9m"
 14index = [
 15    "logs-crowdstrike.fdr*",
 16    "logs-m365_defender.event-*",
 17    "logs-sentinel_one_cloud_funnel.*",
 18    "logs-system.security*",
 19    "logs-windows.forwarded*",
 20    "logs-windows.sysmon_operational-*",
 21    "winlogbeat-*",
 22    "endgame-*",
 23]
 24language = "eql"
 25license = "Elastic License v2"
 26name = "Suspicious Windows Command Shell Arguments"
 27risk_score = 73
 28rule_id = "d9ffc3d6-9de9-4b29-9395-5757d0695ecf"
 29severity = "high"
 30tags = [
 31    "Domain: Endpoint",
 32    "OS: Windows",
 33    "Use Case: Threat Detection",
 34    "Tactic: Execution",
 35    "Resources: Investigation Guide",
 36    "Data Source: Windows Security Event Logs",
 37    "Data Source: Sysmon",
 38    "Data Source: SentinelOne",
 39    "Data Source: Microsoft Defender XDR",
 40    "Data Source: Elastic Endgame",
 41    "Data Source: Crowdstrike",
 42]
 43timestamp_override = "event.ingested"
 44type = "eql"
 45
 46query = '''
 47process where host.os.type == "windows" and event.type == "start" and
 48  process.name : "cmd.exe" and
 49  (
 50    process.command_line : (
 51        "*).Run(*", "*GetObject*", "* curl*regsvr32*", "*echo*wscript*", "*echo*ZONE.identifier*",
 52        "*ActiveXObject*", "*dir /s /b *echo*", "*unescape(*",  "*findstr*TVNDRgAAAA*", "*findstr*passw*", "*start*\\\\*\\DavWWWRoot\\*",
 53        "* explorer*%CD%*", "*%cd%\\*.js*", "*attrib*%CD%*", "*/?cMD<*", "*/AutoIt3ExecuteScript*..*", "*&cls&cls&cls&cls&cls&*",
 54        "*&#*;&#*;&#*;&#*;*", "* &&s^eT*", "*& ChrW(*", "*&explorer /root*", "*start __ & __\\*", "*findstr /V /L *forfiles*",
 55        "*=wscri& set *", "*http*!COmpUternaME!*", "*start *.pdf * start /min cmd.exe /c *\\\\*", "*pip install*System.Net.WebClient*",
 56        "*Invoke-WebReques*Start-Process*", "*-command (Invoke-webrequest*", "*copy /b *\\\\* ping *-n*", "*echo*.ToCharArray*"
 57    ) or
 58
 59    (process.args : "echo" and process.parent.name : ("wscript.exe", "mshta.exe")) or
 60    
 61    process.args : ("1>?:\\*.vbs", "1>?:\\*.js") or
 62
 63    (process.args : "explorer.exe" and process.args : "type" and process.args : ">" and process.args : "start") or
 64
 65    (
 66      process.parent.name : "explorer.exe" and
 67      process.command_line : (
 68        "*&&S^eT *",
 69        "*&& set *&& set *&& set *&& set *&& set *&& call*",
 70        "**\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??*"
 71      )
 72    ) or
 73
 74    (process.parent.name : "explorer.exe" and process.args : "copy" and process.args : "&&" and process.args : "\\\\*@*\\*")
 75  ) and
 76
 77  /* false positives */
 78  not (process.args : "%TEMP%\\Spiceworks\\*" and process.parent.name : "wmiprvse.exe") and
 79  not ?process.parent.executable : (
 80        "?:\\Perl64\\bin\\perl.exe",
 81        "?:\\Program Files\\nodejs\\node.exe",
 82        "?:\\Program Files\\HP\\RS\\pgsql\\bin\\pg_dumpall.exe",
 83        "?:\\Program Files (x86)\\PRTG Network Monitor\\64 bit\\PRTG Server.exe",
 84        "?:\\Program Files (x86)\\Spiceworks\\bin\\spiceworks-finder.exe",
 85        "?:\\Program Files (x86)\\Zuercher Suite\\production\\leds\\leds.exe",
 86        "?:\\Program Files\\Tripwire\\Agent\\Plugins\\twexec\\twexec.exe",
 87        "D:\\Agents\\?\\_work\\_tasks\\*\\SonarScanner.MSBuild.exe",
 88        "?:\\Program Files\\Microsoft VS Code\\Code.exe",
 89        "?:\\programmiweb\\NetBeans-*\\netbeans\\bin\\netbeans64.exe",
 90        "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe",
 91        "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe",
 92        "?:\\Program Files\\NetBeans-*\\netbeans\\bin\\netbeans*.exe",
 93        "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe",
 94        "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe",
 95        "?:\\Program Files (x86)\\Helpdesk Button\\button_gui.exe",
 96        "?:\\VTSPortable\\VTS\\jre\\bin\\javaw.exe",
 97        "?:\\Program Files\\Bot Framework Composer\\Bot Framework Composer.exe",
 98        "?:\\Program Files\\KMSYS Worldwide\\eQuate\\*\\SessionMgr.exe",
 99        "?:\\Program Files (x86)\\Craneware\\Pricing Analyzer\\Craneware.Pricing.Shell.exe",
100        "?:\\Program Files (x86)\\jumpcloud-agent-app\\jumpcloud-agent-app.exe",
101        "?:\\Program Files\\PostgreSQL\\*\\bin\\pg_dumpall.exe",
102        "?:\\Program Files (x86)\\Vim\\vim*\\vimrun.exe") and
103  not (
104        /* Crowdstrike doesn't populate process.parent.executable */
105        data_stream.dataset == "crowdstrike.fdr" and
106        process.parent.name : (
107          "perl.exe", "node.exe", "pg_dumpall.exe", "PRTG Server.exe", "spiceworks-finder.exe", "leds.exe", "twexec.exe",
108          "SonarScanner.MSBuild.exe", "Code.exe", "netbeans64.exe", "javaw.exe", "Bot Framework Composer.exe", "SessionMgr.exe",
109          "Craneware.Pricing.Shell.exe", "jumpcloud-agent-app.exe", "vimrun.exe"
110        )
111      ) and
112  not (process.args :  "?:\\Program Files\\Citrix\\Secure Access Client\\nsauto.exe" and process.parent.name : "userinit.exe") and
113  not process.args : (
114        "?:\\Program Files (x86)\\PCMatic\\PCPitstopScheduleService.exe",
115        "?:\\Program Files (x86)\\AllesTechnologyAgent\\*",
116        "https://auth.axis.com/oauth2/oauth-authorize*"
117  ) and
118  not process.command_line : (
119    "\"cmd\" /c %NETBEANS_MAVEN_COMMAND_LINE%",
120    "?:\\Windows\\system32\\cmd.exe /q /d /s /c \"npm.cmd ^\"install^\" ^\"--no-bin-links^\" ^\"--production^\"\""
121  ) and
122  not (process.name : "cmd.exe" and process.args : "%TEMP%\\Spiceworks\\*" and process.args : "http*/dataloader/persist_netstat_data") and
123  not (process.args == "echo" and process.args == "GEQ" and process.args == "1073741824")
124'''
125
126note = """## Triage and analysis
127
128### Investigating Suspicious Windows Command Shell Arguments
129
130#### Possible investigation steps
131
132- What abuse path and launch context does the alerting "cmd.exe" show?
133  - Focus: `process.command_line`, `process.args`, `process.executable`, `process.parent.executable`, and `process.parent.command_line`; classify reconstruction, remote retrieval, WebDAV or UNC execution, obfuscated environment setup, or handoff to "regsvr32.exe", "wscript.exe", "mshta.exe", PowerShell, or AutoIt.
134  - Implication: escalate when the command reconstructs scripts, pulls remote content, starts from a remote share, chains to proxy execution, runs from a non-native path, or has a parent conflicting with command purpose; lower suspicion only when parent-command, user-host, child, artifact, and destination evidence form one consistent current activity. Identity or recurrence alone does not clear suspicious arguments.
135
136- Did the same "cmd.exe" instance launch a second stage?
137  - Focus: child starts where `host.id` and `process.parent.entity_id` map to `process.entity_id`; review child `process.executable` and `process.command_line`. $investigate_2
138  - Hint: if `process.entity_id` is absent, use `host.id` plus `process.pid` in a tight alert-time window.
139  - Implication: escalate when the shell launches PowerShell, "regsvr32.exe", "wscript.exe", "mshta.exe", archive tools, script files, or newly staged payloads; lower suspicion when no child follows or stays inside the parent directory or command-named output path.
140
141- If endpoint file telemetry is available, did the shell reconstruct or stage executable content?
142  - Focus: file activity tied to `process.entity_id` or, if needed, `host.id` plus `process.pid`, checking `file.path`, `file.Ext.original.path`, `file.Ext.header_bytes`, and `file.Ext.windows.zone_identifier`. $investigate_4
143  - Implication: escalate when the shell writes scriptable files, rebuilds archive or PE content, renames staged payloads, or leaves internet-marked content in temp, public, or user-writable paths; lower suspicion when paths stay under the parent directory or command-named output path and no written content later executes. Missing file telemetry is unresolved, not benign.
144
145- If endpoint network telemetry is available, did the shell retrieve content or execute from WebDAV or UNC infrastructure?
146  - Focus: process-scoped DNS and connections for `host.id` and `process.entity_id`; compare DNS `dns.question.name` or `dns.resolved_ip` and connection `destination.ip` or `destination.port` with UNC, "DavWWWRoot", or URL fragments in `process.command_line`. $investigate_3
147  - Hint: if `dns.resolved_ip` is present, correlate it to `destination.ip` on the same host and process before judging the destination.
148  - Implication: escalate when the shell reaches rare public hosts, unexpected WebDAV endpoints, or shares unrelated to the parent; lower suspicion when DNS and connections match the share, URL, or host pattern visible in the command and parent. Missing network telemetry is unresolved, not benign.
149
150- If local findings remain suspicious or unresolved, does the pattern recur on the same host or user?
151  - Focus: recent alerts for the same `host.id`, emphasizing execution, delivery, persistence, or proxy-execution detections that reuse the same command-shell pattern. $investigate_0
152  - Hint: if the host is shared or quiet, compare recent alerts for the same `user.id` to test whether the user carries the pattern to other systems. $investigate_1
153  - Implication: broaden scope when the same host or user also shows delivery, shell, or persistence alerts; keep local when related alerts are clean and telemetry binds one parent-command, child, artifact, destination, and user-host tuple.
154
155- What disposition does the parent-command, child, artifact, destination, and user-host tuple support?
156  - Escalate for staged execution, remote retrieval, script reconstruction, proxy execution, or broader compromise; close only when alert-local command, parent, child, artifact, destination, user-host, and related-alert evidence bind one exact benign tuple with no contradictions. Preserve evidence and escalate on conflicts or incomplete visibility.
157
158### False positive analysis
159
160- Packaging, build, installer, or developer activity can use "cmd.exe" to reconstruct files, call package managers, or hand off to helper utilities. Confirm `process.parent.executable`, `process.parent.command_line`, `process.command_line`, `user.id`, and `host.id` align with the same current parent path, helper command, package cache, build output, or database-export output, and that recovered child, file, or destination evidence does not conflict. Build records or change tickets are corroboration only.
161- Remote-support or software-distribution activity can reference UNC paths or "DavWWWRoot". When network or file telemetry exists, confirm `process.command_line`, `process.parent.executable`, `host.id`, and any recovered `dns.question.name`, `destination.ip`, or `file.path` stay inside one current distribution share, vendor endpoint, support-client cache, or deployment path and no unexpected child appears. Missing file or network telemetry is unresolved, not benign. Support records or inventories are corroboration only.
162- Before creating an exception, validate that the same `process.parent.executable`, `process.command_line`, `user.id`, `host.id`, and recovered artifact or destination anchors recur across prior alerts from this rule. Avoid exceptions on "cmd.exe" alone, one argument token, one destination, or parent name.
163
164### Response and remediation
165
166- If confirmed benign, reverse temporary containment and document the parent command, alerting command, user-host scope, and recovered artifact or destination evidence. Create an exception only after the same tuple is stable across prior alerts from this rule.
167- If suspicious but unconfirmed, preserve the alert, Timeline records, full command lines, process tree, recovered child details, staged files, and DNS or connection evidence before destructive action. Apply reversible containment first, such as temporary destination restrictions or heightened monitoring on `host.id` and `user.id`; isolate only when follow-on execution, staged payloads, or remote retrieval justifies disruption.
168- If confirmed malicious, isolate the host when identity, lineage, artifact, or destination evidence establishes unauthorized execution, then block confirmed malicious domains, destinations, or hashes. Record malicious shell and child identifiers before termination, scope related hosts and users before artifact removal, then remove only the scripts, archives, rebuilt payloads, persistence artifacts, or launcher components identified during the investigation.
169- Post-incident hardening: retain process, file, and network telemetry. If browser, explorer, script-host, or AutoIt launch paths were involved, review controls for user-driven shell launches; if WebDAV, UNC, or URL retrieval was involved, review remote-share and WebDAV execution controls. Note adjacent "mshta.exe", "wscript.exe", "regsvr32.exe", PowerShell, AutoIt, and explorer-driven clickfix-style variants for future triage.
170"""
171
172setup = """## Setup
173
174This rule requires telemetry from one of the configured source integrations to be enabled and ingested.
175
176### Supported data sources
177
178This rule can use the following data sources. For setup instructions, refer to the links below:
179
180- [CrowdStrike](https://ela.st/crowdstrike-integration)
181- [Microsoft Defender XDR](https://ela.st/m365-defender)
182- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
183- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
184- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
185"""
186
187[rule.investigation_fields]
188field_names = [
189    "@timestamp",
190    "host.id",
191    "user.id",
192    "process.entity_id",
193    "process.pid",
194    "process.executable",
195    "process.command_line",
196    "process.args",
197    "process.parent.name",
198    "process.parent.executable",
199    "process.parent.command_line",
200    "process.parent.args",
201]
202
203[transform]
204
205[[transform.investigate]]
206label = "Alerts associated with the host"
207description = ""
208providers = [
209  [
210    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
211    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
212  ]
213]
214relativeFrom = "now-48h/h"
215relativeTo = "now"
216
217[[transform.investigate]]
218label = "Alerts associated with the user"
219description = ""
220providers = [
221  [
222    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
223    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
224  ]
225]
226relativeFrom = "now-48h/h"
227relativeTo = "now"
228
229[[transform.investigate]]
230label = "Child process starts from the same cmd.exe instance"
231description = ""
232providers = [
233  [
234    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
235    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
236    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
237  ],
238  [
239    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
240    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
241    { excluded = false, field = "process.parent.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" }
242  ]
243]
244relativeFrom = "now-1h"
245relativeTo = "now"
246
247[[transform.investigate]]
248label = "Network activity for the alerting cmd.exe instance"
249description = ""
250providers = [
251  [
252    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
253    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
254    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
255  ],
256  [
257    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
258    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" },
259    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
260  ]
261]
262relativeFrom = "now-1h"
263relativeTo = "now"
264
265[[transform.investigate]]
266label = "File activity for the alerting cmd.exe instance"
267description = ""
268providers = [
269  [
270    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
271    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
272    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
273  ],
274  [
275    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
276    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" },
277    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
278  ]
279]
280relativeFrom = "now-1h"
281relativeTo = "now"
282
283[[rule.threat]]
284framework = "MITRE ATT&CK"
285
286[[rule.threat.technique]]
287id = "T1059"
288name = "Command and Scripting Interpreter"
289reference = "https://attack.mitre.org/techniques/T1059/"
290
291[[rule.threat.technique.subtechnique]]
292id = "T1059.003"
293name = "Windows Command Shell"
294reference = "https://attack.mitre.org/techniques/T1059/003/"
295
296[rule.threat.tactic]
297id = "TA0002"
298name = "Execution"
299reference = "https://attack.mitre.org/tactics/TA0002/"
300
301[[rule.threat]]
302framework = "MITRE ATT&CK"
303
304[[rule.threat.technique]]
305id = "T1105"
306name = "Ingress Tool Transfer"
307reference = "https://attack.mitre.org/techniques/T1105/"
308
309[rule.threat.tactic]
310id = "TA0011"
311name = "Command and Control"
312reference = "https://attack.mitre.org/tactics/TA0011/"
313
314[[rule.threat]]
315framework = "MITRE ATT&CK"
316
317[[rule.threat.technique]]
318id = "T1027"
319name = "Obfuscated Files or Information"
320reference = "https://attack.mitre.org/techniques/T1027/"
321
322[[rule.threat.technique]]
323id = "T1218"
324name = "System Binary Proxy Execution"
325reference = "https://attack.mitre.org/techniques/T1218/"
326
327[[rule.threat.technique.subtechnique]]
328id = "T1218.005"
329name = "Mshta"
330reference = "https://attack.mitre.org/techniques/T1218/005/"
331
332[[rule.threat.technique.subtechnique]]
333id = "T1218.010"
334name = "Regsvr32"
335reference = "https://attack.mitre.org/techniques/T1218/010/"
336
337[rule.threat.tactic]
338id = "TA0005"
339name = "Defense Evasion"
340reference = "https://attack.mitre.org/tactics/TA0005/"