Command Shell Bypassing Security Controls
Detects common ways to bypass controls using Windows Command Shell. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule (View on GitHub)
1title: Command Shell Bypassing Security Controls
2id: 188b256a-4344-47fb-88ed-6343b37c4999
3status: experimental
4description: Detects common ways to bypass controls using Windows Command Shell. Inspired
5 by the 2022 Red Canary Threat Detection report.
6references:
7 - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
8author: Micah Babinski
9date: 2022/11/03
10tags:
11 - attack.execution
12 - attack.t1059.003
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 Image|endswith: '\cmd.exe'
19 CommandLine|contains|windash:
20 - 'bypass'
21 - '-exec'
22 condition: selection
23falsepositives:
24 - Unknown
25level: high```
References
-
Windows Command Shell is a favorite among adversaries because it can call on any executable on the system to execute batch files and more.
Read More
Related rules
- Command Shell Obfuscated Commands
- Command Shell Unusual or Suspicious Process Ancestry
- Powershell Obfuscation and Escape Characters
- Base64 Encoding in CMD or Powershell
- Gootloader Stage 2 Registry Key Creation