Command Shell Obfuscated Commands
Looks for the execution of Windows Command Shell with unusually high counts of characters used for obfuscation. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule

```yaml
title: Command Shell Obfuscated Commands
id: a30afe67-bde7-450f-a143-96a1a86d26d9
status: experimental
description: Looks for the execution of Windows Command Shell with unusually high
    counts of characters used for obfuscation. Inspired by the 2022 Red Canary Threat
    Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.execution
    - attack.t1059.003
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    condition: selection
    selection:
        Image|endswith: '\cmd.exe'
        # regex below looks for eight or more total instances of the suspicious characters
        CommandLine|re: '^([^^=%![(; ]*[\^=%![(; ]){8,}[^^=%![(; ]*$'
falsepositives:
    - Legitimate processes with long or convoluted command lines.
level: high
```
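As an added example (not part of the rule or of the Sigma project), the rule's selection logic applied in Python to constructed process-creation events, so the regex threshold can be checked against concrete command lines. The event field names, the sample command lines and the case-insensitive comparison on Image are assumptions.

```python
import re

# Regex copied from the rule: eight or more of the characters ^ = % ! [ ( ; and space.
OBFUSCATION_RE = re.compile(r'^([^^=%![(; ]*[\^=%![(; ]){8,}[^^=%![(; ]*$')
# The same character set, for an explicit count that mirrors what the regex enforces.
SUSPICIOUS_CHARS = set('^=%![(; ')


def count_suspicious_chars(command_line: str) -> int:
    """Count the characters the rule treats as obfuscation indicators."""
    return sum(1 for ch in command_line if ch in SUSPICIOUS_CHARS)


def matches_rule(event: dict) -> bool:
    """Apply the rule's selection: Image ends with \\cmd.exe AND CommandLine matches the regex.

    Assumption: the endswith comparison is case-insensitive, as Sigma backends for
    Windows normally treat it.
    """
    image = event.get("Image", "")
    command_line = event.get("CommandLine", "")
    if not image.lower().endswith("\\cmd.exe"):
        return False
    return OBFUSCATION_RE.match(command_line) is not None


def evaluate(events: list) -> list:
    """Return the command lines of the events that the rule would alert on."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 5 carets + 3 spaces = 8 suspicious characters: meets the threshold.
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c ec^ho h^e^l^l^o"},
    # 2 spaces only: below the threshold.
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    # Many spaces, but the Image filter excludes non-cmd.exe processes.
    {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe a b c d e f g h i"},
    # Legitimate-looking command line with 10 spaces: flagged, the documented false-positive case.
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo one two three four five six seven eight"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(matches_rule(event), count_suspicious_chars(event["CommandLine"]), event["CommandLine"])
```

Because the space character is part of the class, any cmd.exe command line containing eight or more spaces satisfies the regex on its own, which is why the last sample is flagged and why the rule's falsepositives entry names long command lines.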
References
- https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
Related rules
- Powershell Obfuscation and Escape Characters
- Base64 Encoding in CMD or Powershell
- Command Shell Bypassing Security Controls
- Command Shell Unusual or Suspicious Process Ancestry
- Gootloader Stage 2 Registry Key Creation