Command Shell Bypassing Security Controls (RedCanary Threat Detection Report)

Detects command line strings which indicate potential attempts to bypass controls. Part of the RedCanary 2023 Threat Detection Report.

Sigma rule

```yaml
title: Command Shell Bypassing Security Controls (RedCanary Threat Detection Report)
id: e76af6c9-1c66-4ed7-9a36-b2f905e2e78c
status: experimental
description: Detects command line strings which indicate potential attempts to bypass controls. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'bypass'
            - '-exec'
    condition: selection
falsepositives:
    - Unknown
level: low
```
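To see what the selection above actually fires on, here is an added Python evaluator (not part of the rule or of the SigmaHQ project) that applies the rule's `Image|endswith` and `CommandLine|contains` logic, with Sigma's default case-insensitive string matching, to constructed process-creation events; the event dictionaries and field names are assumptions modelled on typical Windows process-creation telemetry.

```python
"""Evaluate the Sigma selection from this rule against constructed events.

Sigma string modifiers are case-insensitive by default, so 'Bypass' and
'-ExecutionPolicy' must match the lower-case patterns in the rule.
"""

# Selection copied from the rule: every key must match (AND); the list of
# patterns under one key is an OR of alternatives.
SELECTION = {
    "Image|endswith": ["\\cmd.exe"],
    "CommandLine|contains": ["bypass", "-exec"],
}


def _match_field(modifier: str, value: str, patterns: list[str]) -> bool:
    """Apply one Sigma modifier (case-insensitive) to a single field value."""
    v = value.lower()
    for p in patterns:
        p = p.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
    return False


def matches(event: dict, selection: dict = SELECTION) -> bool:
    """True when every field|modifier pair in the selection matches the event."""
    for key, patterns in selection.items():
        field, modifier = key.split("|", 1)
        if not _match_field(modifier, event.get(field, ""), patterns):
            return False
    return True


# Constructed sample events (not real telemetry) in process_creation shape.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -ExecutionPolicy Bypass -File deploy.ps1"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\Users"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -exec bypass"},  # parent image is not cmd.exe
]


def alerts(events: list[dict]) -> list[str]:
    """Return the command lines of the events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Only the first event fires: the third carries both keywords but its image is powershell.exe, so the `Image|endswith: '\cmd.exe'` clause excludes it, which is worth remembering when tuning this rule against the `falsepositives: Unknown` entry.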
