Explorer Spawning CMD With Start/Exit Commands (RedCanary Threat Detection Report)
Detects instances of explorer.exe spawning cmd.exe along with corresponding start and exit commands that we commonly observe in conjunction with a wide variety of malicious activity. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule

```yaml
title: Explorer Spawning CMD With Start/Exit Commands (RedCanary Threat Detection Report)
id: c4e301d9-9f2d-4a81-9c98-60596edb55a3
status: experimental
description: |
    Detects instances of explorer.exe spawning cmd.exe along with corresponding start and
    exit commands that we commonly observe in conjunction with a wide variety of malicious
    activity. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'start'
            - 'exit'
    condition: selection
falsepositives:
    - Unknown
level: low
```
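To show what the selection above actually matches, here is an added example (not part of the rule or of the RedCanary report) that evaluates the three field conditions in plain Python over a handful of constructed process_creation events. Sigma's `endswith` and `contains` modifiers are case-insensitive substring tests, so the example lower-cases both sides; it also includes a word-bounded variant, which is a tuning idea of ours rather than anything the rule specifies, to illustrate why `contains: 'start'` also fires on tokens such as `startup`. Field names, sample paths and command lines are assumptions made up for the demonstration.

```python
import re
from typing import Dict, List

# The rule's selection block, restated as data. Keys mirror the Sigma
# field|modifier syntax so the mapping back to the YAML is obvious.
SELECTION = {
    "ParentImage|endswith": "\\explorer.exe",
    "Image|endswith": "\\cmd.exe",
    "CommandLine|contains|all": ["start", "exit"],
}


def _endswith(value: str, suffix: str) -> bool:
    # Sigma string matching is case-insensitive by default.
    return value.lower().endswith(suffix.lower())


def _contains_all(value: str, needles: List[str]) -> bool:
    # contains|all: every listed substring must appear somewhere in the field.
    v = value.lower()
    return all(n.lower() in v for n in needles)


def _parent_and_image_match(event: Dict[str, str]) -> bool:
    return _endswith(event.get("ParentImage", ""), SELECTION["ParentImage|endswith"]) and \
        _endswith(event.get("Image", ""), SELECTION["Image|endswith"])


def matches(event: Dict[str, str]) -> bool:
    """True when a process_creation event satisfies the rule's selection as written."""
    return _parent_and_image_match(event) and _contains_all(
        event.get("CommandLine", ""), SELECTION["CommandLine|contains|all"]
    )


# Hypothetical tuning variant (not in the rule): require 'start' and 'exit' as
# whole tokens so that 'startup' or 'exited' alone do not satisfy the check.
_WORD_PATTERNS = [re.compile(r"\b" + re.escape(n) + r"\b", re.IGNORECASE)
                  for n in SELECTION["CommandLine|contains|all"]]


def matches_word_bounded(event: Dict[str, str]) -> bool:
    if not _parent_and_image_match(event):
        return False
    cmdline = event.get("CommandLine", "")
    return all(p.search(cmdline) for p in _WORD_PATTERNS)


# Constructed sample events; these are not real telemetry.
SAMPLE_EVENTS = [
    # 0: hit - explorer -> cmd, command line carries both start and exit
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c start notepad.exe & exit"},
    # 1: miss - same command line, but the parent is not explorer.exe
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c start notepad.exe & exit"},
    # 2: miss - 'exit' is absent from the command line
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c start notepad.exe"},
    # 3: hit under plain 'contains' only - 'startup' and 'exited' are substrings
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /k echo startup script exited"},
]


def run(events: List[Dict[str, str]], strict: bool = False) -> List[int]:
    """Return the indexes of events that match (rule semantics, or the word-bounded variant)."""
    check = matches_word_bounded if strict else matches
    return [i for i, e in enumerate(events) if check(e)]


if __name__ == "__main__":
    for i in run(SAMPLE_EVENTS):
        print(f"rule match   : event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
    for i in run(SAMPLE_EVENTS, strict=True):
        print(f"strict match : event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Running it shows events 0 and 3 matching the rule as written and only event 0 matching the word-bounded variant, which is the trade-off to weigh before deploying the rule at `level: low` with `falsepositives: Unknown`: the substring form is deliberately broad, so expect to tune on your own baseline of explorer-spawned shells.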
Related rules
- Command Shell Bypassing Security Controls (RedCanary Threat Detection Report)
- Command Shell Obfuscated Commands (RedCanary Threat Detection Report)
- Command Shell Suspicious Process Ancestry (RedCanary Threat Detection Report)
- Service Control Manager Spawning Command Shell (RedCanary Threat Detection Report)
- Windows Scheduled Task Create Shell (RedCanary Threat Detection Report)