Command Shell Obfuscated Commands (RedCanary Threat Detection Report)
Detects command line strings with high numbers of suspicious characters, potentially for obfuscation. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)

```yaml
title: Command Shell Obfuscated Commands (RedCanary Threat Detection Report)
id: b6aed14c-95a2-4e03-9949-70bc73c08b64
status: experimental
description: Detects command line strings with high numbers of suspicious characters, potentially for obfuscation. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        # regex below looks for eight or more total instances of the suspicious characters
        CommandLine|re: '^([^^=%![(; ]*[\^=%![(; ]){8,}[^^=%![(; ]*$'
    condition: selection
falsepositives:
    - Legitimate processes with long or convoluted command lines.
level: low
```
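To see what the rule's regex actually selects, here is an added Python example (not part of the rule or of the RedCanary report) that applies the rule's `CommandLine|re` expression and its `Image|endswith` filter to a few constructed process-creation events. The `{8,}` repetition is only a counting construct: the regex fires exactly when the command line contains eight or more characters from the set `^ = % ! [ ( ;` and space, and the example checks that equivalence. The sample events and their field names are constructed for illustration; the regex is copied from the rule unchanged.

```python
import re

# The CommandLine regex from the Sigma rule above, unchanged.
OBFUSCATION_RE = re.compile(r'^([^^=%![(; ]*[\^=%![(; ]){8,}[^^=%![(; ]*$')

# The character set the regex is built from: ^ = % ! [ ( ; and space.
SUSPICIOUS_CHARS = frozenset('^=%![(; ')

# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    # plain cmd invocation: only two spaces, well below the threshold
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    # caret-padded tokens: 7 carets + 3 spaces = 10 suspicious characters
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c e^c^h^o h^e^l^l^o"},
    # benign but long one-liner: its 10 spaces alone cross the threshold,
    # which is the false positive the rule's own notes warn about
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo hello && ping 127.0.0.1 -n 1 > nul"},
    # 8 spaces, but the Image filter excludes anything that is not cmd.exe
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -NonInteractive -Command "
                    "Get-Process | Select-Object Name, Id"},
]


def count_suspicious(cmdline: str) -> int:
    """Number of characters in cmdline drawn from the rule's suspicious set."""
    return sum(1 for ch in cmdline if ch in SUSPICIOUS_CHARS)


def regex_matches(cmdline: str) -> bool:
    """Apply the rule's CommandLine|re modifier on its own."""
    return OBFUSCATION_RE.match(cmdline) is not None


def matches_rule(image: str, cmdline: str) -> bool:
    """Full selection: Image|endswith '\\cmd.exe' (Sigma string matching is
    case-insensitive, hence the lower()) AND the CommandLine regex."""
    return image.lower().endswith("\\cmd.exe") and regex_matches(cmdline)


def evaluate_events(events):
    """Run the rule over a list of events and return one result row each."""
    rows = []
    for ev in events:
        cmd = ev["CommandLine"]
        rows.append({
            "CommandLine": cmd,
            "suspicious_count": count_suspicious(cmd),
            "regex_matched": regex_matches(cmd),
            "matched": matches_rule(ev["Image"], cmd),
        })
    return rows


def regex_equals_threshold(events, threshold: int = 8) -> bool:
    """True when, for every event, the regex fires exactly when the
    suspicious-character count reaches the threshold."""
    return all(
        regex_matches(ev["CommandLine"])
        == (count_suspicious(ev["CommandLine"]) >= threshold)
        for ev in events
    )


if __name__ == "__main__":
    for row in evaluate_events(SAMPLE_EVENTS):
        flag = "ALERT" if row["matched"] else "-----"
        print(f"{flag} count={row['suspicious_count']:2d} {row['CommandLine']}")
```

Because the space character is part of the set, any cmd.exe command line with ten or more tokens trips the rule regardless of content, which is why it ships at level `low` and lists long command lines as a known false positive. When tuning for an environment, the threshold in `{8,}` and the membership of space in the class are the two levers to adjust, and `regex_equals_threshold` gives a quick way to confirm that a modified regex still counts what you think it counts.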
Related rules
- Command Shell Bypassing Security Controls (RedCanary Threat Detection Report)
- Command Shell Suspicious Process Ancestry (RedCanary Threat Detection Report)
- Explorer Spawning CMD With Start/Exit Commands (RedCanary Threat Detection Report)
- Service Control Manager Spawning Command Shell (RedCanary Threat Detection Report)
- Windows Scheduled Task Create Shell (RedCanary Threat Detection Report)