Command Shell Suspicious Process Ancestry (RedCanary Threat Detection Report)

 1title: Command Shell Suspicious Process Ancestry (RedCanary Threat Detection Report)
 2id: 60cb2beb-d2ba-4a47-ad68-e97576985c70
 3status: experimental
 4description: Detects IIS worker process spawning command shell. Part of the RedCanary 2023 Threat Detection Report.
 5references:
 6    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
 7author: RedCanary, Sigma formatting by Micah Babinski
 8date: 2023/05/10
 9tags:
10    - attack.execution
11    - attack.t1059.003
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        ParentImage|endswith:
18            - '\w3wp.exe'
19            - '\wmiprvse.exe'
20        Image|endswith: '\cmd.exe'
21        CommandLine|contains:
22            - 'http://'
23            - 'https://'
24            - 'echo'
25    condition: selection
26falsepositives:
27    - Unknown
28level: low```

References

• Red Canary analyzes how Windows Command Shell is used by adversaries

  

  Windows Command Shell is a favorite among adversaries because it can call on any executable on the system to execute batch files and more.

  
  Read More

Related rules

• Command Shell Bypassing Security Controls (RedCanary Threat Detection Report)
• Command Shell Obfuscated Commands (RedCanary Threat Detection Report)
• Explorer Spawning CMD With Start/Exit Commands (RedCanary Threat Detection Report)
• Service Control Manager Spawning Command Shell (RedCanary Threat Detection Report)
• Windows Scheduled Task Create Shell (RedCanary Threat Detection Report)