Service Control Manager Spawning Command Shell (RedCanary Threat Detection Report)
Detects suspect command line strings in CMD processes spawned by services.exe. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)

```yaml
title: Service Control Manager Spawning Command Shell (RedCanary Threat Detection Report)
id: 80f850be-12ea-4bb8-b000-6e485dc821f5
status: experimental
description: |
  Detects suspect command line strings in CMD processes spawned by services.exe.
  Part of the RedCanary 2023 Threat Detection Report.
references:
  - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
  - attack.execution
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\services.exe'
    Image|endswith: '\cmd.exe'
    CommandLine|contains|windash:
      - 'echo'
      - '/c'
  condition: selection
falsepositives:
  - Unknown
level: low
```
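The rule's `selection` block evaluated against constructed process-creation events, as an added example that is not part of the Sigma rule or the RedCanary report. It shows how the `windash` modifier makes `/c` also match `-c`, and why a bare `contains` on `/c` keeps the level low. The prefix-expansion regex is a simplification written for this example, not pySigma's own implementation.

```python
import re

# Switch-prefix characters that Sigma's windash modifier treats as equivalent:
# '-', '/', en dash, em dash, horizontal bar. The regex below only swaps a
# prefix at the start of a token (simplified assumption, not pySigma's code).
DASH_CHARS = "-/\u2013\u2014\u2015"
PREFIX_RE = re.compile(r"(?:(?<=\s)|^)[" + DASH_CHARS + "]")

# The rule's selection block, field|modifier -> value(s).
RULE = {
    "ParentImage|endswith": "\\services.exe",
    "Image|endswith": "\\cmd.exe",
    "CommandLine|contains|windash": ["echo", "/c"],
}

def windash_variants(value: str) -> set[str]:
    """Return `value` with its switch prefix replaced by every dash variant."""
    m = PREFIX_RE.search(value)
    if not m:                       # 'echo' has no prefix, so no expansion
        return {value}
    return {value[:m.start()] + d + value[m.end():] for d in DASH_CHARS}

def matches_rule(event: dict) -> bool:
    """True when every selection field matches (fields are AND-ed)."""
    # Sigma string matching is case-insensitive, so normalise both sides.
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not parent.endswith(RULE["ParentImage|endswith"].lower()):
        return False
    if not image.endswith(RULE["Image|endswith"].lower()):
        return False
    # A list under one field is OR-ed; each value is windash-expanded first.
    needles = set()
    for v in RULE["CommandLine|contains|windash"]:
        needles |= {x.lower() for x in windash_variants(v)}
    return any(n in cmdline for n in needles)

# Constructed sample events (not real telemetry).
SVC = r"C:\Windows\System32\services.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"ParentImage": SVC, "Image": CMD, "CommandLine": r"cmd.exe /c echo started > C:\temp\svc.log"},
    {"ParentImage": SVC, "Image": CMD, "CommandLine": 'cmd.exe -C "ipconfig /all"'},  # dash, mixed case
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": CMD, "CommandLine": "cmd.exe /c echo hi"},  # wrong parent
    {"ParentImage": SVC, "Image": CMD, "CommandLine": "cmd.exe /k"},  # neither string present
]

def run_samples() -> list[bool]:
    """Evaluate the rule over the constructed events: [True, True, False, False]."""
    return [matches_rule(e) for e in SAMPLE_EVENTS]
```

Because `contains` is a substring test, `/c` will also fire on a command line that merely contains `/cache` or `/config`; that is the kind of benign hit behind the rule's `level: low`.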
References
- https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
Related rules
- Command Shell Bypassing Security Controls (RedCanary Threat Detection Report)
- Command Shell Obfuscated Commands (RedCanary Threat Detection Report)
- Command Shell Suspicious Process Ancestry (RedCanary Threat Detection Report)
- Explorer Spawning CMD With Start/Exit Commands (RedCanary Threat Detection Report)
- Windows Scheduled Task Create Shell (RedCanary Threat Detection Report)