Bypassing Security Controls - Command Shell
Adversaries bypass controls using the Windows Command Shell in a plethora of ways, but you can detect the one we see most often with a simple combination of process execution and a corresponding command line. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Bypassing Security Controls - Command Shell
2id: 2aaf3922-0a8b-4b7b-9c10-ea552bdff707
3status: experimental
4description: |
5 Adversaries bypass controls using the Windows Command Shell in a plethora of ways,
6 but you can detect the one we see most often with a simple combination of process
7 execution and a corresponding command line. Part of the RedCanary 2024 Threat
8 Detection Report.
9references:
10 - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
11author: RedCanary, Sigma formatting by Micah Babinski
12date: 2024/03/21
13tags:
14 - attack.execution
15 - attack.t1059
16 - attack.t1059.003
17 - attack.defense_evasion
18 - attack.t1202
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection:
24 Image|endswith: '\cmd.exe'
25 CommandLine|contains:
26 - 'bypass'
27 - '-exec'
28 condition: selection
29falsepositives:
30 - Unknown
31level: low```
References
-
Windows Command Shell is a favorite among adversaries because it can call on any executable on the system to execute batch files and more.
Read More
Related rules
- Obfuscated Commands - Command Shell
- Renamed NirCmd.EXE Execution
- Renamed PingCastle Binary Execution
- Renamed CURL.EXE Execution
- Suspicious Runscripthelper.exe