Windows Explorer Spawning Command Shell with Start and Exit Commands
This detection analytic looks for instances of explorer.exe spawning cmd.exe along with corresponding start and exit commands that we commonly observe in conjunction with a wide variety of malicious activity. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule
```yaml
title: Windows Explorer Spawning Command Shell with Start and Exit Commands
id: ebb4eaad-9909-4785-a038-97bdee8aa5ae
status: experimental
description: |
    This detection analytic looks for instances of explorer.exe spawning cmd.exe along
    with corresponding start and exit commands that we commonly observe in conjunction
    with a wide variety of malicious activity. Part of the RedCanary 2024 Threat
    Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1059
    - attack.t1059.003
    - attack.t1053
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'start'
            - 'exit'
    condition: selection
falsepositives:
    - Unknown
level: low
```
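To show what the selection above actually matches, here is an added Python example (not part of the rule or of Red Canary's tooling) that evaluates the same three conditions over constructed process_creation events. Sigma string modifiers match case-insensitively, so the code lower-cases every field; the fourth sample event is included to show that the plain `contains` test also fires on substrings such as "Startup" or a file name containing "exit", which is the main false-positive surface a tuner should expect. Field names follow the Sigma process_creation taxonomy; the event values themselves are made up.

```python
"""Evaluate the Sigma selection from the rule above against process-creation events.

Added example; it is not the rule author's code. Events below are constructed.
"""
from typing import Iterable

# The three conditions of the rule's `selection`. Sigma compares strings
# case-insensitively, so the suffixes are kept lower-case and inputs are lowered.
PARENT_SUFFIX = "\\explorer.exe"
IMAGE_SUFFIX = "\\cmd.exe"
REQUIRED_SUBSTRINGS = ("start", "exit")   # CommandLine|contains|all


def matches(event: dict) -> bool:
    """Return True when a process_creation event satisfies the rule's selection."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (
        parent.endswith(PARENT_SUFFIX)
        and image.endswith(IMAGE_SUFFIX)
        and all(needle in cmdline for needle in REQUIRED_SUBSTRINGS)
    )


def find_hits(events: Iterable[dict]) -> list:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # expected hit: explorer -> cmd with both 'start' and 'exit'
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": 'cmd.exe /c start "" "C:\\Users\\u\\AppData\\Local\\Temp\\doc.pdf" & exit',
    },
    {   # no hit: parent is svchost.exe, not explorer.exe
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c start notepad.exe & exit",
    },
    {   # no hit: 'exit' never appears on the command line
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /k start notepad.exe",
    },
    {   # hit, but likely benign: substring matching catches 'Startup' and 'exit_helper'
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": 'C:\\Windows\\System32\\cmd.exe /c "C:\\Users\\u\\Startup\\exit_helper.cmd"',
    },
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("HIT:", hit["CommandLine"])
```

When tuning this rule, the last sample is the case to keep in mind: `contains` is a substring test, not a token test, so a path component or file name containing "start" or "exit" satisfies the selection just as well as the `start ... exit` command pair the analytic is looking for. Restricting the match to whitespace-delimited `start` and `exit` tokens, or adding a filter for known-good parent paths, is the usual next step.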
References
- https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
Related rules
- Windows Scheduled Task Creating Shell
- Bypassing Security Controls - Command Shell
- Obfuscated Commands - Command Shell
- Service Control Manager Spawning Command Shell with Suspect Strings
- Unusual or Suspicious Process Ancestry - Command Shell