Service Control Manager Spawning Command Shell with Suspect Strings
The following pseudo detector should generate an alert when services.exe spawns cmd.exe along with a corresponding echo or /c command, which are common attributes of post-exploitation that we’ve seen in association with this technique. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule
```yaml
title: Service Control Manager Spawning Command Shell with Suspect Strings
id: cdf9f0ba-857a-4f91-9f30-724ade93b797
status: experimental
description: |
    The following pseudo detector should generate an alert when services.exe spawns
    cmd.exe along with a corresponding echo or /c command, which are common attributes
    of post exploitation that we’ve seen in association with this technique. Part of
    the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1059
    - attack.t1059.003
    - attack.t1569
    - attack.t1569.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\services.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'echo'
            - '/c'
    condition: selection
falsepositives:
    - Unknown
level: low
```
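To make the selection logic concrete, here is an added Python implementation of the rule's `selection` block run over a handful of constructed process-creation events. This is example code written for this page, not part of the Sigma rule or the RedCanary report; the event field names, sample paths and command lines are assumptions chosen to mirror the rule's `ParentImage`, `Image` and `CommandLine` fields. It reproduces the Sigma semantics the rule relies on: `endswith` and `contains` compare case-insensitively, and a list of values under `CommandLine|contains` is an OR, so either `echo` or `/c` is enough.

```python
"""Reference matcher for the 'selection' block of the Sigma rule above (added example)."""
from dataclasses import dataclass
from typing import Iterable, List

# Values taken directly from the rule's selection block.
PARENT_SUFFIX = "\\services.exe"
IMAGE_SUFFIX = "\\cmd.exe"
COMMANDLINE_PATTERNS = ("echo", "/c")  # list under |contains => OR


@dataclass(frozen=True)
class ProcessCreation:
    """Minimal process_creation event; field names are an assumption for this example."""
    parent_image: str
    image: str
    command_line: str


def _endswith_ci(value: str, suffix: str) -> bool:
    # Sigma string modifiers match case-insensitively by default.
    return value.lower().endswith(suffix.lower())


def _contains_any_ci(value: str, patterns: Iterable[str]) -> bool:
    lowered = value.lower()
    return any(p.lower() in lowered for p in patterns)


def matches(event: ProcessCreation) -> bool:
    """True when every field in 'selection' matches (fields within a selection are ANDed)."""
    return (
        _endswith_ci(event.parent_image, PARENT_SUFFIX)
        and _endswith_ci(event.image, IMAGE_SUFFIX)
        and _contains_any_ci(event.command_line, COMMANDLINE_PATTERNS)
    )


def run_detector(events: Iterable[ProcessCreation]) -> List[ProcessCreation]:
    """Return the events that would raise an alert under 'condition: selection'."""
    return [e for e in events if matches(e)]


# Constructed sample telemetry (not real data): paths and command lines are illustrative.
SAMPLE_EVENTS = [
    # services.exe -> cmd.exe with /c and echo: should alert.
    ProcessCreation(
        parent_image=r"C:\Windows\System32\services.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe /c echo hello > C:\Windows\Temp\out.txt",
    ),
    # Same parent/child but neither echo nor /c on the command line: no alert.
    ProcessCreation(
        parent_image=r"C:\Windows\System32\services.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe",
    ),
    # cmd.exe /c under explorer.exe, wrong parent: no alert from this rule.
    ProcessCreation(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe /c whoami",
    ),
    # services.exe spawning a non-cmd child whose arguments contain 'echo': no alert.
    ProcessCreation(
        parent_image=r"C:\Windows\System32\services.exe",
        image=r"C:\Windows\System32\svchost.exe",
        command_line=r"svchost.exe -k echo",
    ),
    # Upper-case path and switch; matching is case-insensitive: should alert.
    ProcessCreation(
        parent_image=r"C:\WINDOWS\SYSTEM32\SERVICES.EXE",
        image=r"C:\WINDOWS\SYSTEM32\CMD.EXE",
        command_line=r"CMD.EXE /C dir",
    ),
]

if __name__ == "__main__":
    for hit in run_detector(SAMPLE_EVENTS):
        print("ALERT:", hit.parent_image, "->", hit.image, "|", hit.command_line)
```

Running the block prints two alerts (the first and last sample events). Note how broad the `/c` term is: almost every non-interactive cmd.exe invocation carries it, which is consistent with the rule's `level: low` and why this detector is best treated as a triage signal to be combined with the command-line content itself, rather than as a high-fidelity alert on its own.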
References
- https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
Related rules
- Bypassing Security Controls - Command Shell
- Obfuscated Commands - Command Shell
- SMBexec.py Execution
- Unusual or Suspicious Process Ancestry - Command Shell
- Windows Explorer Spawning Command Shell with Start and Exit Commands