Cmd Launched with Hidden Start Flags to Suspicious Targets

Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags. To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories. This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.

Sigma rule

title: Cmd Launched with Hidden Start Flags to Suspicious Targets
id: 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
status: experimental
description: |
    Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags.
    To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories.
    This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
references:
    - https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous
    - https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
    - https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start
tags:
    - attack.defense-evasion
    - attack.t1564.003
author: Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cmd_hidden_start_1:
        CommandLine|contains|windash:
            - 'start '
            - 'start/b'
            - 'start/min'
    selection_cmd_hidden_start_2:
        CommandLine|contains|windash:
            - '/b '
            - '/b"'
            - '/min '
            - '/min"'
    selection_cli_uncommon_location:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Windows\Temp\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Documents\'
            - '\Downloads\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\'
            - '\Music\'
            - '\Photos\'
            - '\Temporary Internet\'
            - '\Users\Public\'
            - '\Videos\'
    selection_cli_susp_extension:
        CommandLine|contains:
            - '.bat'
            - '.cmd'
            - '.cpl'
            - '.hta'
            - '.js'
            - '.ps1'
            - '.scr'
            - '.vbe'
            - '.vbs'
    selection_cli_susp_pattern:
        CommandLine|contains:
            - ' -nop '
            - ' -sta '
            - '.downloadfile(' # PowerShell download command
            - '.downloadstring(' # PowerShell download command
            - '-noni '
            - '-w hidden '
    condition: all of selection_cmd_* and 1 of selection_cli_*
falsepositives:
    - Legitimate administrative scripts running from temporary folders.
    - Niche software updaters utilizing hidden batch files in ProgramData.
level: medium # Can be increased after an initial baseline and tuning
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/info.yml
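To show how the rule's condition behaves on concrete events, here is an added Python example that hand-implements only the modifiers this rule uses (endswith, contains, windash) and its condition, then evaluates constructed process_creation events; it is not SigmaHQ's or pySigma's code, and the Unicode dash set in DASHES and the sample command lines are assumptions.

```python
from itertools import product

# Pattern lists copied from the rule above (selection_cli_* lists in full).
HIDDEN_START_1 = ["start ", "start/b", "start/min"]
HIDDEN_START_2 = ["/b ", '/b"', "/min ", '/min"']
UNCOMMON_LOCATION = [
    ":\\Perflogs\\", ":\\Temp\\", ":\\Users\\Default\\", ":\\Windows\\Temp\\",
    "\\AppData\\Roaming\\", "\\Contacts\\", "\\Documents\\", "\\Downloads\\",
    "\\Favorites\\", "\\Favourites\\", "\\inetpub\\", "\\Music\\", "\\Photos\\",
    "\\Temporary Internet\\", "\\Users\\Public\\", "\\Videos\\",
]
SUSP_EXTENSION = [".bat", ".cmd", ".cpl", ".hta", ".js", ".ps1", ".scr", ".vbe", ".vbs"]
SUSP_PATTERN = [" -nop ", " -sta ", ".downloadfile(", ".downloadstring(", "-noni ", "-w hidden "]
# Sigma 'windash': '-' and '/' are interchangeable; the Unicode dashes are an assumed extension.
DASHES = "-/\u2013\u2014\u2015"

def windash(value):
    # Every spelling of `value` with each dash/slash slot replaced by any DASHES char.
    slots = [i for i, ch in enumerate(value) if ch in DASHES]
    variants = set()
    for combo in product(DASHES, repeat=len(slots)):
        chars = list(value)
        for i, ch in zip(slots, combo):
            chars[i] = ch
        variants.add("".join(chars))
    return variants

def contains_any(field, patterns, dash=False):
    """Sigma 'contains' (case-insensitive); dash=True also applies 'windash'."""
    expanded = set().union(*(windash(p) if dash else {p} for p in patterns))
    return any(p.lower() in field.lower() for p in expanded)

def rule_matches(event):
    """Condition: all of selection_cmd_* and 1 of selection_cli_*."""
    cmd_img = (event.get("Image", "").lower().endswith("\\cmd.exe")
               or event.get("OriginalFileName", "").lower() == "cmd.exe")
    cl = event.get("CommandLine", "")
    cmd_hidden = (contains_any(cl, HIDDEN_START_1, dash=True)
                  and contains_any(cl, HIDDEN_START_2, dash=True))
    cli_any = (contains_any(cl, UNCOMMON_LOCATION) or contains_any(cl, SUSP_EXTENSION)
               or contains_any(cl, SUSP_PATTERN))
    return cmd_img and cmd_hidden and cli_any

# Constructed sample process_creation events (not taken from any real log).
IMG = "C:\\Windows\\System32\\cmd.exe"
SAMPLE_EVENTS = [
    {"Image": IMG, "CommandLine": 'cmd.exe /c start /b "C:\\Users\\Public\\update.bat"'},  # matches
    {"Image": IMG, "CommandLine": "cmd.exe /c start /min notepad.exe"},                    # benign, no hit
    {"Image": IMG, "CommandLine": "cmd /c start -min C:\\ProgramData\\Vendor\\sync.vbs"},  # dash spelling, matches
]
```

The second event shows the false-positive reduction in action: the hidden start flags alone are not enough without a suspicious extension, location or pattern.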
