Cmd.EXE Missing Space Characters Execution Anomaly
Detects Windows command lines that are missing a space before or after the /c flag when running a command with cmd.exe. This could be a sign of obfuscation or of a fat-finger problem (a typo by the developer).
Sigma rule
title: Cmd.EXE Missing Space Characters Execution Anomaly
id: a16980c2-0c56-4de0-9a79-17971979efdd
status: test
description: |
    Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.
    This could be a sign of obfuscation or a fat finger problem (typo by the developer).
references:
    - https://twitter.com/cyb3rops/status/1562072617552678912
    - https://ss64.com/nt/cmd.html
author: Florian Roth (Nextron Systems)
date: 2022-08-23
modified: 2023-03-06
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection1: # missing space before the /c
        CommandLine|contains:
            - 'cmd.exe/c'
            - '\cmd/c' # just cmd/c would be prone to false positives
            - '"cmd/c'
            - 'cmd.exe/k'
            - '\cmd/k' # just cmd/k would be prone to false positives
            - '"cmd/k'
            - 'cmd.exe/r'
            - '\cmd/r' # just cmd/r would be prone to false positives
            - '"cmd/r'
    selection2: # special cases verified via Virustotal Enterprise search
        CommandLine|contains:
            - '/cwhoami'
            - '/cpowershell'
            - '/cschtasks'
            - '/cbitsadmin'
            - '/ccertutil'
            - '/kwhoami'
            - '/kpowershell'
            - '/kschtasks'
            - '/kbitsadmin'
            - '/kcertutil'
    selection3: # missing space after the /c
        CommandLine|contains:
            - 'cmd.exe /c'
            - 'cmd /c'
            - 'cmd.exe /k'
            - 'cmd /k'
            - 'cmd.exe /r'
            - 'cmd /r'
    filter_generic:
        CommandLine|contains:
            - 'cmd.exe /c '
            - 'cmd /c '
            - 'cmd.exe /k '
            - 'cmd /k '
            - 'cmd.exe /r '
            - 'cmd /r '
    filter_fp:
        - CommandLine|contains: 'AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules'
        - CommandLine|endswith: 'cmd.exe/c .'
        - CommandLine: 'cmd.exe /c'
    condition: 1 of selection* and not 1 of filter_*
falsepositives:
    - Unknown
level: high
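To show how the selections and filters above interact, here is an added example (not part of the Sigma project or any Sigma backend) that evaluates the rule's condition in plain Python over a few constructed command lines. The function name `evaluate` and the sample command lines are assumptions made for illustration.

```python
# Added example: plain-Python evaluation of the rule's condition, not a Sigma backend.
FLAGS = ("c", "k", "r")
# The three selection lists, generated to match the strings in the rule above.
SELECTION1 = [p + f for f in FLAGS for p in ("cmd.exe/", "\\cmd/", '"cmd/')]
SELECTION2 = ["/" + f + t for f in ("c", "k")
              for t in ("whoami", "powershell", "schtasks", "bitsadmin", "certutil")]
SELECTION3 = [p + f for f in FLAGS for p in ("cmd.exe /", "cmd /")]
# filter_generic is selection3 plus a trailing space, i.e. the well-formed usage.
FILTER_GENERIC = [s + " " for s in SELECTION3]
VSCODE = r"AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules"


def _any(cmdline, needles):
    low = cmdline.lower()  # Sigma string matching is case-insensitive by default
    return any(n.lower() in low for n in needles)


def evaluate(cmdline):
    """Return (alert, matched selections, matched filters) for one CommandLine."""
    low = cmdline.lower()
    named = (("selection1", SELECTION1), ("selection2", SELECTION2),
             ("selection3", SELECTION3))
    sels = [name for name, pats in named if _any(cmdline, pats)]
    filters = []
    if _any(cmdline, FILTER_GENERIC):
        filters.append("filter_generic")
    # filter_fp is a list of alternatives: contains, endswith, exact match.
    if VSCODE.lower() in low or low.endswith("cmd.exe/c .") or low == "cmd.exe /c":
        filters.append("filter_fp")
    # condition: 1 of selection* and not 1 of filter_*
    return bool(sels) and not filters, sels, filters


SAMPLES = [  # constructed command lines, not taken from real telemetry
    "cmd.exe/c whoami",                        # no space before /c
    r"C:\Windows\System32\cmd.exe /cwhoami",   # no space after /c
    r"cmd.exe /c dir C:\Users",                # well-formed, suppressed by filter_generic
    "cmd.exe /c",                              # bare invocation, suppressed by filter_fp
    "CMD.EXE/K schtasks /query",               # upper case still matches
]

if __name__ == "__main__":
    for sample in SAMPLES:
        alert, sels, filters = evaluate(sample)
        print(f"{'ALERT' if alert else 'ok':5}  {sample!r}  sel={sels}  filt={filters}")
```

Note that `selection3` on its own also matches correctly spaced invocations such as `cmd.exe /c dir`; it only isolates the missing-space case in combination with `filter_generic`.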