Attachment: cmd file extension

Detects messages containing CMD (Command Prompt) batch files, either as direct attachments or within compressed archives. CMD files can execute arbitrary system commands and are commonly used to deliver malware or perform unauthorized system modifications.

Sublime rule

name: "Attachment: cmd file extension"
description: "Detects messages containing CMD (Command Prompt) batch files, either as direct attachments or within compressed archives. CMD files can execute arbitrary system commands and are commonly used to deliver malware or perform unauthorized system modifications."
type: "rule"
severity: "low"
source: |
  type.inbound
  and length(attachments) > 0
  and any(attachments,
          .file_extension =~ "cmd"
          or (
            .file_extension in~ $file_extensions_common_archives
            and any(file.explode(.), .file_extension =~ "cmd")
          )
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "a902b8ed-b8ef-5232-b6bd-0fe915e6a161"
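To make the two branches of the rule concrete (a direct .cmd attachment, or one found by exploding an archive), here is an added Python re-implementation of the logic over constructed attachments; it is not part of the Sublime rule or its engine. The archive-extension set stands in for $file_extensions_common_archives and is an assumption, and archive explosion is limited to zip data, recursing into nested zips the way file.explode() descends into nested archives.

```python
import io
import zipfile
from dataclasses import dataclass

# Assumption: a stand-in for Sublime's $file_extensions_common_archives list.
COMMON_ARCHIVE_EXTENSIONS = {"zip", "7z", "rar", "tar", "gz"}


@dataclass
class Attachment:
    file_name: str
    content: bytes = b""

    @property
    def file_extension(self) -> str:
        # Last dot-separated component, e.g. "update.CMD" -> "CMD"
        return self.file_name.rsplit(".", 1)[-1] if "." in self.file_name else ""


def explode(att: Attachment) -> list:
    """Mimic file.explode(): list files inside a zip, recursing into nested zips.
    Non-zip or unreadable content explodes to an empty list."""
    out = []
    try:
        with zipfile.ZipFile(io.BytesIO(att.content)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = Attachment(info.filename, zf.read(info))
                out.append(inner)
                out.extend(explode(inner))
    except zipfile.BadZipFile:
        pass
    return out


def rule_matches(inbound: bool, attachments: list) -> bool:
    """The rule: an inbound message with a .cmd file attached directly or inside
    a common archive. =~ and in~ are case-insensitive, hence .lower()."""
    if not inbound or not attachments:
        return False
    return any(
        a.file_extension.lower() == "cmd"
        or (a.file_extension.lower() in COMMON_ARCHIVE_EXTENSIONS
            and any(f.file_extension.lower() == "cmd" for f in explode(a)))
        for a in attachments
    )


def make_zip(entries: dict) -> bytes:
    """Build a constructed in-memory zip from {name: bytes} for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Note that a mixed-case name such as update.CMD still matches, and a .zip whose bytes are not a valid archive explodes to nothing and so does not fire on this branch.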
