Suspicious Windows Command Shell Arguments

Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior is often observed during malware installation.

Rule type: eql

Rule indices:

winlogbeat-*
logs-windows.*
logs-system.security*
logs-windows.sysmon_operational-*
logs-sentinel_one_cloud_funnel.*
logs-m365_defender.event-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: System
Data Source: Sysmon
Data Source: SentinelOne
Data Source: Microsoft Defender for Endpoint

Version: 201

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

process where host.os.type == "windows" and event.type == "start" and
 process.name : "cmd.exe" and
 (

  process.command_line : ("*).Run(*", "*GetObject*", "* curl*regsvr32*", "*echo*wscript*", "*echo*ZONE.identifier*",
  "*ActiveXObject*", "*dir /s /b *echo*", "*unescape(*",  "*findstr*TVNDRgAAAA*", "*findstr*passw*", "*start*\\\\*\\DavWWWRoot\\*",
  "* explorer*%CD%*", "*%cd%\\*.js*", "*attrib*%CD%*", "*/?cMD<*", "*/AutoIt3ExecuteScript*..*", "*&cls&cls&cls&cls&cls&*",
  "*&#*;&#*;&#*;&#*;*", "* &&s^eT*", "*& ChrW(*", "*&explorer /root*", "*start __ & __\\*", "*findstr /V /L *forfiles*",
  "*=wscri& set *", "*http*!COmpUternaME!*", "*start *.pdf * start /min cmd.exe /c *\\\\*", "*pip install*System.Net.WebClient*",
  "*Invoke-WebReques*Start-Process*", "*-command (Invoke-webrequest*", "*copy /b *\\\\* ping *-n*", "*echo*.ToCharArray*") or

  (process.args : "echo" and process.parent.name : ("wscript.exe", "mshta.exe")) or

  process.args : ("1>?:\\*.vbs", "1>?:\\*.js") or

  (process.args : "explorer.exe" and process.args : "type" and process.args : ">" and process.args : "start") or

  (process.parent.name : "explorer.exe" and
   process.command_line :
           ("*&&S^eT *",
            "*&& set *&& set *&& set *&& set *&& set *&& call*",
            "**\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??*")) or

   (process.parent.name : "explorer.exe" and process.args : "copy" and process.args : "&&" and process.args : "\\\\*@*\\*")
  ) and

  /* false positives */
  not (process.args : "%TEMP%\\Spiceworks\\*" and process.parent.name : "wmiprvse.exe") and
  not process.parent.executable :
                ("?:\\Perl64\\bin\\perl.exe",
                 "?:\\Program Files\\nodejs\\node.exe",
                 "?:\\Program Files\\HP\\RS\\pgsql\\bin\\pg_dumpall.exe",
                 "?:\\Program Files (x86)\\PRTG Network Monitor\\64 bit\\PRTG Server.exe",
                 "?:\\Program Files (x86)\\Spiceworks\\bin\\spiceworks-finder.exe",
                 "?:\\Program Files (x86)\\Zuercher Suite\\production\\leds\\leds.exe",
                 "?:\\Program Files\\Tripwire\\Agent\\Plugins\\twexec\\twexec.exe",
                 "D:\\Agents\\?\\_work\\_tasks\\*\\SonarScanner.MSBuild.exe",
                 "?:\\Program Files\\Microsoft VS Code\\Code.exe",
                 "?:\\programmiweb\\NetBeans-*\\netbeans\\bin\\netbeans64.exe",
                 "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe",
                 "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe",
                 "?:\\Program Files\\NetBeans-*\\netbeans\\bin\\netbeans*.exe",
                 "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe",
                 "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe",
                 "?:\\Program Files (x86)\\Helpdesk Button\\button_gui.exe",
                 "?:\\VTSPortable\\VTS\\jre\\bin\\javaw.exe",
                 "?:\\Program Files\\Bot Framework Composer\\Bot Framework Composer.exe",
                 "?:\\Program Files\\KMSYS Worldwide\\eQuate\\*\\SessionMgr.exe",
                 "?:\\Program Files (x86)\\Craneware\\Pricing Analyzer\\Craneware.Pricing.Shell.exe",
                 "?:\\Program Files (x86)\\jumpcloud-agent-app\\jumpcloud-agent-app.exe",
                 "?:\\Program Files\\PostgreSQL\\*\\bin\\pg_dumpall.exe",
                 "?:\\Program Files (x86)\\Vim\\vim*\\vimrun.exe") and
  not (process.args :  "?:\\Program Files\\Citrix\\Secure Access Client\\nsauto.exe" and process.parent.name : "userinit.exe") and
  not process.args :
            ("?:\\Program Files (x86)\\PCMatic\\PCPitstopScheduleService.exe",
             "?:\\Program Files (x86)\\AllesTechnologyAgent\\*",
             "https://auth.axis.com/oauth2/oauth-authorize*") and
  not process.command_line :
               ("\"cmd\" /c %NETBEANS_MAVEN_COMMAND_LINE%",
                "?:\\Windows\\system32\\cmd.exe /q /d /s /c \"npm.cmd ^\"install^\" ^\"--no-bin-links^\" ^\"--production^\"\"") and
  not (process.name : "cmd.exe" and process.args : "%TEMP%\\Spiceworks\\*" and process.args : "http*/dataloader/persist_netstat_data") and
  not (process.args == "echo" and process.args == "GEQ" and process.args == "1073741824")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
Sub-technique:
- Name: Windows Command Shell
- ID: T1059.003
- Reference URL: https://attack.mitre.org/techniques/T1059/003/

« Suspicious WerFault Child Process Suspicious Windows Powershell Arguments »