Suspicious Windows Command Shell Arguments

edit

Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior is often observed during malware installation.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-windows.*
  • logs-system.security*
  • logs-windows.sysmon_operational-*
  • logs-sentinel_one_cloud_funnel.*
  • logs-m365_defender.event-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Execution
  • Data Source: System
  • Data Source: Sysmon
  • Data Source: SentinelOne
  • Data Source: Microsoft Defender for Endpoint

Version: 201

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
process where host.os.type == "windows" and event.type == "start" and
 process.name : "cmd.exe" and
 (

  process.command_line : ("*).Run(*", "*GetObject*", "* curl*regsvr32*", "*echo*wscript*", "*echo*ZONE.identifier*",
  "*ActiveXObject*", "*dir /s /b *echo*", "*unescape(*",  "*findstr*TVNDRgAAAA*", "*findstr*passw*", "*start*\\\\*\\DavWWWRoot\\*",
  "* explorer*%CD%*", "*%cd%\\*.js*", "*attrib*%CD%*", "*/?cMD<*", "*/AutoIt3ExecuteScript*..*", "*&cls&cls&cls&cls&cls&*",
  "*&#*;&#*;&#*;&#*;*", "* &&s^eT*", "*& ChrW(*", "*&explorer /root*", "*start __ & __\\*", "*findstr /V /L *forfiles*",
  "*=wscri& set *", "*http*!COmpUternaME!*", "*start *.pdf * start /min cmd.exe /c *\\\\*", "*pip install*System.Net.WebClient*",
  "*Invoke-WebReques*Start-Process*", "*-command (Invoke-webrequest*", "*copy /b *\\\\* ping *-n*", "*echo*.ToCharArray*") or

  (process.args : "echo" and process.parent.name : ("wscript.exe", "mshta.exe")) or

  process.args : ("1>?:\\*.vbs", "1>?:\\*.js") or

  (process.args : "explorer.exe" and process.args : "type" and process.args : ">" and process.args : "start") or

  (process.parent.name : "explorer.exe" and
   process.command_line :
           ("*&&S^eT *",
            "*&& set *&& set *&& set *&& set *&& set *&& call*",
            "**\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??*")) or

   (process.parent.name : "explorer.exe" and process.args : "copy" and process.args : "&&" and process.args : "\\\\*@*\\*")
  ) and

  /* false positives */
  not (process.args : "%TEMP%\\Spiceworks\\*" and process.parent.name : "wmiprvse.exe") and
  not process.parent.executable :
                ("?:\\Perl64\\bin\\perl.exe",
                 "?:\\Program Files\\nodejs\\node.exe",
                 "?:\\Program Files\\HP\\RS\\pgsql\\bin\\pg_dumpall.exe",
                 "?:\\Program Files (x86)\\PRTG Network Monitor\\64 bit\\PRTG Server.exe",
                 "?:\\Program Files (x86)\\Spiceworks\\bin\\spiceworks-finder.exe",
                 "?:\\Program Files (x86)\\Zuercher Suite\\production\\leds\\leds.exe",
                 "?:\\Program Files\\Tripwire\\Agent\\Plugins\\twexec\\twexec.exe",
                 "D:\\Agents\\?\\_work\\_tasks\\*\\SonarScanner.MSBuild.exe",
                 "?:\\Program Files\\Microsoft VS Code\\Code.exe",
                 "?:\\programmiweb\\NetBeans-*\\netbeans\\bin\\netbeans64.exe",
                 "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe",
                 "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe",
                 "?:\\Program Files\\NetBeans-*\\netbeans\\bin\\netbeans*.exe",
                 "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe",
                 "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe",
                 "?:\\Program Files (x86)\\Helpdesk Button\\button_gui.exe",
                 "?:\\VTSPortable\\VTS\\jre\\bin\\javaw.exe",
                 "?:\\Program Files\\Bot Framework Composer\\Bot Framework Composer.exe",
                 "?:\\Program Files\\KMSYS Worldwide\\eQuate\\*\\SessionMgr.exe",
                 "?:\\Program Files (x86)\\Craneware\\Pricing Analyzer\\Craneware.Pricing.Shell.exe",
                 "?:\\Program Files (x86)\\jumpcloud-agent-app\\jumpcloud-agent-app.exe",
                 "?:\\Program Files\\PostgreSQL\\*\\bin\\pg_dumpall.exe",
                 "?:\\Program Files (x86)\\Vim\\vim*\\vimrun.exe") and
  not (process.args :  "?:\\Program Files\\Citrix\\Secure Access Client\\nsauto.exe" and process.parent.name : "userinit.exe") and
  not process.args :
            ("?:\\Program Files (x86)\\PCMatic\\PCPitstopScheduleService.exe",
             "?:\\Program Files (x86)\\AllesTechnologyAgent\\*",
             "https://auth.axis.com/oauth2/oauth-authorize*") and
  not process.command_line :
               ("\"cmd\" /c %NETBEANS_MAVEN_COMMAND_LINE%",
                "?:\\Windows\\system32\\cmd.exe /q /d /s /c \"npm.cmd ^\"install^\" ^\"--no-bin-links^\" ^\"--production^\"\"") and
  not (process.name : "cmd.exe" and process.args : "%TEMP%\\Spiceworks\\*" and process.args : "http*/dataloader/persist_netstat_data") and
  not (process.args == "echo" and process.args == "GEQ" and process.args == "1073741824")

Framework: MITRE ATT&CKTM