[rule] description = """ Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior is often observed during malware installation. """ id = "8dd7588d-fc28-40c0-adfb-14789c763984" license = "Elastic License v2" name = "Suspicious Windows Command Shell Execution" os_list = ["windows"] version = "1.0.46" query = ''' process where event.action == "start" and (process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and not user.id : "S-1-5-18" and process.parent.executable != null and ( process.command_line : ("*).Run(*", "*GetObject*", "* curl*regsvr32*", "*echo*wscript*", "*echo*ZONE.identifier*", "*ActiveXObject*", "*dir /s /b *echo*", "*unescape(*", "*findstr*TVNDRgAAAA*", "*findstr*passw*", "*start*\\\\*\\DavWWWRoot\\*", "* explorer*%CD%*", "*%cd%\\*.js*", "*attrib*%CD%*", "*/?cMD<*", "*/AutoIt3ExecuteScript*..*", "*&cls&cls&cls&cls&cls&*", "*&#*;&#*;&#*;&#*;*", "* &&s^eT*", "*& ChrW(*", "*&explorer /root*", "*start __ & __\\*", "*findstr /V /L *forfiles*", "*=wscri& set *", "*http*!COmpUternaME!*", "*start *.pdf * start /min cmd.exe /c *\\\\*", "*pip install*System.Net.WebClient*", "*Invoke-WebReques*Start-Process*", "*-command (Invoke-webrequest*", "*copy /b *\\\\* ping *-n*", "*echo*.ToCharArray*", "*curl --ntlm -u*", "*bat'; iwr $*", "*http*.Content;*", "*&(gcm i?x)*", "*!*!*!*!*!*!*", "*&& !*!!*", "*for %? in (?) do @set*", "*QUIT>>?&FTP/s:*", "*iwr -Uri*Start-Process*", "*irm https*| iex*", "*^S^T^a*", "*javascript:alert*", "* /v /c *&&set *&&set *&&set *&&set *&&set*", "*net use *@ssl*rundll32*", "*echo F | xcopy*/h /y &&*", "* if /i \"%cd%\"==\"C:\\Windows\\System32\" ( echo *", "* if /i \"%cd%\"==\"C:\\Windows\\System32\" ( msg*", "* if /i \"%cd%\"==\"C:\\Windows\\System32\" (mshta *", "*/c*start*.doc&exit*", "*/k*start msedge*http*&*", "*)) | Invoke-Expression\"", "*/c *.bat&*.pdf*", "*/c *.bat&*.mp4*") or (process.args_count == 3 and process.args : "%*%" and process.args:"/c") or (process.args : "echo" and process.parent.name : ("wscript.exe", "mshta.exe")) or process.args : ("1>?:\\*.vbs", "1>?:\\*.js") or (process.args : "explorer.exe" and process.args : "type" and process.args : ">" and process.args : "start") or (process.parent.name : ("explorer.exe", "python.exe") and process.command_line : ("*&&S^eT *", "*&& set *&& set *&& set *&& set *&& set *&& call*", "**\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??*", "*sTArT /MiN *POWeRsheLl -WiNdowStYlE hIddeN*", "*cURL -O *HtTP*.bat*")) or (process.parent.name : ("explorer.exe", "python.exe") and process.args : "copy" and process.args : "&&" and process.args : "\\\\*@*\\*") ) and /* false positives */ not (process.args : "%TEMP%\\Spiceworks\\*" and process.parent.name : "wmiprvse.exe") and not process.parent.executable : ("?:\\Perl64\\bin\\perl.exe", "?:\\Program Files\\nodejs\\node.exe", "E:\\eGov\\eGovXtract.exe", "?:\\Program Files\\HP\\RS\\pgsql\\bin\\pg_dumpall.exe", "?:\\Program Files (x86)\\PRTG Network Monitor\\64 bit\\PRTG Server.exe", "?:\\Program Files (x86)\\Spiceworks\\bin\\spiceworks-finder.exe", "?:\\Program Files (x86)\\Zuercher Suite\\production\\leds\\leds.exe", "?:\\Program Files\\Tripwire\\Agent\\Plugins\\twexec\\twexec.exe", "D:\\Agents\\?\\_work\\_tasks\\*\\SonarScanner.MSBuild.exe", "?:\\reps\\inventory\\.nodejs\\node\\node.exe", "?:\\Program Files\\Microsoft VS Code\\Code.exe", "?:\\Users\\*\\node.exe", "?:\\nodejs\\node.exe", "?:\\*\\.nodejs\\node\\node.exe", "C:\\xampp\\php\\php.exe", "C:\\officelauncher\\OfficeInstaller.exe", "D:\\PROGRAMS\\Siebel\\siebsrvr\\BIN\\siebmtshmw.exe", "C:\\Program Files (x86)\\NetDocuments\\ndOffice\\ndOffice.exe", "C:\\Program Files\\Waves Central\\Waves Central.exe", "C:\\Users\\*\\AppData\\Local\\MyASUS Update Messenger\\UpdateMessenger.exe", "C:\\Program Files\\Microsoft SQL Server\\MSSQL??.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "?:\\programmiweb\\NetBeans-*\\netbeans\\bin\\netbeans64.exe", "?:\\Users\\*\\AppData\\Local\\Zuercher Suite\\production\\leds\\leds.exe", "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe", "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe", "?:\\Program Files\\NetBeans-*\\netbeans\\bin\\netbeans*.exe", "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe", "C:\\Program Files (x86)\\Microsoft Visual Studio\\20??\\Enterprise\\Common?\\IDE\\devenv.exe", "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe", "?:\\Program Files (x86)\\Helpdesk Button\\button_gui.exe", "?:\\VTSPortable\\VTS\\jre\\bin\\javaw.exe", "?:\\Program Files\\Bot Framework Composer\\Bot Framework Composer.exe", "?:\\Users\\*\\AppData\\Local\\Programs\\*electron\\AXIS Device Manager Extend.exe", "?:\\Users\\*\\AppData\\Local\\Programs\\Arduino IDE\\Arduino IDE.exe", "?:\\Program Files\\KMSYS Worldwide\\eQuate\\*\\SessionMgr.exe", "?:\\Program Files (x86)\\Craneware\\Pricing Analyzer\\Craneware.Pricing.Shell.exe", "?:\\sonarqube\\MSBuild\\SonarScanner.MSBuild.exe", "?:\\Program Files (x86)\\jumpcloud-agent-app\\jumpcloud-agent-app.exe", "?:\\Program Files\\PostgreSQL\\*\\bin\\pg_dumpall.exe", "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", "C:\\Program Files\\Microsoft Visual Studio\\*\\Common?\\IDE\\devenv.exe", "?:\\Program Files (x86)\\Vim\\vim*\\vimrun.exe", "C:\\Program Files\\Microsoft Visual Studio\\*\\DtsDebugHost.exe") and not (process.args : "console|findstr" and process.parent.name : "cmd.exe") and not process.working_directory : "?:\\Program Files (x86)\\Spiceworks\\" and not (process.parent.name : "wscript.exe" and process.parent.args : ("D:\\intersystems\\hsfoundation\\databases\\data\\ELSAInfoServer.vbs", "\\\\*")) and not (process.parent.name : ("pwsh.exe", "powershell.exe") and process.args : "start" and process.args : "https://login.microsoftonline.com/*") and not (process.args : "?:\\Program Files\\Citrix\\Secure Access Client\\nsauto.exe" and process.parent.name : "userinit.exe") and not process.args : ("?:\\Program Files (x86)\\PCMatic\\PCPitstopScheduleService.exe", "?:\\Program Files (x86)\\AllesTechnologyAgent\\*", "https://auth.axis.com/oauth2/oauth-authorize*", "D:\\GitHub\\lilitech-cloud-app\\node_modules\\.bin\\*", "C:\\ProgramData\\santesocial\\commun\\adm\\produits", "*--flat-playlist^*--no-cache-dir^*", "/DIR=C:\\Program Files (x86)\\Zeiss\\Zeiss PDF Printer", "*plugins\\org.eclipse.birt.doc_*") and not process.command_line : ("\"cmd\" /c %NETBEANS_MAVEN_COMMAND_LINE%", "?:\\Windows\\system32\\cmd.exe /q /d /s /c \"npm.cmd ^\"install^\" ^\"--no-bin-links^\" ^\"--production^\"\"") and not (process.name : "cmd.exe" and process.args : "%TEMP%\\Spiceworks\\*" and process.args : "http*/dataloader/persist_netstat_data") and not process.parent.command_line : "cmd /q /k prompt MAM:Remote$G" and not process.parent.args like "C:\\WINDOWS\\Runtime\\utility\\wrapper.vbs" and not (process.args : "C:\\Windows\\TEMP\\nessus_*.TMP" and process.parent.name : "WmiPrvSE.exe") and not (process.parent.name : "WmiPrvSe.exe" and process.args : "& {$j = sajb {$ErrorActionPreference = 'SilentlyContinue';$ErrorActionPreference = 'SilentlyContinue';$jars = $(Get-ChildItem -Path 'C:\\*' -Recurse -Include '*.jar','*.war','*.ear'*") and not (process.parent.name : "wscript.exe" and process.parent.args : ("C:\\IBM\\ITM\\TMAITM6_x64\\K06_uninstall.vbs", "C:\\Windows\\System32\\gatherNetworkInfo.vbs")) and not (process.args == "echo" and process.args == "GEQ" and process.args == "1073741824") and not (process.parent.name : "wscript.exe" and process.parent.args : "C:\\Program Files (x86)\\CaseWare\\Template\\FinancialsIFRS\\Packager\\After\\0\\FinancialsIFRSCreateShortcuts.js") and not (process.name : "cmd.exe" and process.parent.name : ("javaw.exe", "udt.exe") and process.command_line : ("cmd /C %JENV_0%", "/c echo %MENU_SYSTEM%", "/c echo %NJSEXIT7%", "%OPENER% %f%")) and not (process.parent.executable : "C:\\Users\\*\\AppData\\Local\\Temp\\is-*.tmp\\RublonForWindows-?.?.?.tmp" and process.command_line : "*https://core.rublon.net/api/app/init*") and not process.command_line : ("cmd /c echo AMD64", "cmd /c echo x86") ''' min_endpoint_version = "7.15.0" optional_actions = [] [[actions]] action = "kill_process" field = "process.entity_id" state = 0 [[threat]] framework = "MITRE ATT&CK" [[threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" [[threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" [threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" [internal] min_endpoint_version = "7.15.0"