-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2013-02-003.yaml
43 lines (43 loc) · 2.02 KB
/
CAR-2013-02-003.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
title: Processes Spawning cmd.exe
submission_date: 2013/02/05
information_domain: Host
platforms:
- Windows
subtypes:
- Process
analytic_types:
- Situational Awareness
contributors:
- MITRE
id: CAR-2013-02-003
description: 'The Windows [Command Prompt](https://en.wikipedia.org/wiki/cmd.exe) (`cmd.exe`) is a utility that provides a command line interface to Windows operating systems. It provides the ability to run additional programs and also has several built-in commands such as `dir`, `copy`, `mkdir`, and `type`, as well as batch scripts (`.bat`). Typically, when a user runs a command prompt, the parent process is `explorer.exe` or another instance of the prompt. There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning the process `cmd.exe` from certain parents may be more indicative of malice. For example, if Adobe Reader or Outlook launches a command shell, this may suggest that a malicious document has been loaded and should be investigated. Thus, by looking for abnormal parent processes of `cmd.exe`, it may be possible to detect adversaries.'
coverage:
- technique: T1059
tactics:
- TA0002
subtechniques:
- T1059.003
coverage: Moderate
implementations:
- code: |-
process = search Process:Create
cmd = filter process where (exe == "cmd.exe")
output cmd
type: pseudocode
- description: DNIF version of the above pseudocode.
code: |-
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*cmd\.exe.*)i limit 100
type: DNIF
data_model: Sysmon native
- description: LogPoint version of the above pseudocode.
code: |-
norm_id=WindowsSysmon event_id=1 image="*\cmd.exe"
type: LogPoint
data_model: LogPoint native
data_model_references:
- process/create/exe
- process/create/parent_exe
unit_tests:
- configurations:
- Windows 7
description: 'Within a command prompt or powershell, run cmd.exe'