Cmdline Tool Not Executed In Cmd Shell

Description

This search detects a suspicious parent process executing a command-line tool outside of a shell command line. The technique was observed in the FIN7 JSSLoader .NET-compiled payload, which ran ipconfig.exe and systeminfo.exe from a .NET application. This event is a good TTP signal because those tools are normally run from a command shell rather than spawned by another application. It is a useful indicator of an application gathering host information, whether driven by an attacker or by an automated tool built by an administrator.
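As an added illustration (not the rule's own SPL, which this page does not reproduce), the same detection logic in Python over constructed Sysmon-style process-creation records: flag the named tools when the parent image is not a shell, then group hits by host and parent the way a stats-by clause would. The shell list (cmd.exe, powershell.exe, pwsh.exe), the host names and the parent name loader.exe are assumptions.

```python
"""Flag ipconfig.exe / systeminfo.exe launched by a non-shell parent process."""
import ntpath
from collections import defaultdict

# Tools named in the detection description; extend this set to cover other host-recon binaries
CMDLINE_TOOLS = {"ipconfig.exe", "systeminfo.exe"}
# Assumed set of interactive shells whose children are considered normal
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def is_suspicious(event):
    """True when a watched tool is spawned by something other than a shell."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    return image in CMDLINE_TOOLS and parent not in SHELLS


def find_hits(events):
    """Group suspicious launches by (host, parent image, parent pid), like `stats ... by`."""
    groups = defaultdict(lambda: {"tools": set(), "count": 0})
    for ev in events:
        if is_suspicious(ev):
            key = (ev["Computer"], ntpath.basename(ev["ParentImage"]).lower(), ev["ParentProcessId"])
            groups[key]["tools"].add(ntpath.basename(ev["Image"]).lower())
            groups[key]["count"] += 1
    return [
        {"host": h, "parent": p, "parent_pid": pid, "tools": sorted(g["tools"]), "count": g["count"]}
        for (h, p, pid), g in sorted(groups.items())
    ]


# Constructed Sysmon Event ID 1-style records (not real telemetry)
SAMPLE_EVENTS = [
    {"Computer": "ws01", "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentProcessId": 400,
     "Image": r"C:\Windows\System32\ipconfig.exe"},
    {"Computer": "ws01", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessId": 410, "Image": r"C:\Windows\System32\systeminfo.exe"},
    {"Computer": "ws01", "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 120,
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"Computer": "ws02", "ParentImage": r"C:\Users\Public\loader.exe", "ParentProcessId": 5120,
     "Image": r"C:\Windows\System32\ipconfig.exe"},
    {"Computer": "ws02", "ParentImage": r"C:\Users\Public\loader.exe", "ParentProcessId": 5120,
     "Image": r"C:\Windows\System32\systeminfo.exe"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(hit)
```

Only the loader.exe parent on ws02 is reported; the shell-spawned copies on ws01 are treated as normal operator activity.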

Help

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Search
