Detect Prohibited Applications Spawning Cmd Exe

Description

This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe.

Help

You must be ingesting data that records process activity from your hosts and populates the Endpoint data model with the resultant dataset. This search includes a lookup file, prohibited_apps_launching_cmd.csv, that contains a list of processes that should not be spawning cmd.exe. You can modify this lookup to better suit your environment.
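
The matching logic described above, as an added Python example that is not the search shipped with this detection or Splunk's own code. The lookup column name `prohibited_process`, the lookup entries and the events are constructed assumptions; the event field names follow the Endpoint.Processes dataset.

```python
import csv
import io
from collections import defaultdict

# Constructed stand-in for prohibited_apps_launching_cmd.csv; the real
# lookup's column name and entries are not shown on this page.
LOOKUP_CSV = """prohibited_process
winword.exe
excel.exe
acrord32.exe
"""

# Constructed process-creation events using Endpoint.Processes field names.
EVENTS = [
    {"_time": 1700000000, "dest": "ws-01", "user": "alice",
     "parent_process_name": "explorer.exe", "process_name": "cmd.exe"},
    {"_time": 1700000060, "dest": "ws-02", "user": "bob",
     "parent_process_name": "WINWORD.EXE", "process_name": "cmd.exe"},
    {"_time": 1700000120, "dest": "ws-02", "user": "bob",
     "parent_process_name": "winword.exe", "process_name": "Cmd.exe"},
    {"_time": 1700000180, "dest": "ws-03", "user": "carol",
     "parent_process_name": "excel.exe", "process_name": "powershell.exe"},
]


def load_prohibited(csv_text):
    """Return the lookup's parent process names, lower-cased."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["prohibited_process"].strip().lower() for r in rows
            if r["prohibited_process"].strip()}


def detect(events, prohibited):
    """Summarise cmd.exe launches whose parent is in the lookup."""
    times = defaultdict(list)
    for ev in events:
        parent = ev["parent_process_name"].lower()
        # Windows image names are case-insensitive, so compare lower-cased.
        if ev["process_name"].lower() == "cmd.exe" and parent in prohibited:
            times[(ev["dest"], ev["user"], parent)].append(ev["_time"])
    return {k: {"count": len(t), "firstTime": min(t), "lastTime": max(t)}
            for k, t in times.items()}


if __name__ == "__main__":
    for key, stats in detect(EVENTS, load_prohibited(LOOKUP_CSV)).items():
        print(key, stats)
```

Only the two cmd.exe launches from the listed parent on ws-02 are reported; the explorer.exe parent and the powershell.exe child fall outside the detection, which is why the lookup contents need tuning per environment.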
