Detect Prohibited Applications Spawning cmd.exe
This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe.
This content is not mapped to any local saved search. Add mapping
Detect Prohibited Applications Spawning cmd.exe Help
Obtaining access to the Command-Line Interface (CLI) is typically a primary attacker goal. Once an attacker has obtained the ability to execute code on a target system, they will often further manipulate the system via commands passed to the CLI. It is also unusual for many applications to spawn a command shell during normal operation, while it is often observed if an application has been compromised in some way. As such, it is often beneficial to look for cmd.exe being executed by processes that are often targeted for exploitation, or that would not spawn cmd.exe in any other circumstances. A lookup file is provided to easily modify the processes that are being watched for execution of cmd.exe.