Detect Prohibited Applications Spawning cmd.exe

Description

This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe.

Content Mapping

This content is not mapped to any local saved search.


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Execution

MITRE ATT&CK Techniques

Command and Scripting Interpreter

MITRE Threat Groups

APT19
APT32
APT39
Dragonfly 2.0
FIN5
FIN6
FIN7
Ke3chang
Molerats
OilRig
Stealth Falcon
Whitefly

Kill Chain Phases

Exploitation

Data Sources

Endpoint Detection and Response


Detect Prohibited Applications Spawning cmd.exe Help

Obtaining access to the Command-Line Interface (CLI) is typically a primary attacker goal. Once an attacker has obtained the ability to execute code on a target system, they will often further manipulate the system via commands passed to the CLI. Most applications do not spawn a command shell during normal operation, so a shell launched by one of them is a common indicator that the application has been compromised in some way. As such, it is often beneficial to look for cmd.exe being executed by processes that are frequently targeted for exploitation, or that would not spawn cmd.exe under any other circumstances. A lookup file is provided so that the list of parent processes being watched for execution of cmd.exe can be modified easily.
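The detection logic described above, written out as an added Python example (not code from this page or from the Splunk content it describes): a small lookup table of parent processes that should not launch a shell, and a function that scans process-creation events for cmd.exe whose parent is on that list. The parent process names in the lookup, the field names in the events and the events themselves are constructed for illustration; a real deployment would use the lookup file supplied with the search and the field names of its EDR data source. Matching is done on the lower-cased file name only, so `C:\Windows\SysWOW64\cmd.exe` and `CMD.EXE` are treated the same and a parent reported with a full path still matches an entry given as a bare name.

```python
import csv
import io

# Constructed lookup table (assumption): parent processes that are often
# targeted for exploitation and have no legitimate reason to spawn cmd.exe.
# The real search reads this list from a Splunk lookup file instead.
PROHIBITED_PARENTS_CSV = """parent_process_name,note
winword.exe,Microsoft Word
excel.exe,Microsoft Excel
powerpnt.exe,Microsoft PowerPoint
outlook.exe,Microsoft Outlook
acrord32.exe,Adobe Reader
mshta.exe,Microsoft HTML Application host
w3wp.exe,IIS worker process
"""


def load_prohibited_parents(csv_text):
    """Parse the lookup CSV into a set of lower-cased parent process names."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["parent_process_name"].strip().lower() for row in reader}


def basename(path):
    """Return the lower-cased file name of a Windows (or POSIX) path.

    EDR telemetry may report a full path, a bare name, or mixed case; the
    lookup holds bare lower-case names, so normalise before comparing.
    """
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Constructed process-creation events standing in for EDR telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "process_path": r"C:\Windows\System32\cmd.exe",
     "parent_process_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": 'cmd.exe /c "echo constructed example"'},
    {"host": "ws01", "user": "alice", "process_path": r"C:\Windows\System32\cmd.exe",
     "parent_process_path": r"C:\Windows\explorer.exe",
     "command_line": "cmd.exe"},
    {"host": "ws02", "user": "bob", "process_path": "CMD.EXE",
     "parent_process_path": "EXCEL.EXE",
     "command_line": "CMD.EXE /c whoami"},
    {"host": "ws02", "user": "bob", "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_process_path": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "command_line": "powershell.exe -Command Get-Date"},
    {"host": "web01", "user": "IIS APPPOOL\\DefaultAppPool", "process_path": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_process_path": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": "cmd.exe /c dir"},
]


def find_prohibited_spawns(events, prohibited_parents):
    """Return the events where cmd.exe was launched by a prohibited parent.

    Each hit keeps the fields an analyst needs to triage: host, user, the
    offending parent and the full command line passed to the shell.
    """
    hits = []
    for event in events:
        if basename(event["process_path"]) != "cmd.exe":
            continue  # only interested in the shell itself
        parent = basename(event["parent_process_path"])
        if parent in prohibited_parents:
            hits.append({
                "host": event["host"],
                "user": event["user"],
                "parent_process": parent,
                "command_line": event["command_line"],
            })
    return hits


def run_detection():
    """Load the lookup and scan the constructed events; returns the hit list."""
    prohibited = load_prohibited_parents(PROHIBITED_PARENTS_CSV)
    return find_prohibited_spawns(SAMPLE_EVENTS, prohibited)


if __name__ == "__main__":
    for hit in run_detection():
        print(f"{hit['host']}: {hit['parent_process']} spawned cmd.exe as "
              f"{hit['user']}: {hit['command_line']}")
```

Of the five constructed events, three fire: Word and Excel (the latter reported in upper case without a path) spawning cmd.exe, and the IIS worker process launching cmd.exe from SysWOW64. The explorer.exe launch does not match because explorer.exe is not in the lookup, and the Outlook event does not match because the child is powershell.exe rather than cmd.exe, which is the scope the search description sets. Tuning the detection is a matter of editing the lookup rows, not the matching code.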