[metadata] creation_date = "2024/09/06" integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" updated_date = "2024/09/16" [rule] author = ["Elastic"] description = """ Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior is often observed during malware installation. """ from = "now-9m" index = [ "winlogbeat-*", "logs-windows.*", "logs-system.security*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*" ] language = "eql" license = "Elastic License v2" name = "Suspicious Windows Command Shell Arguments" risk_score = 73 rule_id = "d9ffc3d6-9de9-4b29-9395-5757d0695ecf" severity = "high" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: System", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint" ] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and process.name : "cmd.exe" and ( process.command_line : ("*).Run(*", "*GetObject*", "* curl*regsvr32*", "*echo*wscript*", "*echo*ZONE.identifier*", "*ActiveXObject*", "*dir /s /b *echo*", "*unescape(*", "*findstr*TVNDRgAAAA*", "*findstr*passw*", "*start*\\\\*\\DavWWWRoot\\*", "* explorer*%CD%*", "*%cd%\\*.js*", "*attrib*%CD%*", "*/?cMD<*", "*/AutoIt3ExecuteScript*..*", "*&cls&cls&cls&cls&cls&*", "*&#*;&#*;&#*;&#*;*", "* &&s^eT*", "*& ChrW(*", "*&explorer /root*", "*start __ & __\\*", "*findstr /V /L *forfiles*", "*=wscri& set *", "*http*!COmpUternaME!*", "*start *.pdf * start /min cmd.exe /c *\\\\*", "*pip install*System.Net.WebClient*", "*Invoke-WebReques*Start-Process*", "*-command (Invoke-webrequest*", "*copy /b *\\\\* ping *-n*", "*echo*.ToCharArray*") or (process.args : "echo" and process.parent.name : ("wscript.exe", "mshta.exe")) or process.args : ("1>?:\\*.vbs", "1>?:\\*.js") or (process.args : "explorer.exe" and process.args : "type" and process.args : ">" and process.args : "start") or (process.parent.name : "explorer.exe" and process.command_line : ("*&&S^eT *", "*&& set *&& set *&& set *&& set *&& set *&& call*", "**\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??*")) or (process.parent.name : "explorer.exe" and process.args : "copy" and process.args : "&&" and process.args : "\\\\*@*\\*") ) and /* false positives */ not (process.args : "%TEMP%\\Spiceworks\\*" and process.parent.name : "wmiprvse.exe") and not process.parent.executable : ("?:\\Perl64\\bin\\perl.exe", "?:\\Program Files\\nodejs\\node.exe", "?:\\Program Files\\HP\\RS\\pgsql\\bin\\pg_dumpall.exe", "?:\\Program Files (x86)\\PRTG Network Monitor\\64 bit\\PRTG Server.exe", "?:\\Program Files (x86)\\Spiceworks\\bin\\spiceworks-finder.exe", "?:\\Program Files (x86)\\Zuercher Suite\\production\\leds\\leds.exe", "?:\\Program Files\\Tripwire\\Agent\\Plugins\\twexec\\twexec.exe", "D:\\Agents\\?\\_work\\_tasks\\*\\SonarScanner.MSBuild.exe", "?:\\Program Files\\Microsoft VS Code\\Code.exe", "?:\\programmiweb\\NetBeans-*\\netbeans\\bin\\netbeans64.exe", "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe", "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe", "?:\\Program Files\\NetBeans-*\\netbeans\\bin\\netbeans*.exe", "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe", "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe", "?:\\Program Files (x86)\\Helpdesk Button\\button_gui.exe", "?:\\VTSPortable\\VTS\\jre\\bin\\javaw.exe", "?:\\Program Files\\Bot Framework Composer\\Bot Framework Composer.exe", "?:\\Program Files\\KMSYS Worldwide\\eQuate\\*\\SessionMgr.exe", "?:\\Program Files (x86)\\Craneware\\Pricing Analyzer\\Craneware.Pricing.Shell.exe", "?:\\Program Files (x86)\\jumpcloud-agent-app\\jumpcloud-agent-app.exe", "?:\\Program Files\\PostgreSQL\\*\\bin\\pg_dumpall.exe", "?:\\Program Files (x86)\\Vim\\vim*\\vimrun.exe") and not (process.args : "?:\\Program Files\\Citrix\\Secure Access Client\\nsauto.exe" and process.parent.name : "userinit.exe") and not process.args : ("?:\\Program Files (x86)\\PCMatic\\PCPitstopScheduleService.exe", "?:\\Program Files (x86)\\AllesTechnologyAgent\\*", "https://auth.axis.com/oauth2/oauth-authorize*") and not process.command_line : ("\"cmd\" /c %NETBEANS_MAVEN_COMMAND_LINE%", "?:\\Windows\\system32\\cmd.exe /q /d /s /c \"npm.cmd ^\"install^\" ^\"--no-bin-links^\" ^\"--production^\"\"") and not (process.name : "cmd.exe" and process.args : "%TEMP%\\Spiceworks\\*" and process.args : "http*/dataloader/persist_netstat_data") and not (process.args == "echo" and process.args == "GEQ" and process.args == "1073741824") ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/"