detection.wiki

Command and Scripting Interpreter: Windows Command Shell T1059.003

Tactic: Execution

Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.

Events covered

27 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 1Process creation
SysmonEvent ID 3Network connection
SysmonEvent ID 7Image loaded
SysmonEvent ID 11FileCreate
SysmonEvent ID 12RegistryEvent (Object create and delete)
SysmonEvent ID 13RegistryEvent (Value Set)
SysmonEvent ID 14RegistryEvent (Key and Value Rename)
SysmonEvent ID 22DNSEvent (DNS query)
Security-AuditingEvent ID 4625An account failed to log on.
Security-AuditingEvent ID 4656A handle to an object was requested.
Security-AuditingEvent ID 4688A new process has been created.
Security-AuditingEvent ID 4698A scheduled task was created.
Security-AuditingEvent ID 4799A security-enabled local group membership was enumerated.
Security-AuditingEvent ID 5140A network share object was accessed.
Security-AuditingEvent ID 5156The Windows Filtering Platform has permitted a connection.
Defender-DeviceProcessEventsanyProcess activity (any)
ESFexecProcess Execution (Notify)
AppLockerEvent ID 8004FilePathBuffer was prevented from running.
AppLockerEvent ID 8007FilePathBuffer was prevented from running.
AppLockerEvent ID 8022PackageBuffer was prevented from running.
AppLockerEvent ID 8025PackageBuffer was prevented from running.
PowerShellEvent ID 4103Payload Context: ContextInfo User Data: UserData.
PowerShellEvent ID 4104Creating Scriptblock text (MessageNumber of MessageTotal).
ScreenConnectEvent ID 200Executed command of length.
ScreenConnectEvent ID 201Transferred files with action 'Transfer'.
Sysmon-for-LinuxEvent ID 1Process Create
Sysmon-for-LinuxEvent ID 11File created

Authoring guide

Patterns shared across the 148 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (72 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
CommandLine72contains 38, regex_match 21, match 6, is_not_null 5, in 4, ends_with 3, wildcard 3, eq 2, starts_with 1(?i)((tracert)|(query)|(net\s+((localgroup)|(group)|(conf..., (?i)\w+\.(bat|ps1|sh), (?i)cmd(\.exe(\"?))?\s+\/c\s+, (?i)powershell\.exe\s+-version\s+[123456], /c
process_name64eq 44, regex_match 8, in 7, match 3, wildcard 3, contains 2, ne 2, starts_with 1cmd.exe, powershell.exe, certutil.exe, cscript.exe, powershell_ise.exe
parent_process_name47eq 31, regex_match 8, in 4, contains 1, ends_with 1, match 1, wildcard 1cmd.exe, mshta.exe, explorer.exe, (?i)(powershell\.exe), node.exe
Image40ends_with 33, wildcard 4, starts_with 3\cmd.exe, \bitsadmin.exe, \certutil.exe, \powershell.exe, \rundll32.exe
EventID39eq 394688, 1, 4104, 4103, 11
event.type38eq 38start, change
OriginalFileName25eq 21, in 5cmd.exe, powershell.exe, powershell_ise.exe, cscript.exe, advancedrun.exe
ParentImage18ends_with 14, contains 2, eq 1, wildcard 1\cmd.exe, /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root, /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work, ?:\program files (x86)\teamcity\jre\bin\java.exe, ?:\program files\teamcity\jre\bin\java.exe
ParentCommandLine16contains 9, wildcard 3, ends_with 2, is_not_null 2, eq 1, in 1, match 1.bat, /c, server.js, *--experimental-https*, *--experimental-next-config-strip-types*
process.args16eq 11, wildcard 6, starts_with 3, contains 1, ends_with 1, is_not_null 1/c, &&, */bin/*sh*, *Reflection.Assembly*, *downloadstring*
Type15eq 15
EventType6eq 4, in 2start, exec, ProcessRollup2, creation, exec_event
CurrentDirectory5contains 3, starts_with 1, wildcard 1*\sap.com*\servlet_jsp\irj\*, .next, .pnpm/next, /*/sap.com*/servlet_jsp/irj/*, /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root
process.parent.args5eq 4, wildcard 2-*l*, -*p*, --message-loop-type-ui, --service-sandbox-type=none, -Embedding
event.category4eq 4process, library

Top indicator values (1071 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
event.typeeq
start
38606
process_nameeq
cmd.exe
3577
process_nameeq
powershell.exe
27104
process_nameeq
pwsh.exe
1662
process_nameeq
rundll32.exe
1460
process_nameeq
mshta.exe
1331
process_nameeq
wscript.exe
1329
process_nameeq
cscript.exe
1225
process_nameeq
certutil.exe
922
process_nameeq
powershell_ise.exe
950
process_nameeq
regsvr32.exe
825
process_nameeq
msiexec.exe
722
process_nameeq
wmic.exe
747
process_nameeq
bitsadmin.exe
614
process_nameeq
curl.exe
615
process_nameeq
installutil.exe
618
process_nameeq
schtasks.exe
621
process_nameeq
regasm.exe
511
process_nameeq
regsvcs.exe
510
process_nameeq
sc.exe
529
Imageends_with
\cmd.exe
19130
Imageends_with
\powershell.exe
8182
Imageends_with
\pwsh.exe
7168
Imageends_with
\rundll32.exe
595
EventIDeq
4688
15313
EventIDeq
1
11237
EventIDeq
4104
7268
OriginalFileNameeq
cmd.exe
1265
parent_process_nameeq
cmd.exe
515
parent_process_nameeq
explorer.exe
520

Exclusions (266 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
process_nameeq
cmd.exe
8
process_nameeq
powershell.exe
4
process_nameeq
rundll32.exe
3
process_nameeq
regsvr32.exe
2
user.ideq
S-1-5-18
4
process.argseq
-ExecutionPolicy
2
process.argseq
dir
2
CommandLinecontains
-format
1
CommandLinecontains
.\\install\\awk.exe
1
CommandLinecontains
\.nuget\packages\vswhere\
1
CommandLinecontains
\appdata\local\temp\
1
CommandLinecontains
\tasktop\keycloak\bin\/../../jre\bin\java
1
CommandLinecontains
common\..\..\buildtools\
1
CommandLinecontains
git log --pretty=format
1
CommandLinecontains
rwblahqalqbeageadabl
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Platform (all)
Domain (all)

Sigma 48 rules

Elastic 42 rules

Splunk 55 rules

Kusto 3 rules