The Windows Command Prompt (cmd.exe) is a utility that provides a command line interface to Windows operating systems. It provides the ability to run additional programs and also has several built-in commands such as dir, copy, mkdir, and type, as well as batch scripts (.bat). Typically, when a user runs a command prompt, the parent process is explorer.exe or another instance of the prompt. There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning the process cmd.exe from certain parents may be more indicative of malice. For example, if Adobe Reader or Outlook launches a command shell, this may suggest that a malicious document has been loaded and should be investigated. Thus, by looking for abnormal parent processes of cmd.exe, it may be possible to detect adversaries.

ATT&CK Detection

Technique               Tactic     Level of Coverage
Command-Line Interface  Execution  Moderate

Pseudocode

process = search Process:Create
cmd = filter process where (exe == "cmd.exe")
output cmd
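The following is an added example, not part of the original analytic: it applies the pseudocode above to constructed Process:Create events and then extends it with the parent-process check described in the introduction, flagging cmd.exe instances whose parent is outside an allowlist. The allowlist, the host names and the event records are assumptions constructed for the example.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set

# Parents from which cmd.exe is routinely spawned (assumption; tune per environment).
EXPECTED_PARENTS: Set[str] = {"explorer.exe", "cmd.exe"}

# Constructed sample events using the data model fields exe and parent_exe.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"hostname": "ws01", "exe": "cmd.exe", "parent_exe": "explorer.exe"},
    {"hostname": "ws01", "exe": "cmd.exe", "parent_exe": "cmd.exe"},
    {"hostname": "ws02", "exe": "cmd.exe", "parent_exe": "AcroRd32.exe"},
    {"hostname": "ws03", "exe": "cmd.exe", "parent_exe": "OUTLOOK.EXE"},
    {"hostname": "ws03", "exe": "notepad.exe", "parent_exe": "explorer.exe"},
]


def find_cmd_processes(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Equivalent of the pseudocode: keep Process:Create events where exe == cmd.exe.

    Comparison is case-insensitive because Windows image names are not case-sensitive.
    """
    return [e for e in events if e["exe"].lower() == "cmd.exe"]


def flag_abnormal_parents(events: Iterable[Dict[str, str]],
                          expected: Set[str] = EXPECTED_PARENTS) -> List[Dict[str, str]]:
    """Return cmd.exe events whose parent_exe is not in the expected set."""
    expected_lc = {p.lower() for p in expected}
    return [e for e in find_cmd_processes(events)
            if e["parent_exe"].lower() not in expected_lc]


def parent_counts(events: Iterable[Dict[str, str]]) -> Counter:
    """Count cmd.exe launches per parent image, a simple baseline for spotting rare parents."""
    return Counter(e["parent_exe"].lower() for e in find_cmd_processes(events))


if __name__ == "__main__":
    for hit in flag_abnormal_parents(SAMPLE_EVENTS):
        print(f"{hit['hostname']}: cmd.exe spawned by unexpected parent {hit['parent_exe']}")
    print(parent_counts(SAMPLE_EVENTS))
```

In practice the baseline from parent_counts would be built from a longer history so that rare parents stand out before any allowlist is fixed.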

Unit Tests

Test Case 1:

  • Configurations: Windows 7
  • Description: Within a command prompt or PowerShell session, run cmd.exe

Data Model References

Object   Action  Field
process  create  exe
process  create  parent_exe