The Windows Command Prompt (cmd.exe) is a utility that provides a command line interface to Windows operating systems. It provides the ability to run additional programs and also has several built-in commands such as dir, copy, mkdir, and type, as well as batch scripts (.bat). Typically, when a user runs a command prompt, the parent process is explorer.exe or another instance of the prompt. There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning the process cmd.exe from certain parents may be more indicative of malice. For example, if Adobe Reader or Outlook launches a command shell, this may suggest that a malicious document has been loaded and should be investigated. Thus, by looking for abnormal parent processes of cmd.exe, it may be possible to detect adversaries.

ATT&CK Detections

Technique                          Subtechnique(s)        Tactic(s)   Level of Coverage
Command and Scripting Interpreter  Windows Command Shell  Execution   Moderate

D3FEND Techniques

ID      Name
D3-PLA  Process Lineage Analysis

Data Model References

Object   Action  Field
process  create  exe
process  create  parent_exe

Implementations

Pseudocode

process = search Process:Create
cmd = filter process where (exe == "cmd.exe")
output cmd
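The pseudocode above only selects cmd.exe process-creation events; the parent-process judgement described in the introduction is left to the analyst. The following Python is an added example (not part of the CAR analytic or any vendor query) that applies that lineage check over a handful of constructed Sysmon Event ID 1 records written in the key/value layout of the event message text. The record format, the field names (Image, ParentImage, User) and the EXPECTED_PARENTS baseline are assumptions for illustration; a real deployment would pull the events from the log pipeline and tune the baseline to its own environment.

```python
from typing import Dict, List

# Constructed sample Sysmon "Process Create" records (EventID 1) in a key/value
# text layout. These are made-up examples for the demonstration, not real logs.
SAMPLE_TEXT = r"""
EventID: 1
Image: C:\Windows\System32\cmd.exe
ParentImage: C:\Windows\explorer.exe
User: CORP\alice
---
EventID: 1
Image: C:\Windows\System32\cmd.exe
ParentImage: C:\Windows\System32\cmd.exe
User: CORP\alice
---
EventID: 1
Image: C:\Windows\System32\cmd.exe
ParentImage: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
User: CORP\bob
---
EventID: 1
Image: C:\Windows\System32\cmd.exe
ParentImage: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
User: CORP\carol
---
EventID: 1
Image: C:\Windows\System32\notepad.exe
ParentImage: C:\Windows\explorer.exe
User: CORP\dave
---
EventID: 3
Image: C:\Windows\System32\cmd.exe
ParentImage: C:\Windows\explorer.exe
User: CORP\alice
"""

# Assumed baseline of parents that routinely launch cmd.exe in normal use.
# This is an illustrative set, not a recommendation; tune it per environment.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "conhost.exe"}


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the constructed text into one dict of fields per record."""
    events: List[Dict[str, str]] = []
    for chunk in text.split("---"):
        fields: Dict[str, str] = {}
        for line in chunk.strip().splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path (image == 'cmd.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


def find_cmd_creations(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Equivalent of the pseudocode: Process:Create events whose exe is cmd.exe.

    Matching on the exact basename avoids the false hits a loose regex such as
    .*cmd\\.exe.* would give for names like mycmd.exe.
    """
    return [
        e for e in events
        if e.get("EventID") == "1" and basename(e.get("Image", "")) == "cmd.exe"
    ]


def flag_abnormal_parents(events: List[Dict[str, str]],
                          expected=EXPECTED_PARENTS) -> List[Dict[str, str]]:
    """Lineage check: keep cmd.exe creations whose parent_exe is outside the baseline."""
    hits = []
    for e in find_cmd_creations(events):
        parent = basename(e.get("ParentImage", ""))
        if parent not in expected:
            hits.append({"parent_exe": parent,
                         "exe": basename(e["Image"]),
                         "user": e.get("User", "")})
    return hits


if __name__ == "__main__":
    for hit in flag_abnormal_parents(parse_events(SAMPLE_TEXT)):
        print(f"cmd.exe spawned by {hit['parent_exe']} (user {hit['user']})")
```

Run stand-alone, the script reports the two records whose parent is a document or mail client while leaving the explorer.exe and cmd.exe parents, the notepad.exe creation and the non-creation event untouched. The allow-list approach reflects the analytic's framing (look for parents that are unusual for cmd.exe) rather than a fixed list of bad parents, so new benign launchers show up as hits until the baseline is extended.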

Dnif, Sysmon native

DNIF version of the above pseudocode.

_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*cmd\.exe.*)i limit 100

Logpoint, LogPoint native

LogPoint version of the above pseudocode.

norm_id=WindowsSysmon event_id=1 image="*\cmd.exe"

Unit Tests

Test Case 1

Configurations: Windows 7

Within a command prompt or PowerShell, run cmd.exe.