The Windows Command Prompt (cmd.exe) is a utility that provides a command line interface to Windows operating systems. It provides the ability to run additional programs and also has several built-in commands such as type, as well as batch scripts (.bat). Typically, when a user runs a command prompt, the parent process is explorer.exe or another instance of the prompt. There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning the process cmd.exe from certain parents may be more indicative of malice. For example, if Adobe Reader or Outlook launches a command shell, this may suggest that a malicious document has been loaded and should be investigated. Thus, by looking for abnormal parent processes of cmd.exe, it may be possible to detect adversaries.
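The parent-process check described above, as an added example that is not part of the CAR analytic: it triages Sysmon Event ID 1 (Process Create) records, treating explorer.exe and cmd.exe as expected parents and the document-reader and mail-client parents the text names as high risk. The sample events are constructed, and the image names AcroRd32.exe and OUTLOOK.EXE are assumed for Adobe Reader and Outlook.

```python
"""Added example, not from the CAR analytic: triage Sysmon Event ID 1
(Process Create) records for cmd.exe launches with unexpected parents.
Sample events are constructed; AcroRd32.exe / OUTLOOK.EXE are assumed
image names for Adobe Reader and Outlook."""
import ntpath
from typing import Dict, Iterable, List

# Parents the analytic describes as normal launchers of a command prompt.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe"}
# Parents the analytic singles out: a shell spawned by a document reader or mail client.
HIGH_RISK_PARENTS = {"acrord32.exe", "outlook.exe"}  # assumed image names


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (backslash-aware)."""
    return ntpath.basename(path).lower()


def classify(event: Dict) -> str:
    """Classify one Sysmon event: 'ignore', 'expected', 'suspicious' or 'high'."""
    if event.get("EventID") != 1 or image_name(event.get("Image", "")) != "cmd.exe":
        return "ignore"            # not a cmd.exe process-create event
    parent = image_name(event.get("ParentImage", ""))
    if parent in HIGH_RISK_PARENTS:
        return "high"
    if parent in EXPECTED_PARENTS:
        return "expected"
    return "suspicious"           # unfamiliar parent: worth an analyst's look


def triage(events: Iterable[Dict]) -> List[Dict]:
    """Return the events that warrant review, annotated with a severity."""
    flagged = []
    for ev in events:
        verdict = classify(ev)
        if verdict in ("suspicious", "high"):
            flagged.append({**ev, "Severity": verdict})
    return flagged


# Constructed Sysmon-like records for demonstration.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Program Files\Adobe\Reader\AcroRd32.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Tools\unknown_launcher.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["Severity"], "<-", hit["ParentImage"])
```

In production the expected-parent set should be baselined per environment, since logon scripts and administrative tools legitimately spawn cmd.exe from other parents.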
|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
|---|---|---|---|
|Command and Scripting Interpreter|Windows Command Shell|Execution|Moderate|
Data Model References
process = search Process:Create
cmd = filter process where (exe == "cmd.exe")
output cmd
DNIF, Sysmon native
DNIF version of the above pseudocode.
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*cmd\.exe.*)i limit 100
LogPoint, LogPoint native
LogPoint version of the above pseudocode.
norm_id=WindowsSysmon event_id=1 image="*\cmd.exe"
Test Case 1
Configurations: Windows 7
Within a command prompt or PowerShell, run cmd.exe