Identify Suspicious Command Shells

Purpose: To identify instances of running command shells which may indicate threat actor activity.

Data Required: Process execution data (Sysmon, Carbon Black, etc.)

Collection Considerations: Collect from all systems in the domain

Analysis Techniques: Baselining, stack counting

Description

Look for instances of cmd.exe or powershell.exe where any of the following are true:

  • The parent process does not normally spawn a command shell (e.g., word.exe)
  • The command shell executed reg.exe or other command not normally used by end-users
  • The command shell was launched by a running service or by winlogon.exe
  • The command shell was started by WinRM ("wsmprovhost.exe" started by "svchost.exe" may indicate remote PowerShell execution)

Other Notes

The same techniques may be useful when applied to more than just command shell binaries. For example, you might want to search for any instance of a service launching wmic.exe.
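The rule list above and the generalisation in "Other Notes" can both be expressed as a small hunting script. The following is an added example, not part of the original playbook: it classifies Sysmon-style process-creation records (Image, ParentImage, CommandLine) against each bullet, extends the service-launch check to admin tools such as wmic.exe, and stack-counts parent/child pairs so the rarest combinations surface for baselining. The tool and parent lists are assumptions to be tuned per environment, and the sample events are constructed, not real telemetry.

```python
"""Flag suspicious command-shell launches in Sysmon-style process events.

Added example (not part of the original playbook). The event records below are
constructed to mimic Sysmon Event ID 1 fields; the tool lists are assumptions
a defender would tune against their own baseline.
"""
from collections import Counter
from pathlib import PureWindowsPath

SHELLS = {"cmd.exe", "powershell.exe"}
# Parents that should not normally spawn a shell (assumed list; extend per environment)
NON_SHELL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
# Commands not normally run by end users from a shell (assumed list)
ADMIN_TOOLS = {"reg.exe", "wmic.exe", "sc.exe", "net.exe", "schtasks.exe"}
# Service controller / logon processes that rarely have a reason to launch a shell
SERVICE_PARENTS = {"services.exe", "winlogon.exe"}


def basename(path):
    """Lower-cased file name of a Windows path ('C:\\Windows\\cmd.exe' -> 'cmd.exe')."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the list of playbook rules an event matches (empty list = nothing odd)."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    reasons = []
    if image in SHELLS and parent in NON_SHELL_PARENTS:
        reasons.append("shell spawned by non-shell parent")
    if image in ADMIN_TOOLS and parent in SHELLS:
        reasons.append("shell executed admin tool")
    if image in SHELLS and parent in SERVICE_PARENTS:
        reasons.append("shell launched by service or winlogon")
    if image == "wsmprovhost.exe" and parent == "svchost.exe":
        reasons.append("possible remote PowerShell via WinRM")
    # Generalisation from 'Other Notes': an admin tool launched directly by a service
    if image in ADMIN_TOOLS and parent in SERVICE_PARENTS:
        reasons.append("admin tool launched by service")
    return reasons


def stack_count(events):
    """Stack-count (parent, child) pairs, rarest first: the usual baselining view."""
    counts = Counter((basename(e["ParentImage"]), basename(e["Image"])) for e in events)
    return sorted(counts.items(), key=lambda kv: kv[1])


def hunt(events):
    """Return [(index, reasons)] for every event that matched at least one rule."""
    hits = []
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events (not real telemetry); command lines kept deliberately plain
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "CommandLine": "powershell.exe"},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "reg.exe query HKLM\\SOFTWARE"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\wsmprovhost.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "wsmprovhost.exe -Embedding"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "wmic.exe os get caption"},
]

if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", "; ".join(reasons))
    print("rarest parent/child pairs:", stack_count(SAMPLE_EVENTS)[:3])
```

In practice the event list would come from a Sysmon/EDR export covering the whole domain, as the collection note says; the `stack_count` output is what you compare against a known-good baseline, while `hunt` gives the rule-driven hits to triage first.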

More Info