Identify Suspicious Command Shells

Purpose: To identify instances of running command shells which may indicate threat actor activity.

Data Required: Process execution data (Sysmon, Carbon Black, etc)

Collection Considerations: Collect from all systems in the domain

Analysis Techniques: Baselining, stack counting

Description

Look for instances of cmd.exe or powershell.exe where any of the following are true:

The parent process does not normally spawn a command shell (e.g., word.exe)
The command shell executed reg.exe or other command not normally used by end-users
The command shell was launched by a running service or by winlogon.exe
The command shell was started by WinRM ("wsmprovhost.exe" started by "svchost.exe" may indicate remote PowerShell execution)

Other Notes

The same techniques may be useful when applied to more than just command shell binaries. For example, you might want to search for any instance of a service launching wmic.exe.

More Info

CAR-2013-02-003: Processes Spawning cmd.exe, MITRE Cyber Analytic Repository
CAR-2013-03-001: Reg.exe called from Command Shell, MITRE Cyber Analytic Repository
CAR-2014-05-002: Services launching Cmd.exe, MITRE Cyber Analytic Repository
CAR-204-11-002: Outlier Parents of Cmd, MITRE Cyber Analytic Repository
CAR-2014-11-004: Remote PowerShell Sessions, MITRE Cyber Analytic Repository
CAR-2014-11-008: Command Launched from WinLogon, MITRE Cyber Analytic Repository

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!