suspicious_command_shells.md

Identify Suspicious Command Shells

Purpose: To identify instances of running command shells which may indicate threat actor activity.

Data Required: Process execution data (Sysmon, Carbon Black, etc)

Collection Considerations: Collect from all systems in the domain

Analysis Techniques: Baselining, stack counting

Description

Look for instances of cmd.exe or powershell.exe where any of the following are true:

• The parent process does not normally spawn a command shell (e.g., word.exe)
• The command shell executed reg.exe or other command not normally used by end-users
• The command shell was launched by a running service or by winlogon.exe
• The command shell was started by WinRM ("wsmprovhost.exe" started by "svchost.exe" may indicate remote PowerShell execution)

Other Notes

The same techniques may be useful when applied to more than just command shell binaries. For example, you might want to search for any instance of a service launching wmic.exe.

More Info

• CAR-2013-02-003: Processes Spawning cmd.exe, MITRE Cyber Analytic Repository
• CAR-2013-03-001: Reg.exe called from Command Shell, MITRE Cyber Analytic Repository
• CAR-2014-05-002: Services launching Cmd.exe, MITRE Cyber Analytic Repository
• CAR-204-11-002: Outlier Parents of Cmd, MITRE Cyber Analytic Repository
• CAR-2014-11-004: Remote PowerShell Sessions, MITRE Cyber Analytic Repository
• CAR-2014-11-008: Command Launched from WinLogon, MITRE Cyber Analytic Repository