
Identify Suspicious Command Shells

Purpose: To identify instances of running command shells which may indicate threat actor activity.

Data Required: Process execution data (Sysmon, Carbon Black, etc.)

Collection Considerations: Collect from all systems in the domain

Analysis Techniques: Baselining, stack counting


Look for instances of cmd.exe or powershell.exe where any of the following are true:

  • The parent process does not normally spawn a command shell (e.g., word.exe)
  • The command shell executed reg.exe or other command not normally used by end-users
  • The command shell was launched by a running service or by winlogon.exe
  • The command shell was started by WinRM ("wsmprovhost.exe" started by "svchost.exe" may indicate remote PowerShell execution)

Other Notes

The same techniques may be useful when applied to more than just command shell binaries. For example, you might want to search for any instance of a service launching wmic.exe.
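As an added illustration, not part of the original playbook, the Python below applies the four checks from the list above and the generalisation in Other Notes (a service launching wmic.exe) to constructed process-creation records, and stack-counts the parents of every shell so that rare parents surface for baselining. The field names (Host, Image, ParentImage) are modelled on Sysmon Event ID 1 but are an assumption, as are the baseline sets, which must be tuned to the environment; the sample events are made up for the example.

```python
"""Flag suspicious command-shell activity in process-creation events (added example)."""
from collections import Counter

SHELLS = {"cmd.exe", "powershell.exe"}
# Assumed baseline: parents that routinely spawn shells on end-user workstations.
NORMAL_SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
# Service-side parents: a shell under one of these is not an interactive user.
SERVICE_PARENTS = {"services.exe", "svchost.exe", "winlogon.exe"}
# Tools that end users rarely run by hand.
ADMIN_TOOLS = {"reg.exe", "wmic.exe", "sc.exe", "schtasks.exe"}

# Constructed sample events shaped after Sysmon Event ID 1 fields (not real data).
SAMPLE_EVENTS = [
    {"Host": "ws01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Host": "ws02", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Host": "ws03", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Host": "ws04", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Host": "ws04", "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Host": "srv01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Host": "srv02", "Image": r"C:\Windows\System32\wsmprovhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Host": "srv02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe"},
    {"Host": "srv03", "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


def basename(path):
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_event(event):
    """Return the names of the checks an event trips (empty list if none)."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    reasons = []
    if image in SHELLS:
        if parent in SERVICE_PARENTS:
            reasons.append("shell launched by service or winlogon")
        elif parent == "wsmprovhost.exe":
            reasons.append("shell launched via WinRM")
        elif parent not in NORMAL_SHELL_PARENTS:
            reasons.append("shell spawned by unusual parent")
    # WinRM provider host under svchost.exe: possible remote PowerShell session.
    if image == "wsmprovhost.exe" and parent == "svchost.exe":
        reasons.append("WinRM provider host started by svchost.exe")
    if image in ADMIN_TOOLS:
        if parent in SHELLS:
            reasons.append("shell executed admin tool")
        elif parent in SERVICE_PARENTS:
            reasons.append("service launched admin tool")
    return reasons


def hunt(events):
    """Return (findings, parent_counts).

    findings: list of (host, image, parent, reasons) for events that trip a check.
    parent_counts: Counter of parent image names across all shell launches.
    """
    findings = []
    parent_counts = Counter()
    for event in events:
        image, parent = basename(event["Image"]), basename(event["ParentImage"])
        if image in SHELLS:
            parent_counts[parent] += 1
        reasons = flag_event(event)
        if reasons:
            findings.append((event["Host"], image, parent, reasons))
    return findings, parent_counts


def rare_parents(parent_counts, max_count=1):
    """Stack counting: shell parents seen at most max_count times across the fleet."""
    return sorted(p for p, n in parent_counts.items() if n <= max_count)


if __name__ == "__main__":
    found, counts = hunt(SAMPLE_EVENTS)
    for host, image, parent, reasons in found:
        print(f"{host}: {parent} -> {image}: {'; '.join(reasons)}")
    print("shell parent stack count:", dict(counts))
    print("rare shell parents:", rare_parents(counts))
```

Run against a full day of process-creation data, the stack count is the baseline: parents that dominate it (explorer.exe here) are normal for the estate and can be added to NORMAL_SHELL_PARENTS, while the long tail is what an analyst reviews.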

More Info