Command Prompt Network Connection Activity
Detection of command prompt activity initiating network connections can indicate suspicious or malicious behavior, potentially leading to command and control or data exfiltration.
Adversaries often leverage the command prompt (cmd.exe) to execute commands, download payloads, and establish network connections. This activity can be part of a larger attack campaign involving malware deployment, reconnaissance, or data exfiltration. Detecting network connections initiated by cmd.exe can provide valuable insights into potentially malicious actions, especially when combined with other suspicious indicators. This type of activity is not inherently malicious but warrants closer inspection when observed in conjunction with other anomalies.
Attack Chain
- Initial Access: An attacker gains initial access through various means (e.g., compromised credentials, software vulnerability).
- Command Execution: The attacker executes cmd.exe to perform subsequent actions on the system.
- Network Connection: cmd.exe initiates a network connection using tools like
ping,nslookup, orpowershell(via cmd.exe) to resolve domain names or communicate with external servers. - Data Exfiltration: The attacker uses cmd.exe in conjunction with other tools (e.g.,
curl,bitsadmin,certutil) to download or upload data to a remote server. - Command & Control: cmd.exe is used to execute commands received from a command and control (C2) server, allowing the attacker to remotely control the compromised system.
- Lateral Movement: The attacker leverages cmd.exe to perform actions on other systems within the network, such as copying files or executing commands remotely via
PsExec. - Persistence: The attacker establishes persistence by creating scheduled tasks or modifying registry keys using cmd.exe.
Impact
Successful exploitation can lead to data theft, system compromise, and further propagation of malware throughout the network. Attackers can use the compromised system as a foothold to access sensitive information, disrupt business operations, or launch attacks against other targets. While the single network connection from cmd.exe may not be particularly damaging in isolation, repeated use or connections to known bad IPs can be.
Detection coverage 2
Detect Command Prompt Making Outbound Connections
mediumDetects command prompt making outbound connections, which may indicate command and control activity.
Detect Suspicious DNS Queries from cmd.exe
mediumDetects DNS queries initiated by cmd.exe that resolve unusual or malicious domains.
Detection queries are available on the platform. Get full rules →