Skip to content
Threat Feed
high advisory

Suspicious Windows Command Shell Arguments

This rule identifies suspicious uses of the Windows Command Shell (cmd.exe) with unusual command-line arguments often associated with malware installation, script execution, or system manipulation.

This detection rule identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values, a behavior frequently observed during malware installation or malicious script execution. The rule specifically targets cmd.exe processes with command-line arguments containing suspicious patterns and keywords like "curl", "regsvr32", "wscript", or "Invoke-WebRequest", which are commonly used by attackers to download payloads or execute malicious commands. The rule further examines the parent process of cmd.exe, flagging instances where cmd.exe is spawned by unusual parent processes such as explorer.exe. This approach helps to identify potentially malicious command executions while minimizing false positives from legitimate software.

Attack Chain

  1. User inadvertently executes a malicious file or clicks a link, leading to the execution of explorer.exe.
  2. Explorer.exe spawns a cmd.exe process with obfuscated or suspicious arguments, like encoded commands or commands involving "curl" or "regsvr32".
  3. The cmd.exe process downloads a malicious payload from a remote server using curl or Invoke-WebRequest.
  4. The payload is saved to disk, often in a hidden or temporary directory.
  5. Cmd.exe uses regsvr32 to execute the downloaded payload, bypassing application control.
  6. The malicious code establishes persistence by creating a scheduled task or modifying the registry.
  7. The attacker gains remote access and control over the compromised system.

Impact

A successful attack leveraging suspicious command shell arguments can lead to the installation of malware, unauthorized access to sensitive data, and complete compromise of the affected system. This could potentially affect any Windows endpoint within an organization. The attacker could then use the compromised system as a launchpad for further attacks on other systems within the network.

Recommendation

  • Enable Sysmon process creation logging to capture command-line arguments for cmd.exe (Data Source: Sysmon).
  • Deploy the Sigma rule "Detect Suspicious Cmd Arguments" to your SIEM and tune the false positive exceptions for your environment.
  • Investigate any alerts generated by the deployed Sigma rule, focusing on the parent processes and command-line arguments of cmd.exe executions.

Detection coverage 2

Detect Suspicious Cmd Arguments

high

Detects cmd.exe execution with suspicious arguments often used for malware installation or script execution.

sigma tactics: execution techniques: T1059.003 sources: process_creation, windows

Detect Cmd with explorer.exe parent and Copy to UNC path

medium

Detects cmd.exe spawned by explorer.exe copying files to a UNC path, a common technique for lateral movement.

sigma tactics: execution techniques: T1059.003 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →