Detect Windows Command Shell in Google Chronicle
Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd.exe) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH. Batch files (.bat or .cmd) also provide the shell with a list of sequential commands to run. Adversaries may leverage cmd.exe to execute various commands and payloads, including single commands, interactive shells with C2 forwarding, and batch file execution.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.003 Windows Command Shell
- Canonical reference
- https://attack.mitre.org/techniques/T1059/003/
YARA-L Detection Query
rule t1059_003_windows_cmd_shell_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1059.003 Windows Command Shell abuse: suspicious cmd.exe executions using certutil, bitsadmin, reg, schtasks, net user, wmic/vssadmin shadow deletion, bcdedit, icacls/takeown, named-pipe redirection, or cmd.exe spawned from Office or script-interpreter parents."
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.003"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1059/003/"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2024-01-01"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // The launched process is cmd.exe (target.process is the child; principal.process is the parent)
    re.regex($e.target.process.file.full_path, `(?i)\\cmd\.exe$`)
    // Either the command line carries a LOLBin / tampering pattern, or the parent is an
    // Office application or script interpreter
    (
      re.regex($e.target.process.command_line,
        `(?i)(certutil\s+(-urlcache|-decode|-encode)|bitsadmin\s+(/transfer|/create)|reg\s+(add|delete|save)\s|schtasks\s+(/create|/change)|net\s+user\s+.*/add|net\s+localgroup\s+administrators|wmic\s+(process\s+call\s+create|shadowcopy\s+delete)|vssadmin\s+delete\s+shadows|bcdedit\s+/set|icacls\s+.*/grant|takeown\s+/f|echo\s+\|\s+set\s+/p=|>\s*\\\\\.\\pipe\\)`) or
      re.regex($e.principal.process.file.full_path,
        `(?i)(winword|excel|powerpnt|outlook|mshta|wscript|cscript|rundll32|regsvr32)\.exe$`)
    )
    // Match variables must be bound in the events section
    $hostname = $e.principal.hostname

  match:
    $hostname over 5m

  outcome:
    // Highest per-event score in the window. Patterns the events section admits but the weighted
    // terms do not cover get a 15-point floor so the condition does not silently drop them.
    $risk_score = max(
      if(re.regex($e.target.process.command_line, `(?i)certutil\s+(-urlcache|-decode)`), 30, 0) +
      if(re.regex($e.target.process.command_line, `(?i)vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete`), 40, 0) +
      if(re.regex($e.target.process.command_line, `(?i)schtasks\s+/create`), 20, 0) +
      if(re.regex($e.target.process.command_line, `(?i)net\s+user\s+.*/add`), 25, 0) +
      if(re.regex($e.target.process.command_line, `(?i)bcdedit\s+/set`), 35, 0) +
      if(re.regex($e.principal.process.file.full_path, `(?i)(mshta|wscript|cscript|rundll32|regsvr32)\.exe$`), 40, 0) +
      if(re.regex($e.principal.process.file.full_path, `(?i)(winword|excel|powerpnt|outlook)\.exe$`), 50, 0) +
      if(re.regex($e.target.process.command_line, `(?i)(certutil\s+-encode|bitsadmin\s+(/transfer|/create)|reg\s+(add|delete|save)\s|schtasks\s+/change|net\s+localgroup\s+administrators|wmic\s+process\s+call\s+create|icacls\s+.*/grant|takeown\s+/f|echo\s+\|\s+set\s+/p=|>\s*\\\\\.\\pipe\\)`), 15, 0)
    )
    // With a match section present, event fields referenced in outcome must be aggregated
    $usernames = array_distinct($e.principal.user.userid)
    $command_lines = array_distinct($e.target.process.command_line)
    $parent_processes = array_distinct($e.principal.process.file.full_path)

  condition:
    $e and $risk_score > 0
}

Chronicle YARA-L 2.0 rule detecting T1059.003 Windows Command Shell abuse using UDM PROCESS_LAUNCH events. It pattern-matches the command line of each cmd.exe launch against known LOLBin abuse patterns (certutil, bitsadmin, reg, schtasks, net user, wmic, vssadmin, bcdedit, icacls, takeown) and flags cmd.exe spawned from Office applications or script interpreters. Events are grouped per host over a 5-minute window and the risk score is the highest per-event score in that window, weighted by the severity of the technique. Note that the rule fires on the cmd.exe launch whose command line embeds the LOLBin, not on the LOLBin's own child-process event.
Data Sources
- UDM PROCESS_LAUNCH events (metadata.event_type = "PROCESS_LAUNCH") from an EDR or Sysmon (Event ID 1) forwarder. The rule reads target.process.file.full_path, target.process.command_line, principal.process.file.full_path, principal.hostname and principal.user.userid, so the parser must populate the parent process path and the full command line of the launched process.
False Positives & Tuning
- Enterprise certificate lifecycle management tools that invoke certutil via cmd.exe for certificate enrollment, renewal, or CRL verification on managed endpoints
- Legitimate system imaging and backup solutions using vssadmin or wmic through batch wrappers to manage snapshot lifecycles during scheduled maintenance windows
- Group Policy-based login scripts distributed via Active Directory that spawn cmd.exe from winlogon to configure user environments using reg, net, or schtasks
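To check the regexes and the scoring before deploying, and to try a parent-process allowlist of the kind the tuning notes above call for, the following Python re-implements the rule's events and outcome logic and runs it over constructed UDM-style PROCESS_LAUNCH events. This is an added example, not code from the page's detection package or from Chronicle: the weights mirror the rule's outcome section, a 15-point floor is applied to the remaining LOLBin patterns so they are not discarded by `$risk_score > 0`, the 5-minute match window is approximated with tumbling buckets, and the `allowlisted_parents` hook, the host names, users and command lines are all assumptions made for the demonstration. The samples include the safe "vssadmin list shadows" variant from Test 2 below and the child-process launches that the rule does not look at.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Patterns taken from the rule's events section (RE2 and Python's re agree on these constructs).
CMD_EXE = re.compile(r"\\cmd\.exe$", re.I)
LOLBIN_CMDLINE = re.compile(
    r"(certutil\s+(-urlcache|-decode|-encode)|bitsadmin\s+(/transfer|/create)|"
    r"reg\s+(add|delete|save)\s|schtasks\s+(/create|/change)|net\s+user\s+.*/add|"
    r"net\s+localgroup\s+administrators|wmic\s+(process\s+call\s+create|shadowcopy\s+delete)|"
    r"vssadmin\s+delete\s+shadows|bcdedit\s+/set|icacls\s+.*/grant|takeown\s+/f|"
    r"echo\s+\|\s+set\s+/p=|>\s*\\\\\.\\pipe\\)", re.I)
SUSPICIOUS_PARENT = re.compile(
    r"(winword|excel|powerpnt|outlook|mshta|wscript|cscript|rundll32|regsvr32)\.exe$", re.I)

# (weight, field, pattern): the if() terms summed inside max() in the outcome section, plus a
# 15-point floor (assumption) for the other events-section patterns so they survive `$risk_score > 0`.
WEIGHTS: List[Tuple[int, str, re.Pattern]] = [
    (30, "command_line", re.compile(r"certutil\s+(-urlcache|-decode)", re.I)),
    (40, "command_line", re.compile(r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)),
    (20, "command_line", re.compile(r"schtasks\s+/create", re.I)),
    (25, "command_line", re.compile(r"net\s+user\s+.*/add", re.I)),
    (35, "command_line", re.compile(r"bcdedit\s+/set", re.I)),
    (40, "parent", re.compile(r"(mshta|wscript|cscript|rundll32|regsvr32)\.exe$", re.I)),
    (50, "parent", re.compile(r"(winword|excel|powerpnt|outlook)\.exe$", re.I)),
    (15, "command_line", re.compile(
        r"(certutil\s+-encode|bitsadmin\s+(/transfer|/create)|reg\s+(add|delete|save)\s|"
        r"schtasks\s+/change|net\s+localgroup\s+administrators|wmic\s+process\s+call\s+create|"
        r"icacls\s+.*/grant|takeown\s+/f|echo\s+\|\s+set\s+/p=|>\s*\\\\\.\\pipe\\)", re.I)),
]


@dataclass(frozen=True)
class ProcessLaunch:
    """Minimal UDM PROCESS_LAUNCH shape: principal.* is the parent, target.* the launched child."""
    ts: int            # event time, seconds since the epoch
    hostname: str      # principal.hostname
    userid: str        # principal.user.userid
    parent: str        # principal.process.file.full_path
    target: str        # target.process.file.full_path
    command_line: str  # target.process.command_line


def matches_events(ev: ProcessLaunch) -> bool:
    """events section: cmd.exe launched with a LOLBin command line or from a suspicious parent."""
    if not CMD_EXE.search(ev.target):
        return False
    return bool(LOLBIN_CMDLINE.search(ev.command_line) or SUSPICIOUS_PARENT.search(ev.parent))


def risk_score(ev: ProcessLaunch) -> int:
    """Per-event score; the outcome section takes max() of this over the match window."""
    return sum(w for w, field, pat in WEIGHTS if pat.search(getattr(ev, field)))


def evaluate(events: Iterable[ProcessLaunch], allowlisted_parents: Iterable[str] = (),
             window_s: int = 300) -> Dict[Tuple[str, int], int]:
    """Approximate `match: $hostname over 5m` with tumbling buckets keyed by (hostname, bucket)
    and return the max score per bucket, keeping only buckets the condition would alert on.
    allowlisted_parents is a tuning hook of this example (not in the rule): parent paths whose
    cmd.exe launches are dropped, e.g. the launcher of Group Policy logon scripts."""
    allow = {p.lower() for p in allowlisted_parents}
    buckets: Dict[Tuple[str, int], int] = {}
    for ev in events:
        if not matches_events(ev) or ev.parent.lower() in allow:
            continue
        key = (ev.hostname, ev.ts // window_s)
        buckets[key] = max(buckets.get(key, 0), risk_score(ev))
    return {k: v for k, v in buckets.items() if v > 0}


T0 = 1_700_000_000
CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"
WINLOGON = r"C:\Windows\System32\winlogon.exe"
# Constructed sample events for this example (not real telemetry)
SAMPLE_EVENTS = [
    # Office macro running a certutil download cradle through cmd.exe: 30 + 50
    ProcessLaunch(T0, "ws01", "alice", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", CMD,
                  r"cmd.exe /c certutil -urlcache -split -f http://127.0.0.1:8080/a.txt %TEMP%\a.txt"),
    # The child launch: target is certutil.exe, so the rule does not look at it
    ProcessLaunch(T0 + 5, "ws01", "alice", CMD, r"C:\Windows\System32\certutil.exe",
                  r"certutil -urlcache -split -f http://127.0.0.1:8080/a.txt %TEMP%\a.txt"),
    # Shadow-copy deletion; again only the cmd.exe launch carries the pattern: 40
    ProcessLaunch(T0, "ws02", "bob", EXPLORER, CMD, "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ProcessLaunch(T0 + 3, "ws02", "bob", CMD, r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    # The safe Atomic variant ("list" instead of "delete") does not meet the regex
    ProcessLaunch(T0, "ws03", "bob", EXPLORER, CMD, "cmd.exe /c vssadmin list shadows"),
    # GPO logon script creating a maintenance task: a true match that tuning should suppress: 20
    ProcessLaunch(T0, "ws04", "carol", WINLOGON, CMD,
                  r'cmd.exe /c schtasks /create /tn Inventory /tr "\\fs01\tools\inv.cmd" /sc daily /st 09:00'),
    # Benign interactive use, then a reg add ten minutes later on the same host (floor score 15)
    ProcessLaunch(T0, "ws05", "dave", EXPLORER, CMD, "cmd.exe /c dir"),
    ProcessLaunch(T0 + 600, "ws05", "dave", EXPLORER, CMD,
                  r"cmd.exe /c reg add HKCU\Software\Contoso /v Tag /t REG_SZ /d x /f"),
]

if __name__ == "__main__":
    for key, score in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(key, score)
    print("tuned:", evaluate(SAMPLE_EVENTS, allowlisted_parents=[WINLOGON]))
```

Running it shows four alerting (host, window) buckets and none for ws03, because "vssadmin list shadows" never satisfies the events section; passing the winlogon path as an allowlisted parent removes the ws04 logon-script alert while leaving the Office and shadow-copy hits untouched. In the real rule the same suppression is written as a `not re.regex($e.principal.process.file.full_path, ...)` line in the events section.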
Testing Methodology
Validate this detection against the 4 Atomic Red Team tests for T1059.003 listed below. Each test names the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro. In Chronicle, the Sysmon Event ID 1 records below arrive as UDM PROCESS_LAUNCH events with the parent in principal.process and the launched process and its command line in target.process; the rule fires on the cmd.exe launch whose command line embeds the LOLBin, not on the child process event.
- Test 1: Certutil Download Cradle
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'certutil -urlcache'. Child process event for certutil.exe. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8080.
- Test 2: Shadow Copy Deletion via cmd.exe
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'vssadmin'. Note: this test uses 'list' instead of 'delete' for safety. In real attacks, 'delete shadows /all /quiet' would be used. Because the rule's regex requires 'vssadmin delete shadows', the safe variant produces the telemetry but does not trigger this rule; use it to confirm that the command line reaches Chronicle, and validate the regex against the real command line offline or in an isolated lab.
- Test 3: Scheduled Task Creation via cmd.exe
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe spawning schtasks.exe. Security Event ID 4698: Scheduled Task Created with task name 'df00tech-test' (4698 is only written when the 'Audit Other Object Access Events' subcategory is enabled).
- Test 4: Local Account Creation via cmd.exe
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with 'net user' in CommandLine. Security Event ID 4720: User Account Created. Security Event ID 4732: Member Added to Security-Enabled Local Group.
References (6)
- https://attack.mitre.org/techniques/T1059/003/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md
- https://lolbas-project.github.io/
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://docs.microsoft.com/en-us/windows/terminal/tutorials/ssh