Analytics Story: Suspicious Command-Line Executions

Description

Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques, and one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.

Why it matters

The ability to execute arbitrary commands via the Windows CLI is a primary goal for the adversary. With access to the shell, an attacker can easily run scripts and interact with the target system. Often, attackers have only limited access to the shell or obtain that access in unusual ways. In addition, malware may execute and interact with the CLI in ways that are unusual and inconsistent with typical user activity. This gives defenders opportunities to identify suspicious use and investigate as appropriate. This Analytic Story contains searches that help identify such suspicious activity, as well as others that support deeper investigation.

Detections

Name                                                          Technique                                                 Type
------------------------------------------------------------  --------------------------------------------------------  -------
First time seen command line argument                         PowerShell, Windows Command Shell                         Hunting
Detect Prohibited Applications Spawning cmd exe               Command and Scripting Interpreter, Windows Command Shell  Hunting
Detect suspicious processnames using pretrained model in DSDL  Command and Scripting Interpreter                         Anomaly
Detect Use of cmd exe to Launch Script Interpreters           Command and Scripting Interpreter, Windows Command Shell  TTP
Potentially malicious code on commandline                     Windows Command Shell                                     Anomaly
System Processes Run From Unexpected Locations                Masquerading, Rename System Utilities                     Anomaly
Unusually Long Command Line                                   None                                                      Anomaly
Unusually Long Command Line - MLTK                            None                                                      Anomaly

Data Sources

Name                              Platform  Sourcetype                  Source
--------------------------------  --------  --------------------------  ---------------------------------------------------
CrowdStrike ProcessRollup2        N/A       crowdstrike:events:sensor   crowdstrike
Sysmon EventID 1                  Windows   xmlwineventlog              XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688   Windows   xmlwineventlog              XmlWinEventLog:Security

Source: GitHub | Version: 2