Try in Splunk Security Cloud


Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques–one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Endpoint_Processes
  • Last Updated: 2020-02-03
  • Author: Bhavin Patel, Splunk
  • ID: f4368ddf-d59f-4192-84f6-778ac5a3ffc7


The ability to execute arbitrary commands via the Windows CLI is a primary goal for the adversary. With access to the shell, an attacker can easily run scripts and interact with the target system. Often, attackers may only have limited access to the shell or may obtain access in unusual ways. In addition, malware may execute and interact with the CLI in ways that would be considered unusual and inconsistent with typical user activity. This provides defenders with opportunities to identify suspicious use and investigate, as appropriate. This Analytic Story contains various searches to help identify this suspicious activity, as well as others to aid you in deeper investigation.


Name Technique Type
Detect Prohibited Applications Spawning cmd exe Command and Scripting Interpreter Anomaly
Detect Prohibited Applications Spawning cmd exe Command and Scripting Interpreter, Windows Command Shell Hunting
Detect Use of cmd exe to Launch Script Interpreters Command and Scripting Interpreter, Windows Command Shell TTP
First time seen command line argument PowerShell, Windows Command Shell Hunting
Potentially malicious code on commandline Windows Command Shell Anomaly
System Processes Run From Unexpected Locations Masquerading, Rename System Utilities TTP
Unusually Long Command Line   Anomaly
Unusually Long Command Line - MLTK   Anomaly


source | version: 2