
Cmd.EXE Missing Space Characters Execution Anomaly

Severity
high
Author
Florian Roth (Nextron Systems)
Source
upstream

Detects Windows command lines that lack a space before or after the /c flag when running a command with cmd.exe. This could be a sign of obfuscation or of a fat-finger problem (a typo by the developer).

MITRE ATT&CK coverage

Tactic    | Technique
Execution | T1059.001 Command and Scripting Interpreter: PowerShell

Event coverage

Provider          | Event ID | Title
Sysmon            | 1        | Process creation
Security-Auditing | 4688     | A new process has been created.

Stages and Predicates

Stage 1: 1 of selection1

or:
CommandLine|contains: '"cmd/c'
CommandLine|contains: '"cmd/k'
CommandLine|contains: '"cmd/r'
CommandLine|contains: '\cmd/c'
CommandLine|contains: '\cmd/k'
CommandLine|contains: '\cmd/r'
CommandLine|contains: 'cmd.exe/c'
CommandLine|contains: 'cmd.exe/k'
CommandLine|contains: 'cmd.exe/r'

Stage 2: 1 of selection2

or:
CommandLine|contains: '/cbitsadmin'
CommandLine|contains: '/ccertutil'
CommandLine|contains: '/cpowershell'
CommandLine|contains: '/cschtasks'
CommandLine|contains: '/cwhoami'
CommandLine|contains: '/kbitsadmin'
CommandLine|contains: '/kcertutil'
CommandLine|contains: '/kpowershell'
CommandLine|contains: '/kschtasks'
CommandLine|contains: '/kwhoami'

Stage 3: 1 of selection3

or:
CommandLine|contains: 'cmd /c'
CommandLine|contains: 'cmd /k'
CommandLine|contains: 'cmd /r'
CommandLine|contains: 'cmd.exe /c'
CommandLine|contains: 'cmd.exe /k'
CommandLine|contains: 'cmd.exe /r'

Stage 4: not 1 of filter_*

or:
CommandLine|endswith: 'cmd.exe/c .'
CommandLine: 'cmd.exe /c'
CommandLine|contains: 'AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules'
CommandLine|contains: 'cmd /c '
CommandLine|contains: 'cmd /k '
CommandLine|contains: 'cmd /r '
CommandLine|contains: 'cmd.exe /c '
CommandLine|contains: 'cmd.exe /k '
CommandLine|contains: 'cmd.exe /r '
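A reference implementation of the four stages above, added here as an example (it is not code from the Sigma rule or the catalog). The pattern lists are copied from the stages; the combining condition "any selection stage matches and no filter matches" is the assumed reading of Stages 1 to 4, and the sample command lines are constructed, not real telemetry.

```python
# Added example: evaluates the rule's stage logic over constructed command lines.
# Sigma string modifiers match case-insensitively, so everything is lowercased.
# Combining condition (assumed from Stages 1-4): 1 of selection* and not 1 of filter_*.

SELECTION1 = ['"cmd/c', '"cmd/k', '"cmd/r', '\\cmd/c', '\\cmd/k', '\\cmd/r',
              'cmd.exe/c', 'cmd.exe/k', 'cmd.exe/r']
SELECTION2 = ['/cbitsadmin', '/ccertutil', '/cpowershell', '/cschtasks',
              '/cwhoami', '/kbitsadmin', '/kcertutil', '/kpowershell',
              '/kschtasks', '/kwhoami']
SELECTION3 = ['cmd /c', 'cmd /k', 'cmd /r', 'cmd.exe /c', 'cmd.exe /k', 'cmd.exe /r']

# Stage 4: any filter hit suppresses the alert. The trailing spaces matter:
# they let a properly spaced "cmd /c dir" pass while "cmd /cwhoami" still fires.
FILTER_CONTAINS = [
    'AppData\\Local\\Programs\\Microsoft VS Code\\resources\\app\\node_modules',
    'cmd /c ', 'cmd /k ', 'cmd /r ', 'cmd.exe /c ', 'cmd.exe /k ', 'cmd.exe /r ',
]
FILTER_ENDSWITH = ['cmd.exe/c .']
FILTER_EQ = ['cmd.exe /c']


def matches(command_line: str) -> bool:
    """Return True when the rule fires for this process command line."""
    cl = command_line.lower()
    selected = any(p.lower() in cl for p in SELECTION1 + SELECTION2 + SELECTION3)
    if not selected:
        return False
    filtered = (any(p.lower() in cl for p in FILTER_CONTAINS)
                or any(cl.endswith(p.lower()) for p in FILTER_ENDSWITH)
                or any(cl == p.lower() for p in FILTER_EQ))
    return not filtered


# Constructed sample command lines (not real telemetry) with the expected verdict.
SAMPLES = {
    'cmd.exe/c whoami': True,                        # Stage 1: no space before /c
    'cmd /cpowershell -NoProfile': True,             # Stages 2+3: no space after /c
    'C:\\Windows\\System32\\cmd.exe /c dir': False,  # filtered: spaces on both sides
    'cmd.exe /c': False,                             # filtered: exact "cmd.exe /c"
    'cmd.exe/c .': False,                            # filtered: ends with "cmd.exe/c ."
}


def evaluate_samples() -> dict:
    """Run every sample through the rule; a wrong verdict would expose a logic error."""
    return {cl: matches(cl) for cl in SAMPLES}
```

Comparing `evaluate_samples()` against `SAMPLES` is a quick regression check when the selection or filter lists are edited.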

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or 1 means the indicator is specific to this rule.

Field: CommandLine | Kind: ends_with
  • cmd.exe/c .

Field: CommandLine | Kind: eq
  • cmd.exe /c

Field: CommandLine | Kind: match
  • "cmd/c
  • "cmd/k
  • "cmd/r
  • /cbitsadmin
  • /ccertutil
  • /cpowershell
  • /cschtasks
  • /cwhoami
  • /kbitsadmin
  • /kcertutil
  • /kpowershell
  • /kschtasks
  • /kwhoami
  • AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules
  • \cmd/c
  • \cmd/k
  • \cmd/r
  • cmd /c (corpus 4, sigma 4)
  • cmd /c (corpus 5, sigma 5)
  • cmd /k (corpus 3, sigma 3)
  • cmd /k (corpus 5, sigma 5)
  • cmd /r (corpus 3, sigma 3)
  • cmd /r (corpus 5, sigma 5)
  • cmd.exe /c (corpus 3, sigma 3)
  • cmd.exe /c (corpus 6, sigma 6)
  • cmd.exe /k (corpus 3, sigma 3)
  • cmd.exe /k (corpus 6, sigma 6)
  • cmd.exe /r (corpus 3, sigma 3)
  • cmd.exe /r (corpus 6, sigma 6)
  • cmd.exe/c
  • cmd.exe/k
  • cmd.exe/r

The pairs of values that look identical above differ only in a trailing space, which this listing does not show: the selection pattern (Stage 3) has none, and the filter pattern (Stage 4) ends with one.