Cmd Launched with Hidden Start Flags to Suspicious Targets
- source: sigma
- techniques:
  - t1564
  - t1564.003
Description
Detects cmd.exe executing commands with the “start” utility using “/b” (no window) or “/min” (minimized) flags. To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories. This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
Detection logic
condition: all of selection_cmd_* and 1 of selection_cli_*
selection_cli_susp_extension:
  CommandLine|contains:
    - .bat
    - .cmd
    - .cpl
    - .hta
    - .js
    - .ps1
    - .scr
    - .vbe
    - .vbs
selection_cli_susp_pattern:
  CommandLine|contains:
    - ' -nop '
    - ' -sta '
    - .downloadfile(
    - .downloadstring(
    - '-noni '
    - '-w hidden '
selection_cli_uncommon_location:
  CommandLine|contains:
    - :\Perflogs\
    - :\Temp\
    - :\Users\Default\
    - :\Windows\Temp\
    - \AppData\Roaming\
    - \Contacts\
    - \Documents\
    - \Downloads\
    - \Favorites\
    - \Favourites\
    - \inetpub\
    - \Music\
    - \Photos\
    - \Temporary Internet\
    - \Users\Public\
    - \Videos\
selection_cmd_hidden_start_1:
  CommandLine|contains|windash:
    - 'start '
    - start/b
    - start/min
selection_cmd_hidden_start_2:
  CommandLine|contains|windash:
    - '/b '
    - /b"
    - '/min '
    - /min"
selection_cmd_img:
  - Image|endswith: \cmd.exe
  - OriginalFileName: Cmd.Exe
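To see how the condition composes, here is an added Python evaluator (not code from the Sigma project) that re-implements the rule's logic over a few constructed process-creation events. It assumes Sigma semantics that the rule relies on: `contains` is case-insensitive, `|windash` expands each `/` in a pattern to the dash forms (`-`, en dash, em dash), and the list form of `selection_cmd_img` means either field alone satisfies that selection. The event records and their field values are made up for the demonstration.

```python
import itertools

# Added example (not the Sigma project's code): re-implements the rule's detection
# logic so the effect of windash and the "all of / 1 of" condition can be inspected.
# Field names (Image, OriginalFileName, CommandLine) come from the rule; the events are constructed.

DASHES = ("/", "-", "\u2013", "\u2014")  # '/' plus the dash forms Sigma's windash expands to


def windash_variants(pattern: str) -> set[str]:
    """Expand a pattern the way Sigma's |windash modifier does: each '/' may also be a dash."""
    parts = pattern.split("/")
    if len(parts) == 1:
        return {pattern}
    variants = set()
    for combo in itertools.product(DASHES, repeat=len(parts) - 1):
        s = parts[0]
        for dash, rest in zip(combo, parts[1:]):
            s += dash + rest
        variants.add(s)
    return variants


# Selections transcribed from the rule.
CLI_SELECTIONS = {
    "selection_cli_susp_extension": [".bat", ".cmd", ".cpl", ".hta", ".js", ".ps1", ".scr", ".vbe", ".vbs"],
    "selection_cli_susp_pattern": [" -nop ", " -sta ", ".downloadfile(", ".downloadstring(", "-noni ", "-w hidden "],
    "selection_cli_uncommon_location": [
        ":\\Perflogs\\", ":\\Temp\\", ":\\Users\\Default\\", ":\\Windows\\Temp\\", "\\AppData\\Roaming\\",
        "\\Contacts\\", "\\Documents\\", "\\Downloads\\", "\\Favorites\\", "\\Favourites\\", "\\inetpub\\",
        "\\Music\\", "\\Photos\\", "\\Temporary Internet\\", "\\Users\\Public\\", "\\Videos\\",
    ],
}
CMD_HIDDEN_START_1 = ["start ", "start/b", "start/min"]   # CommandLine|contains|windash
CMD_HIDDEN_START_2 = ["/b ", '/b"', "/min ", '/min"']     # CommandLine|contains|windash


def contains_any(value: str, patterns, windash: bool = False) -> bool:
    """Sigma 'contains' is case-insensitive; windash adds dash variants of each pattern."""
    haystack = value.lower()
    for pattern in patterns:
        candidates = windash_variants(pattern) if windash else {pattern}
        if any(c.lower() in haystack for c in candidates):
            return True
    return False


def is_cmd_image(event: dict) -> bool:
    """selection_cmd_img is a list of two maps, so either field alone satisfies it."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\cmd.exe") or original == "cmd.exe"


def evaluate(event: dict) -> tuple[bool, list[str]]:
    """Return (matched, names of the selections that fired), mirroring
    condition: all of selection_cmd_* and 1 of selection_cli_*"""
    cmdline = event.get("CommandLine", "")
    fired = []
    if is_cmd_image(event):
        fired.append("selection_cmd_img")
    if contains_any(cmdline, CMD_HIDDEN_START_1, windash=True):
        fired.append("selection_cmd_hidden_start_1")
    if contains_any(cmdline, CMD_HIDDEN_START_2, windash=True):
        fired.append("selection_cmd_hidden_start_2")
    all_cmd = len(fired) == 3
    for name, patterns in CLI_SELECTIONS.items():
        if contains_any(cmdline, patterns):
            fired.append(name)
    one_cli = any(n.startswith("selection_cli_") for n in fired)
    return all_cmd and one_cli, fired


# Constructed sample events (not real telemetry).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd.exe /c start /b "C:\\Users\\Public\\update.vbs"'},          # script in public dir
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c start /min notepad.exe"},                           # hidden start, benign target
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe -c start -b powershell -noni -w hidden -c Get-Date"},  # dashes instead of slashes
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe start /b C:\\Temp\\run.bat"},                   # not cmd.exe
]

if __name__ == "__main__":
    for ev in EVENTS:
        matched, fired = evaluate(ev)
        print("MATCH " if matched else "no    ", ev["CommandLine"], fired)
```

The second event shows the false-positive control described in the rule: both `selection_cmd_*` selections fire, but with no script extension, suspicious flag or uncommon path the `1 of selection_cli_*` clause is unsatisfied. The third event only matches because `windash` turns `/b ` into `-b `; without that modifier the same command line would slip past the hidden-start check.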