there are circumstances where an application may legitimately execute and interact with the windows command-line interface. investigate and modify the lookup file, as appropriate.

t1059
t1059.003
endpoint
splunk

Techniques

T1059
T1059.003

Sample rules

Detect Prohibited Applications Spawning cmd exe

source: splunk
technicques:
- T1059
- T1059.003

Description

This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe.

Detection logic


| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
|search [`prohibited_apps_launching_cmd_macro`] 
| `detect_prohibited_applications_spawning_cmd_exe_filter`