
Summary
This rule targets the execution of .cmd files via cmd.exe, a technique adversaries often use to masquerade malicious activity as legitimate operations. By manipulating artifacts so that they appear benign, attackers can bypass security mechanisms designed to protect systems. The detection focuses on instances where cmd.exe is invoked with the '/c' parameter, which tells cmd.exe to execute the supplied command or script and then terminate. The context here is malware behavior in which .cmd files masquerade as safe file types, such as PDFs inside zip archives, a tactic used by various threat actors including Andariel, APT28, and others. The query logic is implemented in a Snowflake environment and matches relevant process events collected from endpoint devices via CrowdStrike EDR logs. Notably, this technique has been attributed to sophisticated threats, reinforcing the importance of careful monitoring for these command executions.
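As an added illustration of the logic described above (this is not the rule's actual Snowflake query and does not use CrowdStrike's real schema), the following Python loads a handful of constructed process events into an in-memory SQLite table with assumed column names, runs a SQL approximation of the detection (cmd.exe invoked with '/c' and a .cmd file on the command line), and then flags the double-extension masquerade case such as Invoice.pdf.cmd that the summary calls out. Snowflake would typically use ILIKE or RLIKE for the same match; SQLite's LIKE is case-insensitive for ASCII, which is what makes the '/C' variant match here.

```python
import re
import sqlite3

# Constructed sample events, loosely modelled on EDR process-execution telemetry.
# Column names (host, parent_name, process_name, command_line) are assumptions,
# not CrowdStrike's real field names.
SAMPLE_EVENTS = [
    ("host-01", "explorer.exe", "cmd.exe",
     r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\Invoice.pdf.cmd"'),   # masquerade
    ("host-02", "7zFM.exe", "cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C C:\Users\bob\Downloads\report.cmd'),  # plain .cmd via /C
    ("host-03", "explorer.exe", "cmd.exe", r"cmd.exe /k dir"),                # /k, not /c
    ("host-04", "svchost.exe", "cmd.exe", r"cmd.exe /c echo hello"),          # /c but no .cmd file
    ("host-05", "outlook.exe", "powershell.exe",
     r"powershell.exe -c Start-Process C:\tmp\x.cmd"),                         # not cmd.exe
]

# Approximation of the described detection: process is cmd.exe, the '/c' switch is
# present, and a .cmd file appears on the command line. The leading space before
# '/c' avoids matching '/c' embedded inside a path.
DETECTION_SQL = """
SELECT host, parent_name, process_name, command_line
FROM process_events
WHERE LOWER(process_name) = 'cmd.exe'
  AND command_line LIKE '% /c%'
  AND command_line LIKE '%.cmd%'
ORDER BY host
"""

# Double extension where a document-like extension precedes .cmd (e.g. Invoice.pdf.cmd).
MASQUERADE_RE = re.compile(
    r'\.(?:pdf|docx?|xlsx?|txt|jpe?g|png)\.cmd(?:"|\s|$)', re.IGNORECASE
)


def run_detection(events=SAMPLE_EVENTS):
    """Load the events into SQLite and return the rows matched by DETECTION_SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE process_events "
        "(host TEXT, parent_name TEXT, process_name TEXT, command_line TEXT)"
    )
    conn.executemany("INSERT INTO process_events VALUES (?, ?, ?, ?)", events)
    rows = conn.execute(DETECTION_SQL).fetchall()
    conn.close()
    return rows


def find_masquerading(rows):
    """Return the hosts whose matched command line carries a double-extension .cmd file."""
    return [row[0] for row in rows if MASQUERADE_RE.search(row[3])]


if __name__ == "__main__":
    hits = run_detection()
    for host, parent, proc, cmdline in hits:
        print(f"{host}: {parent} -> {proc}: {cmdline}")
    print("double-extension masquerade on:", find_masquerading(hits))
```

On the constructed data the query returns host-01 and host-02, and only host-01 is flagged as a double-extension masquerade. In practice 'cmd.exe /c' alone is extremely noisy on Windows endpoints, so the .cmd requirement, the parent process (archive tools, mail and browser processes) and the double-extension pattern are what make the alert actionable.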
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1036
- T1059.003
Created: 2024-02-09