title: Cmd.EXE Missing Space Characters Execution Anomaly
id: a16980c2-0c56-4de0-9a79-17971979efdd
status: test
description: |
    Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.
    This could be a sign of obfuscation or a fat finger problem (typo by the developer).
references:
    - https://twitter.com/cyb3rops/status/1562072617552678912
    - https://ss64.com/nt/cmd.html
author: Florian Roth (Nextron Systems)
date: 2022-08-23
modified: 2023-03-06
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection1: # missing space before the /c
        CommandLine|contains:
            - 'cmd.exe/c'
            - '\cmd/c' # just cmd/c would be prone to false positives
            - '"cmd/c'
            - 'cmd.exe/k'
            - '\cmd/k' # just cmd/k would be prone to false positives
            - '"cmd/k'
            - 'cmd.exe/r'
            - '\cmd/r' # just cmd/r would be prone to false positives
            - '"cmd/r'
    selection2: # special cases verified via Virustotal Enterprise search
        CommandLine|contains:
            - '/cwhoami'
            - '/cpowershell'
            - '/cschtasks'
            - '/cbitsadmin'
            - '/ccertutil'
            - '/kwhoami'
            - '/kpowershell'
            - '/kschtasks'
            - '/kbitsadmin'
            - '/kcertutil'
    selection3: # missing space after the /c
        CommandLine|contains:
            - 'cmd.exe /c'
            - 'cmd /c'
            - 'cmd.exe /k'
            - 'cmd /k'
            - 'cmd.exe /r'
            - 'cmd /r'
    filter_generic:
        CommandLine|contains:
            - 'cmd.exe /c '
            - 'cmd /c '
            - 'cmd.exe /k '
            - 'cmd /k '
            - 'cmd.exe /r '
            - 'cmd /r '
    filter_fp:
        - CommandLine|contains: 'AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules'
        - CommandLine|endswith: 'cmd.exe/c .'
        - CommandLine: 'cmd.exe /c'
    condition: 1 of selection* and not 1 of filter_*
falsepositives:
    - Unknown
level: high
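As an added example (not code from the rule or from the SigmaHQ project), the detection logic above re-implemented in plain Python and run over a few constructed command lines. It makes the interplay between selection3 and filter_generic visible: a well-formed `cmd /c <x>` hits selection3 but is removed by the trailing-space filter, while `cmd /c<x>` survives and alerts.

```python
# Added example, not part of the Sigma rule or the SigmaHQ project: a plain-Python
# re-implementation of the rule's detection logic so the selections and filters can be
# exercised offline. Sigma's contains/endswith modifiers are case-insensitive, so every
# comparison is done on lower-cased strings.

SELECTION1 = ['cmd.exe/c', '\\cmd/c', '"cmd/c',          # missing space before the flag
              'cmd.exe/k', '\\cmd/k', '"cmd/k',
              'cmd.exe/r', '\\cmd/r', '"cmd/r']
SELECTION2 = ['/cwhoami', '/cpowershell', '/cschtasks', '/cbitsadmin', '/ccertutil',
              '/kwhoami', '/kpowershell', '/kschtasks', '/kbitsadmin', '/kcertutil']
SELECTION3 = ['cmd.exe /c', 'cmd /c', 'cmd.exe /k', 'cmd /k', 'cmd.exe /r', 'cmd /r']
# filter_generic is selection3 followed by a space: the normal, well-formed invocation
FILTER_GENERIC = [s + ' ' for s in SELECTION3]
FILTER_FP_CONTAINS = 'AppData\\Local\\Programs\\Microsoft VS Code\\resources\\app\\node_modules'
FILTER_FP_ENDSWITH = 'cmd.exe/c .'
FILTER_FP_EXACT = 'cmd.exe /c'


def _contains_any(lowered: str, needles) -> bool:
    return any(n.lower() in lowered for n in needles)


def matches_rule(cmdline: str) -> bool:
    """True when the command line satisfies '1 of selection* and not 1 of filter_*'."""
    c = cmdline.lower()
    selected = (_contains_any(c, SELECTION1) or _contains_any(c, SELECTION2)
                or _contains_any(c, SELECTION3))
    if not selected:
        return False
    filtered = (_contains_any(c, FILTER_GENERIC)
                or FILTER_FP_CONTAINS.lower() in c
                or c.endswith(FILTER_FP_ENDSWITH)
                or c == FILTER_FP_EXACT)
    return not filtered


# Constructed sample command lines (not real telemetry); each comment gives the expected verdict.
SAMPLES = [
    r'C:\Windows\System32\cmd.exe /c whoami',   # well-formed: excluded by filter_generic
    r'C:\Windows\System32\cmd.exe/c whoami',    # no space before /c: selection1 -> alert
    'cmd /cschtasks /query',                    # no space after /c: selection2 and 3 -> alert
    'cmd.exe /c',                               # bare call: excluded by filter_fp (exact match)
    r'C:\Windows\System32\cmd.exe/c .',         # excluded by filter_fp (endswith)
]


def flagged(cmdlines) -> list:
    """Return the command lines the rule would alert on, in input order."""
    return [c for c in cmdlines if matches_rule(c)]


if __name__ == '__main__':
    print('\n'.join(flagged(SAMPLES)))
```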
imProcessCreate
| where (
    (TargetProcessCommandLine contains "cmd.exe/c" or TargetProcessCommandLine contains "\\cmd/c" or TargetProcessCommandLine contains "\"cmd/c"
     or TargetProcessCommandLine contains "cmd.exe/k" or TargetProcessCommandLine contains "\\cmd/k" or TargetProcessCommandLine contains "\"cmd/k"
     or TargetProcessCommandLine contains "cmd.exe/r" or TargetProcessCommandLine contains "\\cmd/r" or TargetProcessCommandLine contains "\"cmd/r")
    or (TargetProcessCommandLine contains "/cwhoami" or TargetProcessCommandLine contains "/cpowershell" or TargetProcessCommandLine contains "/cschtasks" or TargetProcessCommandLine contains "/cbitsadmin" or TargetProcessCommandLine contains "/ccertutil"
     or TargetProcessCommandLine contains "/kwhoami" or TargetProcessCommandLine contains "/kpowershell" or TargetProcessCommandLine contains "/kschtasks" or TargetProcessCommandLine contains "/kbitsadmin" or TargetProcessCommandLine contains "/kcertutil")
    or (TargetProcessCommandLine contains "cmd.exe /c" or TargetProcessCommandLine contains "cmd /c" or TargetProcessCommandLine contains "cmd.exe /k" or TargetProcessCommandLine contains "cmd /k" or TargetProcessCommandLine contains "cmd.exe /r" or TargetProcessCommandLine contains "cmd /r")
  )
  and (not(
    (TargetProcessCommandLine contains "cmd.exe /c " or TargetProcessCommandLine contains "cmd /c " or TargetProcessCommandLine contains "cmd.exe /k " or TargetProcessCommandLine contains "cmd /k " or TargetProcessCommandLine contains "cmd.exe /r " or TargetProcessCommandLine contains "cmd /r ")
    or (TargetProcessCommandLine in~ ("cmd.exe /c") or TargetProcessCommandLine contains "AppData\\Local\\Programs\\Microsoft VS Code\\resources\\app\\node_modules" or TargetProcessCommandLine endswith "cmd.exe/c .")
  ))
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |