Detects interactive or scripted abuse of cmd.exe, batch files, or shell invocation chains. Focuses on parent-child relationships (e.g., cmd.exe launched from unusual parents), anomalous command-line parameters, and chaining with discovery, credential access, or lateral movement behaviors.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Script Execution (DC0029) | EDR:scriptblock | Process Tree + Script Block Logging |

| Field | Description |
|---|---|
| ParentProcessName | Cmd.exe launched from uncommon parents (e.g., msedge.exe, winword.exe) may indicate abuse. |
| TimeWindow | Cmd or .bat execution during non-working hours may indicate automation or C2 activity. |
| CommandLinePattern | Flags suspicious switches (e.g., /c ping, /k whoami) or command chaining (&&, ^). |
| ScriptStoragePath | Batch file execution from %TEMP%, C:\Users\Public, or external drives. |
| UserContext | Flags admin-level users executing cmd outside expected baselines. |
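As an added illustration that is not part of this detection strategy page, the following Python applies the tunable fields above to constructed process-creation records shaped like Security EventCode=4688 events; the field names, the uncommon-parent set, the per-admin baseline and the working-hours window are assumptions to be replaced with local baselines.

```python
import re
from datetime import datetime

# Constructed sample records in the shape of Security EventCode=4688 fields
# (field names are assumptions, not a real log export).
SAMPLE_EVENTS = [
    {"time": "2024-03-12T14:05:00", "new_process": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c dir",
     "user": r"ACME\jdoe", "is_admin": False},
    {"time": "2024-03-12T02:17:00", "new_process": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "cmd.exe /c whoami && net view", "user": r"ACME\jdoe", "is_admin": False},
    {"time": "2024-03-12T10:30:00", "new_process": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r"cmd.exe /c C:\Users\Public\update.bat",
     "user": r"ACME\admin01", "is_admin": True},
]

# Tunables mirroring the table: uncommon parents, switches, chaining, script paths, hours.
UNCOMMON_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "msedge.exe"}
SUSPICIOUS_SWITCHES = re.compile(r"/[ck]\s+(ping|whoami|net\s|nltest|systeminfo)\b", re.I)
CHAINING = re.compile(r"&&|\^")
SCRIPT_PATHS = re.compile(r'(%TEMP%|\\Temp\\|C:\\Users\\Public|\b[D-Z]:\\)[^\s"]*\.(bat|cmd)\b', re.I)
WORK_HOURS = range(8, 19)
ADMIN_BASELINE = {r"ACME\admin01": {"mmc.exe", "services.exe"}}  # assumed per-admin expected parents

def score_event(ev):
    """Return the tunable fields an event trips, in table order; empty if not cmd.exe."""
    if not ev["new_process"].lower().endswith("\\cmd.exe"):
        return []
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    cmdline = ev["cmdline"]
    hits = []
    if parent in UNCOMMON_PARENTS:
        hits.append("ParentProcessName")
    if datetime.fromisoformat(ev["time"]).hour not in WORK_HOURS:
        hits.append("TimeWindow")
    if SUSPICIOUS_SWITCHES.search(cmdline) or CHAINING.search(cmdline):
        hits.append("CommandLinePattern")
    if SCRIPT_PATHS.search(cmdline):
        hits.append("ScriptStoragePath")
    if ev["is_admin"] and parent not in ADMIN_BASELINE.get(ev["user"], set()):
        hits.append("UserContext")
    return hits

def alerts(events, min_hits=2):
    """Events tripping at least min_hits fields; a single weak signal alone is usually noise."""
    return [(ev["cmdline"], h) for ev in events if len(h := score_event(ev)) >= min_hits]

if __name__ == "__main__":
    for cmdline, fields in alerts(SAMPLE_EVENTS):
        print(cmdline, "->", ", ".join(fields))
```

Requiring two or more tripped fields keeps routine `cmd.exe /c dir` from an interactive shell out of the alert queue while still surfacing the Office-spawned, after-hours discovery chain and the admin-run batch file from a public path.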