This note documents detection patterns related to Command Shell Abuse within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Core source for cmd.exe execution and arguments. |
| Sysmon | 1 | Process creation | Critical | Best source for lineage, hashes, and parent process context. |
| Sysmon | 11 | File create | High | Output files, redirected results, dropped payloads. |
| Sysmon | 3 | Network connection | High | Shell-triggered outbound connections. |
| PowerShell | 4104 | Script block logging | Medium | When PowerShell launches cmd wrappers. |
| Sysmon | 23 | File delete | Medium | Cleanup after shell execution. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Suspicious parent launches cmd | Office, browser, service, WMI | Critical | High-confidence signal. |
| Redirection abuse | >, 2>&1, pipes | High | Output capture / stealth clue. |
| Chained commands | &&, \|, & | | |
| Encoded child follows | cmd spawns PowerShell / LOLBIN | Critical | Staging indicator. |
| Hidden shell flags | /Q /c | High | Common stealth flags. |
| Short-lived shell | Rapid execution and exit | High | Operator automation clue. |
Common Tools
| Tool | Usage |
|---|---|
| cmd.exe | Core shell execution |
| conhost.exe | Console host |
| batch scripts | Multi-command staging |
| schtasks.exe | Shell trigger |
| services.exe | Service-spawned shell |
Relevant Artifacts
- Security Event ID 4688
- Sysmon Event IDs 1, 3, 11, 23
- Prefetch:
  - CMD.EXE
  - CONHOST.EXE
- Amcache / ShimCache
- Batch files
- MFT / USN for redirected outputs
- EDR process tree
MITRE ATT&CK References
- T1059.003 Windows Command Shell
Decision Tree
- Which parent launched cmd?
  - User shell
  - Office
  - Service
  - WMI
- Arguments suspicious?
  - /c, /q
  - Redirection
  - Chain operators
- Child process follows?
  - PowerShell
  - LOLBIN
  - Admin tools
- Output stored?
  - File
  - Share
  - Temp folder
- Expand:
  - Adjacent recon
  - Persistence
  - Network
- Scope:
  - Single shell
  - Burst shells
  - Scripted chain
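The first three questions of the decision tree, walked over constructed process-creation records, as an added example that is not part of the original note. The simplified event field names, the list of suspicious parents and the Medium weight for chained commands are assumptions.

```python
import re

# Constructed sample records in a simplified Sysmon Event ID 1 / Security 4688 shape.
# Not real telemetry; the "-enc AAAA" argument is a placeholder, not a real payload.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "cmd.exe /Q /c whoami > %TEMP%\\o.txt 2>&1 && powershell -enc AAAA"},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c net user"},
]

# Parents the note flags (Office, browser, service, WMI); assumed list, tune per environment.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "chrome.exe", "msedge.exe", "firefox.exe",
                      "services.exe", "wmiprvse.exe"}
HIDDEN_FLAGS = re.compile(r"(?:^|\s)/[qc](?=\s|$)", re.IGNORECASE)  # /Q, /c
REDIRECTION = re.compile(r"[>|]")                                    # >, 2>&1, pipes
CHAIN_OPS = re.compile(r"&&|\||(?<![>&])&(?!&)")                     # &&, |, & (skips the & in 2>&1)
STAGING_CHILD = re.compile(r"\b(powershell|pwsh|mshta|rundll32|regsvr32|certutil)\b",
                           re.IGNORECASE)


def triage(event):
    """Walk the decision tree for one cmd.exe launch and return weighted reasons."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmdline = event["CommandLine"]
    reasons = []
    if parent in SUSPICIOUS_PARENTS:                  # Which parent launched cmd?
        reasons.append(("Critical", f"suspicious parent {parent}"))
    if HIDDEN_FLAGS.search(cmdline):                  # Arguments suspicious?
        reasons.append(("High", "hidden shell flags"))
    if REDIRECTION.search(cmdline):
        reasons.append(("High", "output redirection"))
    if CHAIN_OPS.search(cmdline):                     # note gives no value; Medium is assumed
        reasons.append(("Medium", "chained commands"))
    if STAGING_CHILD.search(cmdline):                 # Child process follows?
        reasons.append(("Critical", "staging child (PowerShell / LOLBIN)"))
    crit = sum(1 for weight, _ in reasons if weight == "Critical")
    high = sum(1 for weight, _ in reasons if weight == "High")
    verdict = "investigate" if crit or high >= 2 else "baseline"
    return {"verdict": verdict, "reasons": reasons}


def triage_all(events=SAMPLE_EVENTS):
    """Verdict per event, in input order."""
    return [triage(e)["verdict"] for e in events]
```

A bare `cmd.exe` from the user shell stays at baseline; the Office-spawned and WMI-spawned launches are routed to investigation.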
Example Detection Templates
KQL
```kql
// Security 4688: cmd.exe launches with parent and full arguments
SecurityEvent
| where EventID == 4688
| where NewProcessName endswith "\\cmd.exe"
| project TimeGenerated, Computer, ParentProcessName, CommandLine
```

```kql
// Sysmon 1: same launches with parent image for lineage
Sysmon
| where EventID == 1
| where Image endswith "\\cmd.exe"
| project TimeGenerated, Computer, ParentImage, CommandLine
```
EQL
```eql
// Any cmd.exe launch
process where process.name == "cmd.exe"
```

```eql
// cmd.exe followed within 5 minutes by a child it spawned on the same host
sequence by host.name with maxspan=5m
  [ process where process.name == "cmd.exe" ]
  [ process where process.parent.name == "cmd.exe" ]
```
Sigma
```yaml
title: Command Shell Abuse Detection
id: 7d3e2b41-command-shell   # Sigma expects a UUID here; replace before deploying
status: experimental
description: Detects suspicious cmd.exe execution
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    NewProcessName|endswith: '\cmd.exe'
  condition: selection
fields:
  - ParentProcessName
  - CommandLine
falsepositives:
  - Administrative shell use
level: medium
tags:
  - attack.execution
  - attack.t1059.003
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Parent-child monitoring | Alert on abnormal shell parents | Critical | Strong signal |
| Command-line retention | Preserve shell arguments | Critical | Essential context |
| Sequence analytics | Detect shell chains | High | Strong operator detection |
| Application control | Restrict scripted shells | High | Reduces abuse |
| EDR lineage | Track full shell tree | Critical | Best operational visibility |