DET0202 Behavioral Detection of Windows Command Shell Execution

Item	Value
ID	DET0202
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1059.003 (Windows Command Shell)

Analytics

Windows

AN0578

Detects interactive or scripted abuse of cmd.exe, batch files, or shell invocation chains. Focuses on parent-child relationships (e.g., cmd.exe launched from unusual parents), anomalous command-line parameters, and chaining with discovery, credential access, or lateral movement behaviors.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	WinEventLog:Security	EventCode=4688
Module Load (DC0016)	WinEventLog:Sysmon	EventCode=7
Script Execution (DC0029)	EDR:scriptblock	Process Tree + Script Block Logging

Mutable Elements

Field	Description
ParentProcessName	Cmd.exe launched from uncommon parents (e.g., msedge.exe, winword.exe) may indicate abuse.
TimeWindow	Cmd or .bat execution during non-working hours may indicate automation or C2 activity.
CommandLinePattern	Flags suspicious switches (e.g., /c ping, /k whoami) or command chaining (&&, ^).
ScriptStoragePath	Batch file execution from %TEMP%, C:\Users\Public, or external drives.
UserContext	Flags admin-level users executing cmd outside expected baselines.