Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Cmd.EXE Missing Space Characters Execution Anomaly

Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe. This could be a sign of obfuscation of a fat finger problem (typo by the developer).

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Tue Aug 23Updated Mon Mar 06a16980c2-0c56-4de0-9a79-17971979efddwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic5 selectors
detection:
    selection1:  # missing space before the /c
        CommandLine|contains:
            - 'cmd.exe/c'
            - '\cmd/c'  # just cmd/c would be prone to false positives
            - '"cmd/c'
            - 'cmd.exe/k'
            - '\cmd/k'  # just cmd/k would be prone to false positives
            - '"cmd/k'
            - 'cmd.exe/r'
            - '\cmd/r'  # just cmd/r would be prone to false positives
            - '"cmd/r'
    selection2: # special cases verified via Virustotal Enterprise search
        CommandLine|contains:
            - '/cwhoami'
            - '/cpowershell'
            - '/cschtasks'
            - '/cbitsadmin'
            - '/ccertutil'
            - '/kwhoami'
            - '/kpowershell'
            - '/kschtasks'
            - '/kbitsadmin'
            - '/kcertutil'
    selection3:  # missing space after the /c
        CommandLine|contains:
            - 'cmd.exe /c'
            - 'cmd /c'
            - 'cmd.exe /k'
            - 'cmd /k'
            - 'cmd.exe /r'
            - 'cmd /r'
    filter_generic:
        CommandLine|contains:
            - 'cmd.exe /c '
            - 'cmd /c '
            - 'cmd.exe /k '
            - 'cmd /k '
            - 'cmd.exe /r '
            - 'cmd /r '
    filter_fp:
        - CommandLine|contains: 'AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules'
        - CommandLine|endswith: 'cmd.exe/c .'
        - CommandLine: 'cmd.exe /c'
    condition: 1 of selection* and not 1 of filter_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
twitter.com
2
Resolving title…
ss64.com
MITRE ATT&CK
Rule Metadata
Rule ID
a16980c2-0c56-4de0-9a79-17971979efdd
Status
test
Level
high
Type
Detection
Created
Tue Aug 23
Modified
Mon Mar 06
Author
Florian Roth (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml
Raw Tags
attack.executionattack.t1059.001
View on GitHub