Cmd.exe is likely the most abused Windows process in any kind of attack (targeted, opportunistic, IP theft, financial theft, activist focused). It garners this kind of recognition because it is the default Windows command line console and interpreter. It is difficult, or at least extremely uncommon, for an entire attack lifecycle to not depend on cmd.exe anywhere in its execution. Cmd.exe can be seen launching other utilities (e.g. ping, netstat, net, wscript, cscript, whoami) or even as a stepping stone to launching Powershell or WMIC to carry out other parts of the attack. It is nearly impossible to behaviorally profile cmd.exe parent or grandparent processes unless one's IT environment is very uniform with strong restrictions on application installations. Child processes of cmd.exe are also difficult to baseline or predict. Legitimate child processes can be seen making network connections, modifying registry, writing files, and accessing other processes. One quick win for cmd.exe anomalies would be to look for this process running outside Windows system folders (\system32 or \syswow64, and sometimes Windows side-by-side [WinSxS]), which should rarely happen legitimately.