ec436aeee41857eee5875efdb7166fe043349db5f58f3ee9fc4ff7f50005767f
Author: Microsoft
Source: Wild
Threat: LOLBin
Summary
The Windows Command Prompt is the built-in Windows command line interpreter.
EchoTrail Prevalence Score (EPS)
95.87
Rank Analysis
Host Prevalence
94.1%
Execution Rank
3rd
Behavioral Analysis
Top Filenames
loading...
Top Paths
C:\Windows\System32
97.78 %
loading...
Top Network Ports
53
38.47 %
loading...
Ancestry Analysis
Top GrandParents
Top Parents
Top Children
loading...
Security Analysis
Intel
Cmd.exe is likely the most abused Windows process in any kind of attack (targeted, opportunistic, IP theft, financial theft, activist focused). It garners this kind of recognition because it is the default Windows command line console and interpreter. It is difficult, or at least extremely uncommon, for an entire attack lifecycle to not depend on cmd.exe anywhere in its execution. Cmd.exe can be seen launching other utilities (e.g. ping, netstat, net, wscript, cscript, whoami) or even as a stepping stone to launching Powershell or WMIC to carry out other parts of the attack. It is nearly impossible to behaviorally profile cmd.exe parent or grandparent processes unless one's IT environment is very uniform with strong restrictions on application installations. Child processes of cmd.exe are also difficult to baseline or predict. Legitimate child processes can be seen making network connections, modifying registry, writing files, and accessing other processes. One quick win for cmd.exe anomalies would be to look for this process running outside Windows system folders (\system32 or \syswow64, and sometimes Windows side-by-side [WinSxS]), which should rarely happen legitimately.