Cmd Launched with Hidden Start Flags to Suspicious Targets

Original Source: [Sigma source]
Title: Cmd Launched with Hidden Start Flags to Suspicious Targets
Status: experimental
Description: Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags. To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories. This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
References:
  - https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous
  - https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
  - https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one
  - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start
Author: Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2026-01-24
Modified: None
Tags:
  - 'attack.defense-evasion'
  - 'attack.t1564.003'
Logsource:
  category: process_creation
  product: windows
Detection:
  selection_cmd_img:
    Image|endswith: '\cmd.exe'
    OriginalFileName: 'Cmd.Exe'

  selection_cmd_hidden_start_1:
    CommandLine|contains|windash:
      - 'start '
      - 'start/b'
      - 'start/min'

  selection_cmd_hidden_start_2:
    CommandLine|contains|windash:
      - '/b '
      - '/b"'
      - '/min '
      - '/min"'

  selection_cli_uncommon_location:
    CommandLine|contains:
      - ':\Perflogs\'
      - ':\Temp\'
      - ':\Users\Default\'
      - ':\Windows\Temp\'
      - '\AppData\Roaming\'
      - '\Contacts\'
      - '\Documents\'
      - '\Downloads\'
      - '\Favorites\'
      - '\Favourites\'
      - '\inetpub\'
      - '\Music\'
      - '\Photos\'
      - '\Temporary Internet\'
      - '\Users\Public\'
      - '\Videos\'

  selection_cli_susp_extension:
    CommandLine|contains:
      - '.bat'
      - '.cmd'
      - '.cpl'
      - '.hta'
      - '.js'
      - '.ps1'
      - '.scr'
      - '.vbe'
      - '.vbs'

  selection_cli_susp_pattern:
    CommandLine|contains:
      - ' -nop '
      - ' -sta '
      - '.downloadfile('
      - '.downloadstring('
      - '-noni '
      - '-w hidden '

  condition: all of selection_cmd_* and 1 of selection_cli_*
Falsepositives:
  - Legitimate administrative scripts running from temporary folders.
  - Niche software updaters utilizing hidden batch files in ProgramData.
Level: medium
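To see how the condition `all of selection_cmd_* and 1 of selection_cli_*` behaves, and why the `selection_cli_*` restriction suppresses the benign "start /min" case, the following Python re-implements the rule's matching logic over a handful of constructed process-creation events. This is an added example, not part of the Sigma rule or of the authors' tooling: it assumes events are plain dicts with `Image`, `OriginalFileName` and `CommandLine` keys, applies Sigma's case-insensitive string matching, and simplifies the `windash` modifier to the `-`/`/` permutations only.

```python
"""Added example: evaluate the hidden-start rule over constructed events."""
import itertools

# Values copied from the rule's selections above.
HIDDEN_START_1 = ["start ", "start/b", "start/min"]
HIDDEN_START_2 = ["/b ", '/b"', "/min ", '/min"']
UNCOMMON_LOCATION = [
    ":\\Perflogs\\", ":\\Temp\\", ":\\Users\\Default\\", ":\\Windows\\Temp\\",
    "\\AppData\\Roaming\\", "\\Contacts\\", "\\Documents\\", "\\Downloads\\",
    "\\Favorites\\", "\\Favourites\\", "\\inetpub\\", "\\Music\\", "\\Photos\\",
    "\\Temporary Internet\\", "\\Users\\Public\\", "\\Videos\\",
]
SUSP_EXTENSION = [".bat", ".cmd", ".cpl", ".hta", ".js", ".ps1", ".scr", ".vbe", ".vbs"]
SUSP_PATTERN = [" -nop ", " -sta ", ".downloadfile(", ".downloadstring(", "-noni ", "-w hidden "]


def windash_variants(value):
    """Expand a value like Sigma's |windash modifier (simplified assumption:
    every '-' or '/' in the value may be written as either character)."""
    positions = [i for i, ch in enumerate(value) if ch in "-/"]
    variants = set()
    for combo in itertools.product("-/", repeat=len(positions)):
        chars = list(value)
        for pos, ch in zip(positions, combo):
            chars[pos] = ch
        variants.add("".join(chars))
    return variants


def contains_any(haystack, needles, windash=False):
    """Sigma |contains over a value list: case-insensitive, OR across the list."""
    hay = haystack.lower()
    for needle in needles:
        candidates = windash_variants(needle) if windash else {needle}
        if any(c.lower() in hay for c in candidates):
            return True
    return False


def evaluate(event):
    """Return each selection's verdict plus the overall rule condition."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")
    sel = {
        # Two fields inside one selection map are AND-ed in Sigma.
        "selection_cmd_img": image.endswith("\\cmd.exe") and original == "cmd.exe",
        "selection_cmd_hidden_start_1": contains_any(cmdline, HIDDEN_START_1, windash=True),
        "selection_cmd_hidden_start_2": contains_any(cmdline, HIDDEN_START_2, windash=True),
        "selection_cli_uncommon_location": contains_any(cmdline, UNCOMMON_LOCATION),
        "selection_cli_susp_extension": contains_any(cmdline, SUSP_EXTENSION),
        "selection_cli_susp_pattern": contains_any(cmdline, SUSP_PATTERN),
    }
    # condition: all of selection_cmd_* and 1 of selection_cli_*
    all_cmd = all(v for k, v in sel.items() if k.startswith("selection_cmd_"))
    any_cli = any(v for k, v in sel.items() if k.startswith("selection_cli_"))
    sel["match"] = all_cmd and any_cli
    return sel


def matches_rule(event):
    return evaluate(event)["match"]


# Constructed sample events (not real telemetry); the comments give the expected verdict.
SAMPLE_EVENTS = [
    {   # hidden start of a script in a public folder: match
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": 'cmd.exe /c start /b "" "C:\\Users\\Public\\update.vbs"',
    },
    {   # minimized start of a vendor binary in Program Files: no selection_cli_* hit, no match
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": 'cmd.exe /c start /min "" "C:\\Program Files\\Vendor\\tool.exe"',
    },
    {   # dash-style flag, covered only because of |windash: match
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c start -b C:\\Windows\\Temp\\run.bat",
    },
    {   # same arguments but the image is not cmd.exe: no match
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -c start /b C:\\Users\\Public\\update.vbs",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev)["match"], ev["CommandLine"])
```

Running the script prints one verdict per sample; the second event shows the intended effect of the `selection_cli_*` group, since it satisfies both `selection_cmd_*` selections but targets neither a listed directory nor a listed extension. When tuning the rule for an environment, `evaluate` also reports which individual selection fired, which is useful for deciding whether an exclusion belongs in the location, extension or pattern list.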