Merge PR #5767 from @vl43den - Add Cmd Launched with Hidden Start Flags to Suspicious Targets

new: Cmd Launched with Hidden Start Flags to Suspicious Targets

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>

Author: 3 people

.github/workflows/known-FPs.csv

@@ -74,3 +74,4 @@ de587dce-915e-4218-aac4-835ca6af6f70;Potential Persistence Attempt Via Run Keys
 c7da8edc-49ae-45a2-9e61-9fd860e4e73d;PUA - Sysinternals Tools Execution - Registry;.*
 dcff7e85-d01f-4eb5-badd-84e2e6be8294;Windows Default Domain GPO Modification via GPME;Computer: WIN-FPV0DSIC9O6.sigma.fr
 416bc4a2-7217-4519-8dc7-c3271817f1d5;Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location;procexp64\.exe 
+5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d;Cmd Launched with Hidden Start Flags to Suspicious Targets;xampp

regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.evtx

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-04T07:01:44.982629Z"
+        }
+      },
+      "EventRecordID": 27923,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3116,
+          "ThreadID": 1656
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-04 07:01:44.963",
+      "ProcessGuid": "0197231E-31D8-6931-7209-000000000900",
+      "ProcessId": 13752,
+      "Image": "C:\\Windows\\System32\\cmd.exe",
+      "FileVersion": "10.0.26100.2454 (WinBuild.160101.0800)",
+      "Description": "Windows Command Processor",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "Cmd.Exe",
+      "CommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"start /b /min C:\\Users\\xodih\\Music\\random.vbs\"",
+      "CurrentDirectory": "C:\\WINDOWS\\system32\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-BBFB-692F-3C8C-050000000000",
+      "LogonId": "0x58c3c",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=352B525E9C26CB92693899528FE007C2,SHA256=1F1D918EC49E0B7C59B704FF412E1A6E224DA81C08CDA657E1CB482ABAAC146C,IMPHASH=94F3EFC2DF40ECD7229B904540DD83CF",
+      "ParentProcessGuid": "0197231E-BBFF-692F-8200-000000000900",
+      "ParentProcessId": 5200,
+      "ParentImage": "C:\\Windows\\explorer.exe",
+      "ParentCommandLine": "C:\\WINDOWS\\Explorer.EXE",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.json

@@ -0,0 +1,12 @@
+id: d813db34-f7f0-4713-a419-b491701aa1d1
+description: N/A
+date: 2025-12-04
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
+      title: Cmd Launched with Hidden Start Flags to Suspicious Targets
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.evtx

regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/info.yml

@@ -0,0 +1,78 @@
+title: Cmd Launched with Hidden Start Flags to Suspicious Targets
+id: 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
+status: experimental
+description: |
+    Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags.
+    To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories.
+    This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
+references:
+    - https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous
+    - https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
+    - https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one
+    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start
+tags:
+    - attack.defense-evasion
+    - attack.t1564.003
+author: Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-01-24
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cmd_img:
+        - Image|endswith: '\cmd.exe'
+        - OriginalFileName: 'Cmd.Exe'
+    selection_cmd_hidden_start_1:
+        CommandLine|contains|windash:
+            - 'start '
+            - 'start/b'
+            - 'start/min'
+    selection_cmd_hidden_start_2:
+        CommandLine|contains|windash:
+            - '/b '
+            - '/b"'
+            - '/min '
+            - '/min"'
+    selection_cli_uncommon_location:
+        CommandLine|contains:
+            - ':\Perflogs\'
+            - ':\Temp\'
+            - ':\Users\Default\'
+            - ':\Windows\Temp\'
+            - '\AppData\Roaming\'
+            - '\Contacts\'
+            - '\Documents\'
+            - '\Downloads\'
+            - '\Favorites\'
+            - '\Favourites\'
+            - '\inetpub\'
+            - '\Music\'
+            - '\Photos\'
+            - '\Temporary Internet\'
+            - '\Users\Public\'
+            - '\Videos\'
+    selection_cli_susp_extension:
+        CommandLine|contains:
+            - '.bat'
+            - '.cmd'
+            - '.cpl'
+            - '.hta'
+            - '.js'
+            - '.ps1'
+            - '.scr'
+            - '.vbe'
+            - '.vbs'
+    selection_cli_susp_pattern:
+        CommandLine|contains:
+            - ' -nop '
+            - ' -sta '
+            - '.downloadfile(' # PowerShell download command
+            - '.downloadstring(' # PowerShell download command
+            - '-noni '
+            - '-w hidden '
+    condition: all of selection_cmd_* and 1 of selection_cli_*
+falsepositives:
+    - Legitimate administrative scripts running from temporary folders.
+    - Niche software updaters utilizing hidden batch files in ProgramData.
+level: medium # Can be increased after an initial baseline and tuning
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/info.yml