1 change: 1 addition & 0 deletions .github/workflows/known-FPs.csv
Expand Up @@ -74,3 +74,4 @@ de587dce-915e-4218-aac4-835ca6af6f70;Potential Persistence Attempt Via Run Keys
c7da8edc-49ae-45a2-9e61-9fd860e4e73d;PUA - Sysinternals Tools Execution - Registry;.*
dcff7e85-d01f-4eb5-badd-84e2e6be8294;Windows Default Domain GPO Modification via GPME;Computer: WIN-FPV0DSIC9O6.sigma.fr
416bc4a2-7217-4519-8dc7-c3271817f1d5;Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location;procexp64\.exe
5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d;Cmd Launched with Hidden Start Flags to Suspicious Targets;xampp
Binary file not shown.
@@ -0,0 +1,66 @@
{
"Event": {
"#attributes": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
},
"System": {
"Provider": {
"#attributes": {
"Name": "Microsoft-Windows-Sysmon",
"Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
}
},
"EventID": 1,
"Version": 5,
"Level": 4,
"Task": 1,
"Opcode": 0,
"Keywords": "0x8000000000000000",
"TimeCreated": {
"#attributes": {
"SystemTime": "2025-12-04T07:01:44.982629Z"
}
},
"EventRecordID": 27923,
"Correlation": null,
"Execution": {
"#attributes": {
"ProcessID": 3116,
"ThreadID": 1656
}
},
"Channel": "Microsoft-Windows-Sysmon/Operational",
"Computer": "swachchhanda",
"Security": {
"#attributes": {
"UserID": "S-1-5-18"
}
}
},
"EventData": {
"RuleName": "-",
"UtcTime": "2025-12-04 07:01:44.963",
"ProcessGuid": "0197231E-31D8-6931-7209-000000000900",
"ProcessId": 13752,
"Image": "C:\\Windows\\System32\\cmd.exe",
"FileVersion": "10.0.26100.2454 (WinBuild.160101.0800)",
"Description": "Windows Command Processor",
"Product": "Microsoft® Windows® Operating System",
"Company": "Microsoft Corporation",
"OriginalFileName": "Cmd.Exe",
"CommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"start /b /min C:\\Users\\xodih\\Music\\random.vbs\"",
"CurrentDirectory": "C:\\WINDOWS\\system32\\",
"User": "swachchhanda\\xodih",
"LogonGuid": "0197231E-BBFB-692F-3C8C-050000000000",
"LogonId": "0x58c3c",
"TerminalSessionId": 1,
"IntegrityLevel": "Medium",
"Hashes": "MD5=352B525E9C26CB92693899528FE007C2,SHA256=1F1D918EC49E0B7C59B704FF412E1A6E224DA81C08CDA657E1CB482ABAAC146C,IMPHASH=94F3EFC2DF40ECD7229B904540DD83CF",
"ParentProcessGuid": "0197231E-BBFF-692F-8200-000000000900",
"ParentProcessId": 5200,
"ParentImage": "C:\\Windows\\explorer.exe",
"ParentCommandLine": "C:\\WINDOWS\\Explorer.EXE",
"ParentUser": "swachchhanda\\xodih"
}
}
}
@@ -0,0 +1,12 @@
id: d813db34-f7f0-4713-a419-b491701aa1d1
description: N/A
date: 2025-12-04
author: Swachchhanda Shrawan Poudel (Nextron Systems)
rule_metadata:
- id: 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
title: Cmd Launched with Hidden Start Flags to Suspicious Targets
regression_tests_info:
- name: Positive Detection Test
type: evtx
provider: Microsoft-Windows-Sysmon
path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.evtx
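Review bot: Only a Positive Detection Test is registered here, while the same PR adds an `xampp` entry to known-FPs.csv for this rule id, which suggests the harness already produced a benign match; if the harness supports negative cases (confirm), adding the xampp invocation as one would keep later tuning from silently re-widening the rule. `description: N/A` could also say what the evtx holds so a reader does not need to open the converted JSON, e.g. `description: cmd.exe /c "start /b /min <profile>\Music\random.vbs" spawned by explorer.exe (Sysmon EID 1)`.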
@@ -0,0 +1,78 @@
title: Cmd Launched with Hidden Start Flags to Suspicious Targets
id: 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
status: experimental
description: |
Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags.
To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories.
This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
references:
- https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous
- https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
- https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start
tags:
- attack.defense-evasion
- attack.t1564.003
author: Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
logsource:
category: process_creation
product: windows
detection:
selection_cmd_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cmd_hidden_start_1:
CommandLine|contains|windash:
- 'start '
- 'start/b'
- 'start/min'
selection_cmd_hidden_start_2:
CommandLine|contains|windash:
- '/b '
- '/b"'
- '/min '
- '/min"'
selection_cli_uncommon_location:
CommandLine|contains:
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Default\'
- ':\Windows\Temp\'
- '\AppData\Roaming\'
- '\Contacts\'
- '\Documents\'
- '\Downloads\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\'
- '\Music\'
- '\Photos\'
- '\Temporary Internet\'
- '\Users\Public\'
- '\Videos\'
selection_cli_susp_extension:
CommandLine|contains:
- '.bat'
- '.cmd'
- '.cpl'
- '.hta'
- '.js'
- '.ps1'
- '.scr'
- '.vbe'
- '.vbs'
selection_cli_susp_pattern:
CommandLine|contains:
- ' -nop '
- ' -sta '
- '.downloadfile(' # PowerShell download command
- '.downloadstring(' # PowerShell download command
- '-noni '
- '-w hidden '
condition: all of selection_cmd_* and 1 of selection_cli_*
falsepositives:
- Legitimate administrative scripts running from temporary folders.
- Niche software updaters utilizing hidden batch files in ProgramData.
level: medium # Can be increased after an initial baseline and tuning
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/info.yml
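Review bot: The `windash` modifier on selection_cmd_hidden_start_2 makes `'/b '` and `'/min '` also match `-b ` and `-min `, and `'start '` in selection_cmd_hidden_start_1 is satisfied by any `net start `, `sc start ` or `npm start ` command line, so e.g. `cmd /c npm start -- -b build.js` clears all three selections without the start utility being involved at all. The referenced Microsoft start page lists only slash switches, so if cmd does not honour the dash form (confirm), dropping `windash` from `selection_cmd_hidden_start_2` closes that false-positive path with no loss of coverage. Separately, `'.js'` in selection_cli_susp_extension is a substring match that also hits `.json`/`.jsx` arguments; if that is accepted for now, note it inline, e.g. `# '.js' also matches .json/.jsx - revisit after baseline`.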