Sublime rule (severity: low)
Attachment: cmd file extension
Detects messages containing CMD (Command Prompt) batch files, either as direct attachments or within compressed archives. CMD files can execute arbitrary system commands and are commonly used to deliver malware or perform unauthorized system modifications.
Detection Query
type.inbound
and length(attachments) > 0
and any(attachments,
        .file_extension =~ "cmd"
        or (
          .file_extension in~ $file_extensions_common_archives
          and any(file.explode(.), .file_extension =~ "cmd")
        )
)
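To make the query's logic concrete, here is an added Python rendering of the same three conditions (inbound, at least one attachment, and some attachment that is a .cmd file or an archive containing one) run over a handful of constructed messages. This is illustrative code written for this page, not Sublime's engine or its MQL evaluator: the `$file_extensions_common_archives` list is replaced by an assumed set, only zip archives are actually opened, and the recursion into nested zips (with a depth cap and a per-member size cap so a hostile archive cannot exhaust the evaluator) is an assumption about how `file.explode` ought to behave, not a statement of how it does.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Assumed stand-in for Sublime's $file_extensions_common_archives list. Only
# zip is exploded below; the other extensions are matched by name only.
COMMON_ARCHIVE_EXTENSIONS = {"zip", "7z", "rar", "gz", "tar", "bz2"}


@dataclass
class Attachment:
    file_name: str
    content: bytes = b""

    @property
    def file_extension(self) -> str:
        # Sublime exposes .file_extension as a field; derived from the name here.
        return self.file_name.rsplit(".", 1)[-1] if "." in self.file_name else ""


@dataclass
class Message:
    inbound: bool
    attachments: list = field(default_factory=list)


def explode(att: Attachment, depth: int = 0, max_depth: int = 3,
            max_member_bytes: int = 10 * 1024 * 1024) -> list:
    """Stand-in for file.explode(): list the files inside a zip, recursing into
    nested zips up to max_depth. Oversized members are skipped rather than read,
    and non-zip or corrupt content yields nothing."""
    if depth >= max_depth or att.file_extension.lower() != "zip":
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(att.content)) as zf:
            members = []
            for info in zf.infolist():
                if info.is_dir() or info.file_size > max_member_bytes:
                    continue
                members.append(Attachment(info.filename, zf.read(info)))
    except zipfile.BadZipFile:
        return []
    out = []
    for member in members:
        out.append(member)
        out.extend(explode(member, depth + 1, max_depth, max_member_bytes))
    return out


def matches_cmd_attachment_rule(msg: Message) -> bool:
    """Python rendering of the MQL above. =~ and in~ are case-insensitive,
    so extensions are lower-cased before comparison."""
    if not msg.inbound or len(msg.attachments) == 0:
        return False
    for att in msg.attachments:
        ext = att.file_extension.lower()
        if ext == "cmd":
            return True
        if ext in COMMON_ARCHIVE_EXTENSIONS and any(
            inner.file_extension.lower() == "cmd" for inner in explode(att)
        ):
            return True
    return False


def build_zip(files: dict) -> bytes:
    """Build an in-memory zip for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample messages (not real mail): a direct .CMD, a zip holding a
# .cmd, a zip nested in a zip, a benign zip, an outbound message, no attachments.
SAMPLES = {
    "direct_cmd": Message(True, [Attachment("invoice.CMD", b"@echo off")]),
    "zipped_cmd": Message(True, [Attachment("docs.zip", build_zip({"run.cmd": b"@echo off"}))]),
    "nested_zip": Message(True, [Attachment("outer.zip", build_zip({"inner.zip": build_zip({"x.cmd": b""})}))]),
    "benign_zip": Message(True, [Attachment("docs.zip", build_zip({"readme.txt": b"hi"}))]),
    "outbound": Message(False, [Attachment("invoice.cmd", b"@echo off")]),
    "no_attachments": Message(True, []),
}


def evaluate_samples() -> dict:
    """Return the verdict for each constructed sample."""
    return {name: matches_cmd_attachment_rule(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:15s} -> {'MATCH' if verdict else 'no match'}")
```

The two false negatives worth knowing about are visible in this rendering: an archive format the explode step cannot open yields no inner files, and an archive nested deeper than the depth cap is not inspected. Both are deliberate trade-offs against resource exhaustion, and a rule like this one is a coarse attack-surface-reduction control rather than a complete malware detector.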
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Attachment: cmd file extension"
description: "Detects messages containing CMD (Command Prompt) batch files, either as direct attachments or within compressed archives. CMD files can execute arbitrary system commands and are commonly used to deliver malware or perform unauthorized system modifications."
type: "rule"
severity: "low"
source: |
  type.inbound
  and length(attachments) > 0
  and any(attachments,
          .file_extension =~ "cmd"
          or (
            .file_extension in~ $file_extensions_common_archives
            and any(file.explode(.), .file_extension =~ "cmd")
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "a902b8ed-b8ef-5232-b6bd-0fe915e6a161"