sigmamediumHunting

Powershell Execute Batch Script

Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system

MITRE ATT&CK

T1059.003

execution

Detection Query

selection_start:
  ScriptBlockText|contains: Start-Process
selection_batch:
  ScriptBlockText|contains:
    - .cmd
    - .bat
condition: all of selection_*

Author

frack113

Created

2022-01-02

Data Sources

windowsps_script

Platforms

windows

References

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script

Tags

attack.executionattack.t1059.003

Raw Content

title: Powershell Execute Batch Script
id: b5522a23-82da-44e5-9c8b-e10ed8955f88
status: test
description: |
    Adversaries may abuse the Windows command shell for execution.
    The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.
    The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.
    Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.
    Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script
author: frack113
date: 2022-01-02
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_start:
        ScriptBlockText|contains: Start-Process
    selection_batch:
        ScriptBlockText|contains:
            - '.cmd'
            - '.bat'
    condition: all of selection_*
falsepositives:
    - Legitimate administration script
level: medium