EDITOR’S NOTE: We initially published this article before MITRE significantly updated ATT&CK data sources and components. As a result, we use the term “process command line” in this article to refer to the data source component that MITRE would later categorize as “command execution.”
Command line refers to the arguments that are passed to an executable process in Windows. It is useful information for defenders because it can reveal contextual clues about the execution of a suspicious process. For example, adversaries regularly supply malicious PowerShell code as command-line arguments via the -EncodedCommand parameter. For executables that support arguments, command-line context is incredibly valuable to defenders looking to identify malicious behavior and/or aid incident response.
Any user-mode process, even if it isn’t a dedicated console application (for example, a GUI application), can have associated command-line arguments. And while applications that implement command-line parameters generally document them, this is not always the case: many applications have undocumented command-line parameters.
Why focus on process command line?
Defenders and vendors rely on process command line to discern benign from suspicious or malicious activity because it is among the most ubiquitous data sources on an endpoint. Process command line can tell us how an application was intended to be used and in some cases can supply us directly with adversary payloads. For example, adversaries often supply malicious encoded PowerShell commands directly at the command line using any of the -EncodedCommand parameter variations. The way in which PowerShell eases post-exploitation abuse for adversaries also creates a unique and straightforward means of detecting malicious behavior based on process command line alone.
But this begs the question: what does legitimate PowerShell command-line activity look like? That in turn begs the follow-on question an adversary may pose: to what extent can I blend in with seemingly legitimate PowerShell command-line activity? So while you can be generally confident that known malicious evidence in the command line is malicious, you can’t always trust that a non-malicious-looking command line is not malicious activity in hiding.
What data sources are available to retrieve process command line?
The following data sources are either built into the operating system or are freely available to collect process command line. Note: This is a non-exhaustive list of data sources.
Windows Management Instrumentation (WMI)