
Cmd Launched with Hidden Start Flags to Suspicious Targets (5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d)

Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags. To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories. This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
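The detection described above, written out as an added example so the two-part logic (hidden-window start flag AND a script or temp/public-directory target) can be run over sample process-creation events. This is illustrative code, not the Sigma rule's own source: the page names only "known script extension" and "suspicious temporary/public directories", so the concrete extension list, directory list, event field names (`Image`, `CommandLine`) and sample events are assumptions constructed for this example.

```python
"""Illustrative detection for cmd.exe 'start /b' or 'start /min' launches whose
target is a script or sits in a temp/public directory (not the rule's own source)."""
import re
from typing import Dict, List

# Assumption: concrete extension and directory lists are constructed for this
# example; the page does not enumerate the rule's exact values.
SCRIPT_EXT_RE = re.compile(
    r"\.(?:bat|cmd|vbs|vbe|js|jse|ps1|hta|wsf)(?=[\s\"']|$)", re.IGNORECASE
)
SUSPICIOUS_DIRS = (
    "\\windows\\temp\\",
    "\\users\\public\\",
    "\\appdata\\local\\temp\\",
    "\\programdata\\",
)
HIDDEN_FLAGS = {"/b", "/min"}


def _tokens(cmdline: str) -> List[str]:
    """Split on whitespace but keep double-quoted runs (titles, paths) as one token."""
    return [t.lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def has_hidden_start(cmdline: str) -> bool:
    """True if the command line calls 'start' with /b or /min.

    In cmd.exe the optional window title ("...") and the switches come before
    the target, so scanning stops at the first token that is neither; a /min
    appearing after the target belongs to the target program, not to start.
    """
    tokens = _tokens(cmdline)
    for i, tok in enumerate(tokens):
        if tok != "start":
            continue
        for nxt in tokens[i + 1:]:
            if nxt in HIDDEN_FLAGS:
                return True
            if not (nxt.startswith("/") or nxt.startswith('"')):
                break  # reached the target without a hidden-window flag
    return False


def has_suspicious_target(cmdline: str) -> bool:
    """True if the command line references a script extension or a temp/public path."""
    lowered = cmdline.lower()
    return bool(SCRIPT_EXT_RE.search(lowered)) or any(d in lowered for d in SUSPICIOUS_DIRS)


def matches(event: Dict[str, object]) -> bool:
    """Apply all three conditions: cmd.exe image, hidden start flag, suspicious target."""
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", ""))
    return image.endswith("\\cmd.exe") and has_hidden_start(cmdline) and has_suspicious_target(cmdline)


def scan(events: List[Dict[str, object]]) -> List[int]:
    """Return the ids of the events that trigger the detection."""
    return [int(e["id"]) for e in events if matches(e)]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c start /b C:\Users\Public\update.vbs"},            # hit: /b + .vbs in Public
    {"id": 2, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c start "" /min powershell.exe -File C:\Users\bob\AppData\Local\Temp\x.ps1'},  # hit
    {"id": 3, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c start /b "C:\Program Files\Vendor\agent.exe" --service'},  # benign background task
    {"id": 4, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c start "" C:\Users\Public\report.bat'},             # no hidden flag
    {"id": 5, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "start /b C:\Users\Public\x.js"'},         # not cmd.exe
]

if __name__ == "__main__":
    print("matched event ids:", scan(SAMPLE_EVENTS))  # [1, 2]
```

Event 3 shows why the target restriction matters: a vendor agent started with `/b` from Program Files is exactly the background-task false positive the rule's description says it avoids, while events 4 and 5 show that either condition alone is not enough.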

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Cmd Launched with Hidden Start Flags to Suspicious Targets (5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d) | Sigma-Rules | Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | 1 |
| Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | 2 |