Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | Command and Scripting Interpreter: Windows Command Shell (T1059.003) |
| Severity | Low |
Description
COMSPEC is an environment variable that points to cmd.exe. Attackers may reference this variable instead of naming cmd.exe directly in order to obfuscate their command and avoid detection.
Attacker's Goals
Attackers might use environment variables to obfuscate their commands and try to avoid detection.
Investigative actions
Investigate the actor and the command line that executed with COMSPEC. Verify that the command executed from a trusted source.
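The triage described above can be sketched over process-creation events as follows. This is an added example, not the product's detection logic: the event fields (`host`, `time`, `actor`, `cmdline`), the trusted-directory list and the sample events are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# %COMSPEC% (cmd.exe syntax) or $env:COMSPEC (PowerShell syntax), any case.
COMSPEC_REF = re.compile(r"%comspec%|\$env:comspec\b", re.IGNORECASE)
# Assumption: directories this environment treats as trusted actor locations.
# A path prefix is only a first filter; it does not verify the file's signer.
TRUSTED_ACTOR_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
DEDUP_WINDOW = timedelta(days=1)  # deduplication period from the synopsis


def triage(events):
    """Return COMSPEC findings, at most one per (host, actor) per window."""
    findings, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if not COMSPEC_REF.search(ev["cmdline"]):
            continue  # command line does not reference COMSPEC
        key = (ev["host"], ev["actor"].lower())
        prev = last_seen.get(key)
        if prev is not None and ev["time"] - prev < DEDUP_WINDOW:
            continue  # already reported inside the deduplication window
        last_seen[key] = ev["time"]
        trusted = ev["actor"].lower().startswith(TRUSTED_ACTOR_DIRS)
        findings.append({"host": ev["host"], "actor": ev["actor"],
                         "cmdline": ev["cmdline"], "actor_trusted": trusted})
    return findings


# Constructed sample events (not real telemetry).
T0 = datetime(2024, 1, 10, 9, 0)
TEMP_EXE = r"C:\Users\alice\AppData\Local\Temp\setup.exe"
SAMPLE_EVENTS = [
    {"host": "WS01", "time": T0, "actor": TEMP_EXE,
     "cmdline": "cmd.exe /c %COMSPEC% /c echo test"},
    {"host": "WS01", "time": T0 + timedelta(minutes=30), "actor": TEMP_EXE,
     "cmdline": "cmd.exe /c %ComSpec% /c dir"},
    {"host": "WS02", "time": T0 + timedelta(hours=1),
     "actor": r"C:\Windows\System32\svchost.exe",
     "cmdline": "cmd.exe /c %comspec% /c ver"},
    {"host": "WS02", "time": T0 + timedelta(hours=2),
     "actor": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c dir"},
    {"host": "WS01", "time": T0 + timedelta(days=1, minutes=30),
     "actor": TEMP_EXE, "cmdline": "powershell -c & $env:ComSpec /c ver"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Findings with `actor_trusted` set to false are the ones to look at first, since the actor sits outside the assumed trusted directories.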