Rule Info
Name
Cmd Launched with Hidden Start Flags to Suspicious Targets
Author
Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects cmd.exe executing commands through its built-in "start" command with the "/b" (no new window) or "/min" (minimized) flags.
To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories.
This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
Date
2026-01-24 00:00:00
Modified
None
Id
5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
Tags
attack.defense-evasion attack.t1564.003
Type
Community Rule
Link to Public Repo
Rule History
Author
Vladan Sekulic
Title
Merge PR #5767 from @vl43den - Add `Cmd Launched with Hidden Start Flags to Suspicious Targets`
Date
2026-01-26
Commit

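As an added illustration (not the rule's own detection logic or any Nextron code), the following Python approximates the three conditions the Description states, run over constructed process-creation events; the script-extension and directory lists are assumptions standing in for the rule's actual values.

```python
import ntpath
import shlex

# Assumed approximations of the rule's target lists (not the rule's own values).
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".hta")
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\users\\public\\", "\\windows\\temp\\")
HIDDEN_FLAGS = ("/b", "/min")


def parse_start(command_line):
    """Return (flags, target_tokens) for the first bare `start` token, else None."""
    try:  # posix=False keeps Windows backslashes and treats "quoted strings" as one token
        tokens = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        tokens = command_line.split()
    lowered = [t.strip('"').lower() for t in tokens]
    if "start" not in lowered:
        return None
    i = lowered.index("start") + 1
    if i < len(tokens) and tokens[i].startswith('"'):  # cmd treats a quoted first arg as the window title
        i += 1
    flags = []
    while i < len(tokens) and tokens[i].startswith("/"):
        flags.append(tokens[i].lower())
        i += 1
    return flags, tokens[i:]


def matches_rule(event):
    """True when a process-creation event meets the Description's three conditions."""
    if ntpath.basename(event.get("Image", "")).lower() != "cmd.exe":
        return False
    parsed = parse_start(event.get("CommandLine", ""))
    if parsed is None:
        return False
    flags, target = parsed
    if not any(f in HIDDEN_FLAGS for f in flags):
        return False  # start without /b or /min is out of scope
    joined = " ".join(target).lower()
    script_target = any(t.strip('"').lower().endswith(SCRIPT_EXTENSIONS) for t in target)
    in_suspicious_dir = any(d in joined for d in SUSPICIOUS_DIRS)
    return script_target or in_suspicious_dir


# Constructed Sysmon-style events for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c start /b C:\Users\Public\update.bat"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c start "" /min wscript.exe C:\Users\bob\AppData\Local\Temp\inv.vbs'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c start /b "C:\Program Files\Backup\agent.exe" --sync'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c start notepad.exe C:\Users\Public\notes.txt"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "cmd /c start /b C:\Temp\run.ps1"'},
]
```

The third and fourth events show the false-positive reduction the Description mentions: a hidden start of a non-script binary outside temp/public paths, and a visible start, both stay below the threshold.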