Sigma rules for Chaos
1 rules · scoped to tool · back to Chaos
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Cmd Launched with Hidden Start Flags to Suspicious Targets
id: 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
status: experimental
description: |
Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags.
To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories.
This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
references:
- https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous
- https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
- https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start
tags:
- attack.stealth
- attack.t1564.003
author: Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
logsource:
category: process_creation
product: windows
detection:
selection_cmd_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cmd_hidden_start_1:
CommandLine|contains|windash:
- 'start '
- 'start/b'
- 'start/min'
selection_cmd_hidden_start_2:
CommandLine|contains|windash:
- '/b '
- '/b"'
- '/min '
- '/min"'
selection_cli_uncommon_location:
CommandLine|contains:
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Default\'
- ':\Windows\Temp\'
- '\AppData\Roaming\'
- '\Contacts\'
- '\Documents\'
- '\Downloads\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\'
- '\Music\'
- '\Photos\'
- '\Temporary Internet\'
- '\Users\Public\'
- '\Videos\'
selection_cli_susp_extension:
CommandLine|contains:
- '.bat'
- '.cmd'
- '.cpl'
- '.hta'
- '.js'
- '.ps1'
- '.scr'
- '.vbe'
- '.vbs'
selection_cli_susp_pattern:
CommandLine|contains:
- ' -nop '
- ' -sta '
- '.downloadfile(' # PowerShell download command
- '.downloadstring(' # PowerShell download command
- '-noni '
- '-w hidden '
condition: all of selection_cmd_* and 1 of selection_cli_*
falsepositives:
- Legitimate administrative scripts running from temporary folders.
- Niche software updaters utilizing hidden batch files in ProgramData.
level: medium # Can be increased after an initial baseline and tuning
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/info.yml