
CMD.exe Inline APT Reconnaissance — Basic Detection

Detects cmd.exe executing common APT reconnaissance commands inline via the /C flag, including whoami, hostname, net user, net group, systeminfo, ipconfig /all, and nltest. A beginner-friendly detection rule aligned with APT3 T1059.003 tradecraft and suitable as a baseline for new analysts building their first Falcon detection queries.

Tags: EDR, apt, cmd-exe, whoami, reconnaissance, t1059, T1059.003, T1082, T1033
FDR | Beginner | by darkreitor | 1 min read

Query

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)cmd\.exe/
| CommandLine=/(?i)\/[cC]\s+(whoami|hostname|net\s+(user|group|localgroup)|systeminfo|ipconfig\s*\/all|nltest|quser)/
| select([ComputerName, UserName, CommandLine, ParentBaseFileName, @timestamp])
| sort(@timestamp, order=desc, limit=100)

Explanation

| Pipe | Description |
|---|---|
| `#repo="base_sensor" #event_simpleName=ProcessRollup2` | Filter to process execution events from the Falcon FDR endpoint sensor |
| `FileName=/(?i)cmd\.exe/` | Scope exclusively to cmd.exe — the Windows command interpreter documented in APT3 operational playbooks |
| `CommandLine=/(?i)\/[cC]\s+(whoami\...)/` | Match /C or /c followed by known recon commands — the /C flag signals inline one-shot execution typical of APT operators issuing single commands interactively |
| `select([...])` | Return key forensic fields only: hostname, user, full command line, parent process, and timestamp for fast analyst review without noise |
| `sort(@timestamp, order=desc, limit=100)` | Display the 100 most recent matches ordered by time for real-time SOC triage workflows |

Adjustable Variables

Extend the CommandLine regex with additional recon commands such as arp, netstat, or nslookup to match broader APT reconnaissance tradecraft. Add a NOT filter on ParentBaseFileName to exclude known IT automation tools that legitimately call these commands. Raise the limit above 100 for retrospective threat hunting over longer time windows.
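As an added example, not part of the original rule page, the same pipeline stages rewritten in Python and run over constructed ProcessRollup2-style events, including the ParentBaseFileName exclusion described above; the `sccm_agent.exe` parent name in the allowlist is a placeholder, not a real product binary.

```python
import re

# Same command-line pattern as the Falcon query, expressed as a Python regex.
RECON_CMDLINE = re.compile(
    r"/[cC]\s+(whoami|hostname|net\s+(user|group|localgroup)|systeminfo|ipconfig\s*/all|nltest|quser)",
    re.IGNORECASE,
)
CMD_EXE = re.compile(r"cmd\.exe", re.IGNORECASE)

# Hypothetical allowlist for the "NOT filter on ParentBaseFileName" tuning step (placeholder name).
TRUSTED_PARENTS = {"sccm_agent.exe"}


def is_recon_event(event: dict, trusted_parents=TRUSTED_PARENTS) -> bool:
    """Apply the #event_simpleName, FileName, parent-exclusion and CommandLine stages to one event."""
    if event.get("event_simpleName") != "ProcessRollup2":
        return False
    if not CMD_EXE.search(event.get("FileName", "")):
        return False
    if event.get("ParentBaseFileName", "").lower() in trusted_parents:
        return False  # known IT automation parent, suppressed
    return RECON_CMDLINE.search(event.get("CommandLine", "")) is not None


def triage(events, limit=100, trusted_parents=TRUSTED_PARENTS):
    """Keep matching events, newest first, trimmed to `limit` rows (the select/sort/limit stages)."""
    hits = [e for e in events if is_recon_event(e, trusted_parents)]
    hits.sort(key=lambda e: e["@timestamp"], reverse=True)
    fields = ("ComputerName", "UserName", "CommandLine", "ParentBaseFileName", "@timestamp")
    return [{k: e.get(k) for k in fields} for e in hits[:limit]]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS01", "UserName": "alice", "FileName": "cmd.exe",
     "CommandLine": "cmd.exe /c whoami /all", "ParentBaseFileName": "powershell.exe", "@timestamp": 1700000001},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS01", "UserName": "alice", "FileName": "cmd.exe",
     "CommandLine": "cmd.exe /C net  user", "ParentBaseFileName": "explorer.exe", "@timestamp": 1700000002},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS02", "UserName": "svc", "FileName": "cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig /all", "ParentBaseFileName": "sccm_agent.exe", "@timestamp": 1700000003},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS03", "UserName": "bob", "FileName": "cmd.exe",
     "CommandLine": "cmd.exe /k dir", "ParentBaseFileName": "explorer.exe", "@timestamp": 1700000004},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS03", "UserName": "bob", "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -c whoami", "ParentBaseFileName": "explorer.exe", "@timestamp": 1700000005},
]
```

Only the first two sample events survive all stages: the third is suppressed by the parent allowlist, the fourth uses /K rather than /C, and the fifth is not cmd.exe.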