@vl43den vl43den commented Nov 20, 2025

Summary of the Pull Request

Adds a new detection rule that identifies usage of cmd.exe with the internal start command using /b (hidden) or /min (minimized) flags.

While start /b is occasionally used by legitimate software, this rule increases fidelity by restricting detection to "risky targets" only. Specifically, it triggers when the hidden command targets scripting interpreters like PowerShell, pwsh, cscript/wscript, script extensions (.vbs, .js), or suspicious directories such as temp folders, public user folders, and ProgramData.

Also a heavy nod to pH-T's rule in rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml !

Examples/inspiration from Fortinet threat research:

From the Chaos Ransomware Research:
The downloader falls back to this command if the API call fails. Note the use of the Temp folder variable.

cmd.exe /c start /b "%TMP%\\svc[XXXX].tmp"

From the DarkSide Ransomware Research:
Uses a double-hidden method (start /min + powershell -w hidden) to launch a Cobalt Strike beacon.

%COMPSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand <Encoded SMB Beacon payload>

From the Emotet Trojan Research:
The VBScript executes this command to launch the dropped DLL payload from ProgramData silently.

cmd /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\puihoud.dll,tjpleowdsyf

Changelog

Cmd Launched with Hidden Start Flags to Suspicious Targets

Example Log Event

{
  "EventID": 4688,
  "Channel": "Security",
  "EventData": {
    "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
    "ParentProcessName": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
    "CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c \"start /b powershell.exe -WindowStyle Hidden -Command Write-Host 'Malware Simulation'\"",
    "OriginalFileName": "Cmd.Exe"
  }
}

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added the labels Rules, Review Needed (The PR requires review) and Windows (Pull request add/update windows related rules) on Nov 20, 2025
vl43den and others added 6 commits December 4, 2025 13:26
Add a rule that detects instances of 'cmd.exe' executing commands with the 'start' utility using hidden or minimized flags, focusing on suspicious targets to reduce false positives.

Copilot AI left a comment

Pull request overview

This PR introduces a new Sigma detection rule to identify malicious use of cmd.exe with the internal start command using hidden execution flags (/b or /min). The rule focuses on high-fidelity detections by restricting triggers to suspicious targets including scripting interpreters and risky directories like temp folders, public user folders, and ProgramData. This technique has been observed in Chaos, DarkSide, and Emotet malware campaigns.

Key Changes:

  • New detection rule for hidden cmd.exe execution patterns targeting suspicious files/locations
  • Regression test data including JSON test case and info.yml metadata
  • Known false positive entry for xampp in the workflow configuration

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated no comments.

Files reviewed (file: description):

  • rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag.yml: Core detection rule defining the logic for identifying hidden cmd.exe execution with suspicious targets
  • regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/info.yml: Regression test metadata linking the test case to the detection rule
  • regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.json: JSON test event demonstrating a positive detection scenario
  • .github/workflows/known-FPs.csv: Known false positive exclusion for xampp to reduce noise

Review comment on this fragment of the rule:

selection_cmd_hidden_start_1:
    CommandLine|contains:
        - 'start '
        - 'start/b'
@X-Junior (Member) commented:

Windows loves red teams. I have tried some patterns with the windash modifier and it works 😫
https://sigmahq.io/docs/basics/modifiers.html#windash
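Added example, not code from the PR or from the SigmaHQ rule: a small Python check that applies the logic the PR description lays out (a hidden or minimized start flag followed by a risky target) to the command lines quoted in the description, to its example 4688 event, and to the dash form the review comment raises, since Windows accepts `-` as well as `/` for these switches (the gap Sigma's windash modifier closes). The RISKY_TARGETS list, the event-matching helper and the sample lines are assumptions modelled on the description, not the rule's exact selections.

```python
import re

# Hidden (/b) or minimized (/min) switch of cmd's internal start command.
# Both '/' and '-' are accepted, mirroring the review's windash point; a
# preceding backslash is rejected so a path component like \start is ignored.
HIDDEN_START = re.compile(r"(?<!\\)\bstart\s*[/-](?:b|min)\b", re.IGNORECASE)

# Risky targets from the PR description (assumed list, compared lowercase):
RISKY_TARGETS = (
    "powershell", "pwsh", "cscript", "wscript",   # scripting interpreters
    ".vbs", ".js",                                # script extensions
    "\\temp\\", "%tmp%", "%temp%",                # temp folders
    "\\users\\public\\", "\\programdata\\",       # public user folder, ProgramData
)

def hidden_start_to_risky_target(command_line: str) -> bool:
    """True if a hidden/minimized start is followed by a risky target."""
    cl = command_line.lower()
    m = HIDDEN_START.search(cl)
    if not m:
        return False
    # Only inspect what follows 'start /b', so a path earlier in the line
    # (the cmd.exe image itself, for instance) cannot trigger on its own.
    return any(t in cl[m.end():] for t in RISKY_TARGETS)

def match_event(event: dict) -> bool:
    """Apply the check to a 4688-style event shaped like the PR's example log."""
    data = event.get("EventData", {})
    is_cmd = (data.get("NewProcessName", "").lower().endswith("\\cmd.exe")
              or data.get("OriginalFileName", "").lower() == "cmd.exe")
    return is_cmd and hidden_start_to_risky_target(data.get("CommandLine", ""))

# Constructed samples: the three lines quoted in the PR description, the PR's
# example event command line, the '-b' variant from the review, two benign lines.
SAMPLES = [
    (r'cmd.exe /c start /b "%TMP%\svc[XXXX].tmp"', True),                          # Chaos
    (r'%COMPSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand <Encoded SMB Beacon payload>', True),
    (r'cmd /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\puihoud.dll,tjpleowdsyf', True),
    (r'"C:\Windows\system32\cmd.exe" /c "start /b powershell.exe -WindowStyle Hidden"', True),
    (r'cmd.exe /c start -b powershell.exe -w hidden', True),                         # windash form
    (r'cmd.exe /c start /b notepad.exe C:\Users\alice\notes.txt', False),            # non-risky target
    (r'cmd.exe /c start "" "C:\Program Files\App\app.exe"', False),                  # no hidden flag
]

def evaluate_samples() -> dict:
    """Map each sample line to whether the check agrees with its expected label."""
    return {cl: hidden_start_to_risky_target(cl) == expected for cl, expected in SAMPLES}
```

Note that, like a Sigma `contains` selection, `.js` also matches `.json` in a target path; tighten the list if that proves noisy in your environment.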

@X-Junior X-Junior added the label Author Input Required (changes that require information from the original author of the rules) and removed Review Needed (The PR requires review) on Dec 19, 2025