This is already built into the "sym_win_basic_sbp" policy that is created on install.
CMD and a whole load of other basic MS processes are built into the policy's Global Prevent list. Alternatively, you could just create an Application Rule for CMD and route it straight to the Deny sandbox.