Potential CommandLine Path Traversal Via Cmd.EXE
Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
Sigma rule

```yaml
title: Potential CommandLine Path Traversal Via Cmd.EXE
id: 087790e3-3287-436c-bccf-cbd0184a7db1
status: test
description: Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
references:
    - https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/
    - https://twitter.com/Oddvarmoe/status/1270633613449723905
author: xknow @xknow_infosec, Tim Shelton
date: 2020-06-11
modified: 2023-03-06
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - ParentImage|endswith: '\cmd.exe'
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'cmd.exe'
    selection_flags:
        - ParentCommandLine|contains:
              - '/c'
              - '/k'
              - '/r'
        - CommandLine|contains:
              - '/c'
              - '/k'
              - '/r'
    selection_path_traversal:
        - ParentCommandLine: '/../../'
        - CommandLine|contains: '/../../'
    filter_java:
        CommandLine|contains: '\Tasktop\keycloak\bin\/../../jre\bin\java'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Java tools are known to produce false-positive when loading libraries
level: high
```
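To show how the detection above actually evaluates, here is an added Python evaluator (not SigmaHQ's code and not a real Sigma backend) that applies the rule's three selections, its Java filter and its condition to constructed process_creation events. It implements the Sigma matching semantics the condition relies on: values listed under one field are OR-ed, list items within a selection are OR-ed, keys inside one map are AND-ed, `contains`/`endswith` are case-insensitive substring and suffix tests, and a field with no modifier is an exact case-insensitive match (with `*`/`?` wildcards). The last sample event illustrates the consequence of the bare `ParentCommandLine: '/../../'` term in selection_path_traversal: a parent command line that merely contains the traversal token does not satisfy it, only an exact value would, so in practice the rule fires on the child's CommandLine term. All event values below are constructed.

```python
import fnmatch

# The rule's detection section, transcribed from the page into Python structures.
RULE = {
    "selection_img": [
        {"ParentImage|endswith": "\\cmd.exe"},
        {"Image|endswith": "\\cmd.exe"},
        {"OriginalFileName": "cmd.exe"},
    ],
    "selection_flags": [
        {"ParentCommandLine|contains": ["/c", "/k", "/r"]},
        {"CommandLine|contains": ["/c", "/k", "/r"]},
    ],
    "selection_path_traversal": [
        {"ParentCommandLine": "/../../"},          # no modifier: exact match
        {"CommandLine|contains": "/../../"},
    ],
    "filter_java": {
        "CommandLine|contains": "\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java",
    },
}


def match_term(event, key, values):
    """Evaluate one 'field|modifier: value(s)' term; listed values are OR-ed."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for v in values if isinstance(values, list) else [values]:
        v = v.lower()
        if modifier == "contains":
            hit = v in actual
        elif modifier == "endswith":
            hit = actual.endswith(v)
        elif modifier == "startswith":
            hit = actual.startswith(v)
        elif modifier == "":
            hit = fnmatch.fnmatchcase(actual, v)  # exact match, * and ? allowed
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
        if hit:
            return True
    return False


def match_selection(event, selection):
    """A list of maps is OR-ed; the keys inside one map are AND-ed."""
    if isinstance(selection, list):
        return any(match_selection(event, item) for item in selection)
    return all(match_term(event, k, v) for k, v in selection.items())


def rule_matches(event):
    """condition: all of selection_* and not 1 of filter_*"""
    selections = [v for k, v in RULE.items() if k.startswith("selection_")]
    filters = [v for k, v in RULE.items() if k.startswith("filter_")]
    return all(match_selection(event, s) for s in selections) and not any(
        match_selection(event, f) for f in filters
    )


# Constructed sample events (not real telemetry).
EVENTS = {
    # Child cmd.exe whose own command line carries the traversal token: alert.
    "traversal": {
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "ParentCommandLine": "C:\\Windows\\explorer.exe",
        "CommandLine": "cmd.exe /c C:\\Temp\\tool.exe/../../Windows\\System32\\notepad.exe",
    },
    # Ordinary cmd.exe /c usage: no traversal token, no alert.
    "benign": {
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "ParentCommandLine": "C:\\Windows\\explorer.exe",
        "CommandLine": "cmd.exe /c dir C:\\Users",
    },
    # Matches every selection but is suppressed by filter_java.
    "java_filtered": {
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": "C:\\Program Files\\Tasktop\\launcher.exe",
        "ParentCommandLine": "launcher.exe",
        "CommandLine": "cmd.exe /c C:\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java -version",
    },
    # Token only in the parent's command line: the unmodified term needs an exact match.
    "parent_only_contains": {
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "ParentCommandLine": "cmd.exe /c C:\\Temp\\tool.exe/../../notepad.exe",
        "CommandLine": "notepad.exe",
    },
}


def evaluate_all():
    """Return {event name: rule fired?} for every constructed event."""
    return {name: rule_matches(ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, fired in evaluate_all().items():
        print(f"{name:22s} -> {'ALERT' if fired else 'no match'}")
```

Swapping the bare `ParentCommandLine` term for `ParentCommandLine|contains` in `RULE` makes the fourth event fire as well, which is a quick way to confirm that the modifier, not the event data, decides the outcome.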
Related rules
- AWS EC2 Startup Shell Script Change
- Command Line Execution with Suspicious URL and AppData Strings
- Conhost.exe CommandLine Path Traversal
- Elise Backdoor Activity
- Exploited CVE-2020-10189 Zoho ManageEngine