CMD Shell Output Redirect

Detects the use of the redirection character ">" to redicrect information in commandline

Sigma rule (View on GitHub)

 1title: CMD Shell Output Redirect
 2id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
 3related:
 4    - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
 5      type: similar
 6status: test
 7description: Detects the use of the redirection character ">" to redicrect information in commandline
 8references:
 9    - https://ss64.com/nt/syntax-redirection.html
10author: frack113
11date: 2022/01/22
12modified: 2023/03/07
13tags:
14    - attack.discovery
15    - attack.t1082
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_cmd:
21        - OriginalFileName: 'Cmd.Exe'
22        - Image|endswith: '\cmd.exe'
23    selection_cli:
24        CommandLine|contains: '>'
25    filter_idm_extension:
26        CommandLine|contains:
27            - 'C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe'
28            - 'chrome-extension://'
29            - '\\.\pipe\chrome.nativeMessaging'
30    condition: all of selection_* and not 1 of filter_*
31falsepositives:
32    - Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment
33level: low

References

Related rules

to-top