Read Contents From Stdin Via Cmd.EXE

Detect the use of "<" to read and potentially execute a file via cmd.exe

Sigma rule (View on GitHub)

 1title: Read Contents From Stdin Via Cmd.EXE
 2id: 241e802a-b65e-484f-88cd-c2dc10f9206d
 3related:
 4    - id: 00a4bacd-6db4-46d5-9258-a7d5ebff4003
 5      type: obsolete
 6status: test
 7description: Detect the use of "<" to read and potentially execute a file via cmd.exe
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md
10    - https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
11author: frack113, Nasreddine Bencherchali (Nextron Systems)
12date: 2023-03-07
13tags:
14    - attack.execution
15    - attack.t1059.003
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_cmd:
21        - OriginalFileName: 'Cmd.Exe'
22        - Image|endswith: '\cmd.exe'
23    selection_cli:
24        CommandLine|contains: '<'
25    condition: all of selection_*
26falsepositives:
27    - Unknown
28level: medium

References

Related rules

to-top