Read Contents From Stdin Via Cmd.EXE
Detect the use of "<" to read and potentially execute a file via cmd.exe
Sigma rule
title: Read Contents From Stdin Via Cmd.EXE
id: 241e802a-b65e-484f-88cd-c2dc10f9206d
related:
    - id: 00a4bacd-6db4-46d5-9258-a7d5ebff4003
      type: obsolete
status: test
description: Detect the use of "<" to read and potentially execute a file via cmd.exe
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md
    - https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-07
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        - OriginalFileName: 'Cmd.Exe'
        - Image|endswith: '\cmd.exe'
    selection_cli:
        CommandLine|contains: '<'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
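The detection block above, evaluated against a handful of constructed process_creation events, as an added example that is not part of the rule or of the Sigma project. Field names follow Sigma's process_creation schema; the events and their file paths are constructed, and the "id" field is only a label for the sample.

```python
# Added example: re-implements this rule's detection logic in plain Python so the
# matching behaviour (OR inside selection_cmd, AND across selections) can be seen.
from typing import Dict, List

def is_cmd_process(event: Dict[str, str]) -> bool:
    """selection_cmd: a YAML list of maps is OR-ed in Sigma; values match case-insensitively."""
    original = event.get("OriginalFileName", "")
    image = event.get("Image", "")
    return original.lower() == "cmd.exe" or image.lower().endswith("\\cmd.exe")

def has_stdin_redirect(event: Dict[str, str]) -> bool:
    """selection_cli: CommandLine|contains: '<'."""
    return "<" in event.get("CommandLine", "")

def rule_matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return is_cmd_process(event) and has_stdin_redirect(event)

def triage(events: List[Dict[str, str]]) -> List[str]:
    """Return the labels of all events the rule would alert on."""
    return [e["id"] for e in events if rule_matches(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "evt-1", "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe < C:\Users\Public\commands.txt"},      # stdin redirect into cmd.exe
    {"id": "evt-2", "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir C:\Temp"},                      # no '<' at all
    {"id": "evt-3", "Image": r"C:\Tools\renamed.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"renamed.exe < input.txt"},                      # renamed binary, still caught via OriginalFileName
    {"id": "evt-4", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r'powershell -c "1 -lt 2"'},                      # not cmd.exe, out of scope
    {"id": "evt-5", "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c sort < C:\data\names.txt"},          # benign redirect; also matches (falsepositives: Unknown)
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # ['evt-1', 'evt-3', 'evt-5']
```

evt-5 shows why the rule is rated medium rather than high: any legitimate `<` redirect under cmd.exe also fires, so the hit needs the redirected file and parent process to be reviewed before escalation.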