Read Contents From Stdin Via Cmd.EXE

Detect the use of "<" to read and potentially execute a file via cmd.exe

Sigma rule

```yaml
title: Read Contents From Stdin Via Cmd.EXE
id: 241e802a-b65e-484f-88cd-c2dc10f9206d
related:
    - id: 00a4bacd-6db4-46d5-9258-a7d5ebff4003
      type: obsoletes
status: test
description: Detect the use of "<" to read and potentially execute a file via cmd.exe
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md
    - https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023/03/07
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        - OriginalFileName: 'Cmd.Exe'
        - Image|endswith: '\cmd.exe'
    selection_cli:
        CommandLine|contains: '<'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
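To make the rule's logic concrete, here is an added example (not part of the rule page or the Sigma project) that evaluates the detection above over constructed process_creation events. It reproduces the Sigma semantics that matter here: items in a list under a selection are OR-ed, `all of selection_*` AND-s the selections, and string matching is case-insensitive by default. The event field names follow the Sysmon/Sigma process_creation schema; the sample events and their ids are constructed, not real telemetry.

```python
"""Minimal evaluator for the Sigma rule 'Read Contents From Stdin Via Cmd.EXE'.

Added illustration code, not a Sigma backend. Sample events below are
constructed for the example.
"""

from typing import Dict, Iterable, List, Optional


def _ci(value: Optional[str]) -> str:
    """Sigma string modifiers are case-insensitive by default, so normalise."""
    return value.lower() if isinstance(value, str) else ""


def selection_cmd(event: Dict[str, Optional[str]]) -> bool:
    """A YAML list under a selection is OR-ed: either item satisfies it."""
    return (
        _ci(event.get("OriginalFileName")) == "cmd.exe"
        or _ci(event.get("Image")).endswith("\\cmd.exe")
    )


def selection_cli(event: Dict[str, Optional[str]]) -> bool:
    """CommandLine|contains: '<'"""
    return "<" in _ci(event.get("CommandLine"))


def matches(event: Dict[str, Optional[str]]) -> bool:
    """condition: all of selection_*  -> both selections must hold."""
    return selection_cmd(event) and selection_cli(event)


def evaluate(events: Iterable[Dict[str, Optional[str]]]) -> List[str]:
    """Return the ids of the events that trigger the rule."""
    return [str(e["id"]) for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # cmd.exe reading its input from a file via '<': should match
        "id": "evt-1",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe < C:\Users\Public\input.txt",
    },
    {  # renamed copy; the PE OriginalFileName still says Cmd.Exe: should match
        "id": "evt-2",
        "Image": r"C:\Users\Public\c.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"c.exe < C:\Users\Public\input.txt",
    },
    {  # cmd.exe without any '<' on the command line: no match
        "id": "evt-3",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c dir C:\Users\Public",
    },
    {  # '<' present but the process is not cmd.exe: no match (AND condition)
        "id": "evt-4",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell.exe -c Select-String '<html>' page.txt",
    },
    {  # upper-case path and no OriginalFileName; endswith is case-insensitive: should match
        "id": "evt-5",
        "Image": r"C:\WINDOWS\SYSTEM32\CMD.EXE",
        "OriginalFileName": None,
        "CommandLine": r"CMD.EXE < C:\ProgramData\list.txt",
    },
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # ['evt-1', 'evt-2', 'evt-5']
```

evt-2 shows why the rule keys on `OriginalFileName` as well as `Image`: the PE version resource survives a rename of the binary. evt-4 shows the `all of selection_*` gating, which is what keeps the very broad `contains: '<'` from firing on every process whose arguments happen to include an angle bracket; the `falsepositives: Unknown` entry is a hint that in-house tuning (for example excluding known batch jobs) is still expected.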
