Potential Download/Upload Activity Using Type Command

Detects usage of the "type" command to download/upload data from WebDAV server

Sigma rule (View on GitHub)

 1title: Potential Download/Upload Activity Using Type Command
 2id: aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f
 3status: test
 4description: Detects usage of the "type" command to download/upload data from WebDAV server
 5references:
 6    - https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-12-14
 9tags:
10    - attack.command-and-control
11    - attack.t1105
12logsource:
13    product: windows
14    category: process_creation
15detection:
16    # Note that since built in CMD commands do not trigger a process creation. This would be detected only if used in a "/c" command
17    selection_upload:
18        CommandLine|contains|all:
19            - 'type '
20            - ' > \\\\'
21    selection_download:
22        CommandLine|contains|all:
23            - 'type \\\\'
24            - ' > ' # Space are added to increase atom length and speed up matching. If your backend can handle this remove the space
25    condition: 1 of selection_*
26falsepositives:
27    - Unknown
28level: medium

References

Related rules

to-top