Automated Collection Command Prompt
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Sigma rule
```yaml
title: Automated Collection Command Prompt
id: f576a613-2392-4067-9d1a-9345fb58d8d1
status: test
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: frack113
date: 2021-07-28
modified: 2022-11-11
tags:
    - attack.collection
    - attack.t1119
    - attack.credential-access
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_ext:
        CommandLine|contains:
            - '.doc'
            - '.docx'
            - '.xls'
            - '.xlsx'
            - '.ppt'
            - '.pptx'
            - '.rtf'
            - '.pdf'
            - '.txt'
    selection_other_dir:
        CommandLine|contains|all:
            - 'dir '
            - ' /b '
            - ' /s '
    selection_other_findstr:
        OriginalFileName: 'FINDSTR.EXE'
        CommandLine|contains:
            - ' /e '
            - ' /si '
    condition: selection_ext and 1 of selection_other_*
falsepositives:
    - Unknown
level: medium
```
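To make the rule's logic concrete, the following is an added example (not part of the rule page or of the Sigma project) that evaluates the three selections and the `selection_ext and 1 of selection_other_*` condition against constructed process-creation events. It mirrors Sigma's default case-insensitive substring matching for `|contains` and `|contains|all`; the event dicts and the `evaluate`/`run_samples` helper names are assumptions made for this example, with field names taken from the rule (`CommandLine`, `OriginalFileName`).

```python
"""Minimal evaluator for the 'Automated Collection Command Prompt' Sigma rule.

Added example, not the Sigma project's own code. The events below are
constructed; field names follow the rule's process_creation fields.
"""

# Values copied from the rule's detection section.
DOC_EXTENSIONS = ['.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.rtf', '.pdf', '.txt']
DIR_FLAGS_ALL = ['dir ', ' /b ', ' /s ']
FINDSTR_FLAGS_ANY = [' /e ', ' /si ']


def _contains_any(haystack, needles):
    """Sigma '|contains' with a list: any needle as a case-insensitive substring."""
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def _contains_all(haystack, needles):
    """Sigma '|contains|all': every needle must appear (case-insensitive)."""
    h = haystack.lower()
    return all(n.lower() in h for n in needles)


def evaluate(event):
    """Return (alert, matched_selections) for one process_creation event.

    alert is True when selection_ext matched and at least one of the
    selection_other_* selections matched, as the rule's condition requires.
    """
    cmd = event.get('CommandLine') or ''
    original = event.get('OriginalFileName') or ''
    matched = []
    if _contains_any(cmd, DOC_EXTENSIONS):
        matched.append('selection_ext')
    if _contains_all(cmd, DIR_FLAGS_ALL):
        matched.append('selection_other_dir')
    # Sigma compares plain field values case-insensitively as well.
    if original.lower() == 'findstr.exe' and _contains_any(cmd, FINDSTR_FLAGS_ANY):
        matched.append('selection_other_findstr')
    alert = 'selection_ext' in matched and any(
        m.startswith('selection_other_') for m in matched)
    return alert, matched


# Constructed sample events: two that the rule should flag, three that it should not.
SAMPLE_EVENTS = [
    {'CommandLine': 'dir /b /s C:\\Users\\*.docx', 'OriginalFileName': 'Cmd.Exe'},
    {'CommandLine': 'findstr /si password *.txt', 'OriginalFileName': 'FINDSTR.EXE'},
    {'CommandLine': 'dir /b C:\\Temp\\*.txt', 'OriginalFileName': 'Cmd.Exe'},       # no ' /s '
    {'CommandLine': 'notepad.exe report.docx', 'OriginalFileName': 'NOTEPAD.EXE'},  # ext only
    {'CommandLine': 'dir /b /s C:\\Build\\*.dll', 'OriginalFileName': 'Cmd.Exe'},   # no doc ext
]


def run_samples(events=SAMPLE_EVENTS):
    """Evaluate every sample and return (CommandLine, alert, matched) tuples."""
    return [(e['CommandLine'], *evaluate(e)) for e in events]


if __name__ == '__main__':
    for cmd, alert, matched in run_samples():
        print(f"{'ALERT ' if alert else 'ok    '} {cmd!r:45} {matched}")
```

The third and fifth samples show why the condition is an `and`: a recursive `dir /b /s` on its own, or a document extension on its own, is everyday activity; it is the combination that the rule treats as enumeration of collectable files. Because the matching is substring-based, tuning for a noisy environment is normally done by adding a `filter_*` selection to the rule rather than by narrowing these lists.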
Related rules
- Cisco Collect Data
- Active Directory Database Snapshot Via ADExplorer
- Automated Collection Command PowerShell
- Azure Key Vault Modified or Deleted
- Azure Keyvault Key Modified or Deleted