Automated Collection Command Prompt
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Sigma rule
```yaml
title: Automated Collection Command Prompt
id: f576a613-2392-4067-9d1a-9345fb58d8d1
status: test
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: frack113
date: 2021/07/28
modified: 2022/11/11
tags:
    - attack.collection
    - attack.t1119
    - attack.credential_access
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_ext:
        CommandLine|contains:
            - '.doc'
            - '.docx'
            - '.xls'
            - '.xlsx'
            - '.ppt'
            - '.pptx'
            - '.rtf'
            - '.pdf'
            - '.txt'
    selection_other_dir:
        CommandLine|contains|all:
            - 'dir '
            - ' /b '
            - ' /s '
    selection_other_findstr:
        OriginalFileName: 'FINDSTR.EXE'
        CommandLine|contains:
            - ' /e '
            - ' /si '
    condition: selection_ext and 1 of selection_other_*
falsepositives:
    - Unknown
level: medium
```
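To see what the rule's three selections and its condition actually match, here is an added Python evaluator; it is example code written for this page, not the rule's own logic or anything from the SigmaHQ project. It assumes Sigma's default case-insensitive `contains` matching and the `process_creation` field names the rule uses (`CommandLine`, `OriginalFileName`). The sample events are constructed for the example, not real telemetry.

```python
"""Added example, not part of the Sigma rule or the SigmaHQ project.

A minimal evaluator for the rule above, run against constructed Windows
process-creation events, to show which command lines it fires on and why.
Assumptions: Sigma's `contains` modifier is matched case-insensitively (the
Sigma spec default), and events carry the process_creation field names the
rule uses (CommandLine, OriginalFileName).
"""

# Values copied from the rule's three selections.
DOC_EXTENSIONS = ['.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx',
                  '.rtf', '.pdf', '.txt']
DIR_FLAGS = ['dir ', ' /b ', ' /s ']        # contains|all: every flag required
FINDSTR_FLAGS = [' /e ', ' /si ']           # contains: any one flag suffices


def _contains(haystack, needle):
    """Sigma 'contains' semantics: case-insensitive substring test."""
    return needle.lower() in haystack.lower()


def selection_ext(event):
    cmd = event.get('CommandLine', '')
    return any(_contains(cmd, ext) for ext in DOC_EXTENSIONS)


def selection_other_dir(event):
    cmd = event.get('CommandLine', '')
    return all(_contains(cmd, flag) for flag in DIR_FLAGS)


def selection_other_findstr(event):
    if event.get('OriginalFileName', '').lower() != 'findstr.exe':
        return False
    cmd = event.get('CommandLine', '')
    return any(_contains(cmd, flag) for flag in FINDSTR_FLAGS)


def rule_matches(event):
    """condition: selection_ext and 1 of selection_other_*"""
    return selection_ext(event) and (
        selection_other_dir(event) or selection_other_findstr(event))


# Constructed sample events (not real telemetry); labels describe the intent.
SAMPLE_EVENTS = {
    # Recursive bare listing filtered to one document type.
    'dir_recursive_docx': {
        'OriginalFileName': 'Cmd.Exe',
        'CommandLine': 'cmd.exe /c dir c:\\ /b /s .docx',
    },
    # findstr searching for a document extension at end of line.
    'findstr_e_docx': {
        'OriginalFileName': 'FINDSTR.EXE',
        'CommandLine': 'findstr /e .docx',
    },
    # Same dir flags, but no document extension: selection_ext fails.
    'dir_recursive_logs': {
        'OriginalFileName': 'Cmd.Exe',
        'CommandLine': 'cmd.exe /c dir C:\\logs /b /s *.log ',
    },
    # Document extension without any enumeration command: benign.
    'notepad_txt': {
        'OriginalFileName': 'NOTEPAD.EXE',
        'CommandLine': 'notepad.exe C:\\Users\\alice\\notes.txt',
    },
    # Rule limitation: ' /s ' needs a trailing space, so a command line that
    # ends in '/s' is missed by selection_other_dir although it is the same
    # recursive listing.
    'dir_flag_at_end': {
        'OriginalFileName': 'Cmd.Exe',
        'CommandLine': 'cmd.exe /c dir C:\\Users\\*.txt /b /s',
    },
}


def evaluate_samples():
    """Map each sample label to whether the rule would alert on it."""
    return {label: rule_matches(ev) for label, ev in SAMPLE_EVENTS.items()}


if __name__ == '__main__':
    for label, hit in evaluate_samples().items():
        print(f'{label:22s} -> {"ALERT" if hit else "no match"}')
```

Two practical points the run makes visible: the `' /s '` and `' /b '` values carry surrounding spaces, so a flag that is the last token on the command line does not satisfy `selection_other_dir`; and `selection_other_findstr` depends on `OriginalFileName`, which Sysmon Event ID 1 provides but a plain Security 4688 event does not, so with 4688-only telemetry that branch never fires.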
Related rules
- PUA - Mouse Lock Execution
- Automated Collection Command PowerShell
- Extracting Information with PowerShell
- Recon Information for Export with PowerShell
- Suspicious Unattend.xml File Access