Recon Information for Export with Command Prompt

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Sigma rule

title: Recon Information for Export with Command Prompt
id: aa2efee7-34dd-446e-8a37-40790a66efd7
related:
    - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
      type: similar
status: test
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
author: frack113
date: 2021/07/30
modified: 2022/09/13
tags:
    - attack.collection
    - attack.t1119
logsource:
    product: windows
    category: process_creation
detection:
    selection_image:
        - Image|endswith:
              - '\tree.com'
              - '\WMIC.exe'
              - '\doskey.exe'
              - '\sc.exe'
        - OriginalFileName:
              - 'wmic.exe'
              - 'DOSKEY.EXE'
              - 'sc.exe'
    selection_redirect:
        ParentCommandLine|contains:
            - ' > %TEMP%\'
            - ' > %TMP%\'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
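The rule's logic, as an added example that is not part of the SigmaHQ rule or its tooling: the two selections are evaluated against constructed process_creation events, using Sigma's default case-insensitive string matching. Note that the redirect is checked on ParentCommandLine, since it is the parent cmd.exe that performs the `>` redirection, not the spawned tree.com, WMIC.exe, doskey.exe or sc.exe.

```python
# Added example: re-implements the Sigma rule above against constructed
# process_creation events. Field names (Image, OriginalFileName,
# ParentCommandLine) follow the Sigma Windows process_creation taxonomy.

# Values lower-cased: Sigma string matching is case-insensitive by default.
IMAGE_SUFFIXES = ('\\tree.com', '\\wmic.exe', '\\doskey.exe', '\\sc.exe')
ORIGINAL_FILE_NAMES = ('wmic.exe', 'doskey.exe', 'sc.exe')
REDIRECT_MARKERS = (' > %temp%\\', ' > %tmp%\\')


def selection_image(event):
    """selection_image is a list of maps, so its entries are OR'ed:
    Image|endswith any listed suffix, or OriginalFileName in the list."""
    image = event.get('Image', '').lower()
    original = event.get('OriginalFileName', '').lower()
    return image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_FILE_NAMES


def selection_redirect(event):
    """ParentCommandLine|contains: any of the listed redirect strings."""
    parent = event.get('ParentCommandLine', '').lower()
    return any(marker in parent for marker in REDIRECT_MARKERS)


def matches(event):
    """condition: all of selection* -> both selections must hold."""
    return selection_image(event) and selection_redirect(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # tree output redirected into %TEMP% by the parent cmd.exe: match
        'Image': r'C:\Windows\System32\tree.com',
        'OriginalFileName': 'tree.com',
        'ParentCommandLine': r'cmd.exe /c tree C:\Users /F > %TEMP%\t.txt'},
    {   # renamed binary; OriginalFileName still identifies sc.exe: match
        'Image': r'C:\Users\Public\svc.exe',
        'OriginalFileName': 'sc.exe',
        'ParentCommandLine': r'cmd.exe /c sc query > %TMP%\services.txt'},
    {   # WMIC without any redirect: selection_redirect fails, no match
        'Image': r'C:\Windows\System32\wbem\WMIC.exe',
        'OriginalFileName': 'wmic.exe',
        'ParentCommandLine': r'cmd.exe /c wmic os get caption'},
    {   # redirect present but image not in the rule's list: no match
        'Image': r'C:\Windows\System32\ipconfig.exe',
        'OriginalFileName': 'ipconfig.exe',
        'ParentCommandLine': r'cmd.exe /c ipconfig /all > %TEMP%\n.txt'},
]


def alerting_events(events):
    """Return the indices of events that would raise this rule."""
    return [i for i, e in enumerate(events) if matches(e)]
```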
