← Library
sigmaDRL-1.1from SigmaHQ/sigma

Potentially Suspicious CMD Shell Output Redirect

Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.

Quality
74
FP risk
Forks
0
Views
0
ATT&CK techniques
T1218
Rule sourcerules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
title: Potentially Suspicious CMD Shell Output Redirect
id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
related:
    - id: aa2efee7-34dd-446e-8a37-40790a66efd7
      type: derived
    - id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
      type: similar
status: test
description: |
    Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location.
    This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
references:
    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
modified: 2024-03-19
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli_1:
        CommandLine|contains:
            # Note: Add more suspicious locations as you find them
            # Note: The space from the start is missing to cover append operations ">>"
            # Note: We use the "?" to account for both a single and a double quote
            # Note: If you want to account for more spaces which is still a valid bypass option. Use a regex with "\s"
            - '>?%APPDATA%\'
            - '>?%TEMP%\'
            - '>?%TMP%\'
            - '>?%USERPROFILE%\'
            - '>?C:\ProgramData\'
            - '>?C:\Temp\'
            - '>?C:\Users\Public\'
            - '>?C:\Windows\Temp\'
    selection_cli_2:
        CommandLine|contains:
            - ' >'
            - '">'
            - "'>"
        CommandLine|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Legitimate admin or third party scripts used for diagnostic collection might generate some false positives
level: medium