Detection · high · test
Potential CommandLine Path Traversal Via Cmd.EXE
Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
Log Source
Windows / Process Creation
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (4 selectors)
detection:
    selection_img:
        - ParentImage|endswith: '\cmd.exe'
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'cmd.exe'
    selection_flags:
        - ParentCommandLine|contains:
              - '/c'
              - '/k'
              - '/r'
        - CommandLine|contains:
              - '/c'
              - '/k'
              - '/r'
    selection_path_traversal:
        - ParentCommandLine|contains: '/../../'
        - CommandLine|contains: '/../../'
    filter_java:
        CommandLine|contains: '\Tasktop\keycloak\bin\/../../jre\bin\java'
    condition: all of selection_* and not 1 of filter_*
False Positives
Java tools are known to produce false positives when loading libraries.
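To see how the four selectors combine, here is an added example (not code from the Sigma rule or the SigmaHQ project) that re-implements the rule's matching semantics in Python and runs them over three constructed process-creation events: a cmd.exe /c invocation carrying a "/../../" sequence, the Tasktop keycloak Java launcher that the filter_java selector excludes, and an ordinary cmd.exe /c with no traversal. The field names follow the Sigma process_creation taxonomy; the ParentCommandLine check in selection_path_traversal is treated as a contains match like its CommandLine sibling (assumption). Note that the '/c', '/k', '/r' checks are plain substring tests, so the path-traversal selector is the one doing the discriminating work.

```python
"""Evaluate the Sigma detection logic above against process-creation events.

Added example: this is not code from the Sigma rule or the SigmaHQ project.
It re-implements only the matching semantics the rule relies on
(case-insensitive endswith/contains/equals, list-of-maps = OR,
"all of selection_*" = AND, "not 1 of filter_*" = exclusion).
The event dictionaries are constructed samples, not real telemetry.
"""
from typing import Dict, List, Tuple

Selector = List[Tuple[str, str, List[str]]]  # (field, modifier, values)

# Selectors transcribed from the rule. ParentCommandLine in
# selection_path_traversal is treated as a contains match (assumption,
# mirroring its CommandLine sibling).
SELECTION_IMG: Selector = [
    ("ParentImage", "endswith", ["\\cmd.exe"]),
    ("Image", "endswith", ["\\cmd.exe"]),
    ("OriginalFileName", "equals", ["cmd.exe"]),
]
SELECTION_FLAGS: Selector = [
    ("ParentCommandLine", "contains", ["/c", "/k", "/r"]),
    ("CommandLine", "contains", ["/c", "/k", "/r"]),
]
SELECTION_PATH_TRAVERSAL: Selector = [
    ("ParentCommandLine", "contains", ["/../../"]),
    ("CommandLine", "contains", ["/../../"]),
]
FILTER_JAVA: Selector = [
    ("CommandLine", "contains", ["\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java"]),
]


def field_matches(event: Dict[str, str], field: str, modifier: str, values: List[str]) -> bool:
    """One Sigma field test; Sigma string comparisons are case-insensitive by default."""
    actual = str(event.get(field, "")).lower()
    for value in values:  # several values under one key are OR'ed
        v = value.lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "equals" and actual == v:
            return True
    return False


def selector_matches(event: Dict[str, str], selector: Selector) -> bool:
    """A selector written as a YAML list of maps is an OR over its entries."""
    return any(field_matches(event, f, m, vals) for f, m, vals in selector)


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: all of selection_* and not 1 of filter_*"""
    selections = (SELECTION_IMG, SELECTION_FLAGS, SELECTION_PATH_TRAVERSAL)
    filters = (FILTER_JAVA,)
    return all(selector_matches(event, s) for s in selections) and not any(
        selector_matches(event, f) for f in filters
    )


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # cmd.exe /c with a "/../../" sequence in its arguments: should alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
        "CommandLine": r'cmd.exe /c "C:\Users\Public\/../../Windows\System32\notepad.exe"',
    },
    {   # Tasktop keycloak launcher: hits all selections but is excluded by filter_java
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'cmd.exe /c "C:\Program Files\Tasktop\keycloak\bin\standalone.bat"',
        "CommandLine": r'cmd.exe /c "C:\Program Files\Tasktop\keycloak\bin\/../../jre\bin\java" -version',
    },
    {   # ordinary cmd.exe /c without a traversal sequence: no alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe /c dir C:\Temp",
    },
]


def evaluate(events: List[Dict[str, str]]) -> List[bool]:
    """Return one verdict per event, in input order."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT  " if hit else "ignore ", event["CommandLine"])
```

Running the script prints ALERT for the first event only. Tuning the rule for your own environment means extending filter_* with the specific benign launchers you observe, as the rule already does for the Tasktop keycloak Java binary, rather than loosening the selection_path_traversal selector.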
MITRE ATT&CK
Tactics: Execution (attack.execution)
Sub-techniques: T1059.003 Command and Scripting Interpreter: Windows Command Shell (attack.t1059.003)
Rule Metadata
Rule ID: 087790e3-3287-436c-bccf-cbd0184a7db1
Status: test
Level: high
Type: Detection
Created: Thu Jun 11
Modified: Mon Mar 06
Author:
Path: rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml
Raw Tags: attack.execution, attack.t1059.003