CMD Shell Output Redirect
Detects the use of the redirection character ">" to redirect information on the command line. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
Log Source
Windows / Process Creation
Product: windows
Category: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (3 selectors)
detection:
    selection_cmd:
        - OriginalFileName: 'Cmd.Exe'
        - Image|endswith: '\cmd.exe'
    selection_cli:
        CommandLine|contains: '>'
    filter_optional_idm_extension:
        CommandLine|contains:
            - 'C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe'
            - 'chrome-extension://'
            - '\\.\pipe\chrome.nativeMessaging'
    condition: all of selection_* and not 1 of filter_optional_*
False Positives
Internet Download Manager extensions use named pipes and redirection via the command line. Filter them out if you use IDM in your environment.
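The detection block above and its false-positive filter, evaluated by a small added example (written for this page, not pySigma or the rule's own code) over constructed process-creation events: a cmd.exe recon command redirected to a file alerts, the IDM native-messaging launch is filtered out, and a PowerShell redirect is not matched because selection_cmd requires cmd.exe. The sample command lines, the placeholder extension id and the literal named-pipe path are assumptions.

```python
# Added example (not pySigma or the rule's own code): evaluates this rule's detection block over constructed events.
RULE = {
    "selection_cmd": [{"OriginalFileName": "Cmd.Exe"}, {"Image|endswith": "\\cmd.exe"}],  # list of maps: OR
    "selection_cli": {"CommandLine|contains": ">"},
    "filter_optional_idm_extension": {"CommandLine|contains": [  # list of values: OR
        "C:\\Program Files (x86)\\Internet Download Manager\\IDMMsgHost.exe",
        "chrome-extension://",
        "\\\\.\\pipe\\chrome.nativeMessaging",  # assumed to mean the literal path \\.\pipe\chrome.nativeMessaging
    ]},
}

def field_matches(event, key, expected):
    """One 'Field|modifier: value(s)' pair; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in (expected if isinstance(expected, list) else [expected]):
        value = value.lower()
        if ((modifier == "endswith" and actual.endswith(value))
                or (modifier == "contains" and value in actual)
                or (modifier == "" and actual == value)):
            return True
    return False

def selection_matches(event, selection):
    if isinstance(selection, list):  # list of maps: any map may match
        return any(selection_matches(event, m) for m in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())  # map: all pairs must match

def rule_matches(event):
    """condition: all of selection_* and not 1 of filter_optional_*"""
    sels = [v for k, v in RULE.items() if k.startswith("selection_")]
    filters = [v for k, v in RULE.items() if k.startswith("filter_optional_")]
    return (all(selection_matches(event, s) for s in sels)
            and not any(selection_matches(event, f) for f in filters))

CMD = "C:\\Windows\\System32\\cmd.exe"
EVENTS = {  # constructed sample events, not real telemetry
    "recon_redirect": {"Image": CMD, "OriginalFileName": "Cmd.Exe",
                       "CommandLine": "cmd.exe /c hostname > C:\\Users\\Public\\h.txt"},
    "idm_extension": {"Image": CMD, "OriginalFileName": "Cmd.Exe", "CommandLine":
                      '"C:\\Program Files (x86)\\Internet Download Manager\\IDMMsgHost.exe" '
                      "chrome-extension://placeholderid/ > \\\\.\\pipe\\chrome.nativeMessaging.out"},
    "powershell_redirect": {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                            "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell -c dir > out.txt"},
    "cmd_no_redirect": {"Image": CMD, "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe /c whoami"},
}

if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(f"{name:20s} {'ALERT' if rule_matches(event) else 'no match'}")
```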
References
MITRE ATT&CK
Tactics: Discovery (attack.discovery)
Techniques: T1082 System Information Discovery (attack.t1082)
Other: detection.threat-hunting
Rule Metadata
Rule ID: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
Status: test
Level: low
Type: Threat Hunt
Created: Sat Jan 22
Modified: Tue Mar 19
Author:
Path: rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_redirect.yml
Raw Tags: attack.discovery, attack.t1082, detection.threat-hunting