
Potential File Override/Append Via SET Command

Detects use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign. Attackers have used this technique together with the append redirection operator ">>" to update the contents of a file indirectly. Example: cmd /c >> example.txt set /p="test data". This appends "test data" to the contents of "example.txt": set /p writes its prompt text to standard output before it reads input, and cmd accepts the redirection anywhere on the line, so the prompt text lands in the file. The typical use case of "set /p" is to prompt the user for input, in which case a variable name sits between "/p" and "="; an "=" placed directly after "/p" is what this rule keys on.

Author: Nasreddine Bencherchali (Nextron Systems), MahirAli Khan (in/mahiralikhan)
Created: Thu Aug 22
Rule ID: 65e4c134-ee52-4099-9e35-5e17a4b45c62
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (2 selectors)
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli:
        CommandLine|contains:
            - '/c set /p='
            - '"set /p='
            - '>>*set /p=' # Catches the redirect-first form, e.g. "cmd /c >> file set /p=", where neither "/c " nor a quote directly precedes "set"
    condition: all of selection_*
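To show how the two selectors combine, here is the rule's matching logic run over a handful of sample process-creation events. This is an added example, not code from the rule or from the Sigma project; the events are constructed for illustration (file paths and command lines are hypothetical) and the matcher implements only the Sigma semantics the rule uses (case-insensitive string matching, the "*" wildcard, the contains/endswith modifiers, OR across a list of maps or values, AND across fields in one map). It also includes a benign prompt, a non-cmd.exe process with the same command line, and the quoted no-variable-name form that the false-positives section warns about.

```python
import re
from typing import Any, Dict, List

# The two selectors from the rule above, in Sigma's own structure:
# a list of maps is OR-ed, the fields inside one map are AND-ed,
# and a list of values for one field is OR-ed.
SELECTION_IMG: List[Dict[str, Any]] = [
    {"Image|endswith": "\\cmd.exe"},
    {"OriginalFileName": "Cmd.Exe"},
]
SELECTION_CLI: Dict[str, Any] = {
    "CommandLine|contains": ['/c set /p=', '"set /p=', '>>*set /p='],
}


def _value_matches(field_value: str, pattern: str, modifier: str) -> bool:
    """Sigma string matching: case-insensitive, '*' is a wildcard,
    and the modifier decides where the pattern is anchored."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    if modifier == "contains":
        regex = body
    elif modifier == "endswith":
        regex = body + r"\Z"
    elif modifier == "startswith":
        regex = r"\A" + body
    else:  # no modifier: the whole value must match
        regex = r"\A" + body + r"\Z"
    return re.search(regex, field_value, re.IGNORECASE | re.DOTALL) is not None


def _map_matches(event: Dict[str, Any], selection_map: Dict[str, Any]) -> bool:
    """Every field in the map must match (AND); any listed value may match (OR)."""
    for key, values in selection_map.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        candidates = values if isinstance(values, list) else [values]
        if not any(_value_matches(str(event[field]), v, modifier) for v in candidates):
            return False
    return True


def selection_matches(event: Dict[str, Any], selection: Any) -> bool:
    """A selection given as a list of maps matches if any map matches."""
    if isinstance(selection, list):
        return any(_map_matches(event, m) for m in selection)
    return _map_matches(event, selection)


def rule_matches(event: Dict[str, Any]) -> bool:
    """condition: all of selection_*"""
    return selection_matches(event, SELECTION_IMG) and selection_matches(event, SELECTION_CLI)


# Constructed process-creation events (not real telemetry); paths are illustrative.
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # 1. The example from the rule description: redirect placed before the command,
    #    so only the '>>*set /p=' pattern catches it.
    {"Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd /c >> example.txt set /p="test data"'},
    # 2. Redirect after the command; '/c set /p=' matches.
    {"Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c set /p=hello<nul >> C:\Users\Public\out.txt"},
    # 3. Ordinary prompting with a variable name between /p and '=': no match.
    {"Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c set /p name=Enter your name: "},
    # 4. Same command-line pattern but the process is not cmd.exe: selection_img fails,
    #    so the AND in the condition keeps it out.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell -c "cmd /c set /p=x"'},
    # 5. The false-positive class from the rule: a script printing a prompt with no
    #    variable name (set /p= ... <nul), in the quoted form '"set /p=' was written for.
    {"Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd.exe /c "set /p=Processing... <nul"'},
]


def matching_command_lines(events: List[Dict[str, Any]]) -> List[str]:
    """Command lines of the events the rule fires on, in input order."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{'MATCH' if rule_matches(event) else 'no   '}  {event['CommandLine']}")
```

Events 1, 2 and 5 fire; 3 and 4 do not. Event 5 is the reason the rule is tuned to level low: the quoted "set /p=" form is also the common cmd idiom for printing text without a trailing newline, so hunting with this rule means reviewing what the redirect target is and which parent spawned cmd.exe, rather than treating every hit as an override attempt.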
False Positives

Legitimate use of the SET command with the "/p" flag for user prompting in administrative or user-generated scripts.

MITRE ATT&CK
Tactics: Execution (attack.execution), Defense Evasion (attack.defense-evasion)

Other

detection.threat-hunting
Rule Metadata
Rule ID
65e4c134-ee52-4099-9e35-5e17a4b45c62
Status
test
Level
low
Type
Threat Hunt
Created
Thu Aug 22
Path
rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_set_prompt_abuse.yml
Raw Tags
attack.execution, attack.defense-evasion, detection.threat-hunting