Potentially Suspicious CMD Shell Output Redirect
Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli_1:
        CommandLine|contains:
            # Note: Add more suspicious locations as you find them
            # Note: The leading space is deliberately omitted so that append operations (">>") are also covered
            # Note: We use "?" to account for both a single and a double quote
            # Note: If you want to account for more spaces, which is still a valid bypass option, use a regex with "\s"
            - '>?%APPDATA%\'
            - '>?%TEMP%\'
            - '>?%TMP%\'
            - '>?%USERPROFILE%\'
            - '>?C:\ProgramData\'
            - '>?C:\Temp\'
            - '>?C:\Users\Public\'
            - '>?C:\Windows\Temp\'
    selection_cli_2:
        CommandLine|contains:
            - ' >'
            - '">'
            - "'>"
        CommandLine|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\'
    condition: selection_img and 1 of selection_cli_*

False positives
Legitimate admin or third-party scripts used for diagnostic collection might generate some false positives.
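To show how the detection above evaluates against process-creation events, here is an added example (not part of the rule or the Sigma project) that implements the rule's `contains` / `contains|all` / `endswith` semantics in Python and runs it over constructed command lines. Note that Sigma's `?` matches exactly one character, so selection_cli_1 requires a quote or a space between ">" and the path; a bare ">%TEMP%\" falls through to selection_cli_2, which only fires for the C:\Users\...\AppData\Local\ case.

```python
import re


def sigma_contains(value: str):
    """Compile a Sigma 'contains' value: '?' is exactly one character, '*' any run,
    everything else literal, matching case-insensitive (no escapes needed here)."""
    return re.compile("".join("." if c == "?" else ".*" if c == "*" else re.escape(c)
                              for c in value), re.IGNORECASE)


# Values copied from the rule above (backslashes doubled for Python strings).
CLI_1 = [sigma_contains(v) for v in (
    ">?%APPDATA%\\", ">?%TEMP%\\", ">?%TMP%\\", ">?%USERPROFILE%\\",
    ">?C:\\ProgramData\\", ">?C:\\Temp\\", ">?C:\\Users\\Public\\", ">?C:\\Windows\\Temp\\")]
CLI_2_ANY = [sigma_contains(v) for v in (" >", '">', "'>")]
CLI_2_ALL = [sigma_contains(v) for v in ("C:\\Users\\", "\\AppData\\Local\\")]


def matches_rule(event: dict) -> bool:
    """Evaluate 'selection_img and 1 of selection_cli_*' for one process event."""
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    # selection_img is a list of maps, so its entries are OR-ed.
    selection_img = image.endswith("\\cmd.exe") or orig == "cmd.exe"
    selection_cli_1 = any(p.search(cmd) for p in CLI_1)
    # selection_cli_2 is one map with two keys, so both must hold (AND):
    # 'contains' needs any listed value, 'contains|all' needs every value.
    selection_cli_2 = (any(p.search(cmd) for p in CLI_2_ANY)
                       and all(p.search(cmd) for p in CLI_2_ALL))
    return selection_img and (selection_cli_1 or selection_cli_2)


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c hostname > %TEMP%\\h.txt"},          # cli_1, '?' = space
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd /c dir >"C:\\Users\\Public\\d.txt"'},         # cli_1, '?' = quote
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c systeminfo > C:\\Users\\bob\\AppData\\Local\\s.txt"},  # cli_2
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c echo hi > C:\\logs\\out.txt"},            # no listed location
    {"Image": "C:\\Program Files\\Tool\\tool.exe",
     "CommandLine": "tool.exe > %TEMP%\\x.txt"},                       # not cmd.exe
]


def alerting_command_lines(events=SAMPLE_EVENTS) -> list:
    # CommandLine of every event the rule would alert on, in input order.
    return [e["CommandLine"] for e in events if matches_rule(e)]
```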
Tactics
Techniques
Recon Information for Export with Command Prompt
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
This rule was derived from the related rule - both detect similar activity with different scope.
CMD Shell Output Redirect
Detects the use of the redirection character ">" to redirect information on the command line. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
Detects similar activity. Both rules may fire on overlapping events.