Techniques
Sample rules
Potential CommandLine Path Traversal Via Cmd.EXE
- source: sigma
- technicques:
- t1059
- t1059.003
Description
Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
Detection logic
condition: all of selection_* and not 1 of filter_*
filter_java:
CommandLine|contains: \Tasktop\keycloak\bin\/../../jre\bin\java
selection_flags:
- ParentCommandLine|contains:
- /c
- /k
- /r
- CommandLine|contains:
- /c
- /k
- /r
selection_img:
- ParentImage|endswith: \cmd.exe
- Image|endswith: \cmd.exe
- OriginalFileName: cmd.exe
selection_path_traversal:
- ParentCommandLine: /../../
- CommandLine|contains: /../../