Techniques
Sample rules
Potentially Suspicious CMD Shell Output Redirect
- source: sigma
- techniques:
    - t1218
Description
Detects inline Windows shell commands redirecting output via the “>” symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as “hostname” and “dir” to files for future exfiltration.
Detection logic
condition: selection_img and 1 of selection_cli_*
selection_cli_1:
    CommandLine|contains:
        - '>?%APPDATA%\'
        - '>?%TEMP%\'
        - '>?%TMP%\'
        - '>?%USERPROFILE%\'
        - '>?C:\ProgramData\'
        - '>?C:\Temp\'
        - '>?C:\Users\Public\'
        - '>?C:\Windows\Temp\'
selection_cli_2:
    CommandLine|contains:
        - ' >'
        - '">'
        - '''>'
    CommandLine|contains|all:
        - C:\Users\
        - \AppData\Local\
selection_img:
    - Image|endswith: \cmd.exe
    - OriginalFileName: Cmd.Exe
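To see how the condition above behaves on real command lines, the following Python replay evaluates the rule over a handful of constructed process-creation events. This is an added example, not code from the Sigma rule or its repository. It translates the rule's `contains`, `contains|all`, `endswith` and equality comparisons into case-insensitive matching and treats `?` as Sigma's single-character wildcard (so `'>?%TEMP%\'` matches both `> %TEMP%\` and `>>%TEMP%\`); the field names (Image, OriginalFileName, CommandLine) are taken from the rule, and every sample event is constructed for the demonstration.

```python
"""Replay of the Sigma rule 'Potentially Suspicious CMD Shell Output Redirect'
over constructed process-creation events (added example, not the rule's own code)."""
import re

# selection_cli_1: redirect into a user-scoped or world-writable location.
# Sigma's '?' is a single-character wildcard, so '>?%TEMP%\' covers '> %TEMP%\'
# as well as '>>%TEMP%\'. Values copied from the rule; backslashes doubled for Python.
CLI_1_CONTAINS = [
    '>?%APPDATA%\\', '>?%TEMP%\\', '>?%TMP%\\', '>?%USERPROFILE%\\',
    '>?C:\\ProgramData\\', '>?C:\\Temp\\', '>?C:\\Users\\Public\\',
    '>?C:\\Windows\\Temp\\',
]
# selection_cli_2: a redirect token AND a path under some user's AppData\Local.
CLI_2_CONTAINS = [' >', '">', "'>"]
CLI_2_CONTAINS_ALL = ['C:\\Users\\', '\\AppData\\Local\\']


def _sigma_regex(value: str) -> "re.Pattern[str]":
    """Translate a Sigma string value into a case-insensitive regex.

    '*' becomes '.*', '?' becomes '.', everything else is literal. Sigma's
    backslash-escaping rules are simplified here; the rule values contain no
    escaped wildcards, so a plain backslash is always a literal backslash.
    """
    parts = []
    for ch in value:
        if ch == '*':
            parts.append('.*')
        elif ch == '?':
            parts.append('.')
        else:
            parts.append(re.escape(ch))
    return re.compile(''.join(parts), re.IGNORECASE | re.DOTALL)


def contains(field: str, values) -> bool:
    """Sigma 'contains' on a list: any value present in the field."""
    return any(_sigma_regex(v).search(field) for v in values)


def contains_all(field: str, values) -> bool:
    """Sigma 'contains|all': every value present in the field."""
    return all(_sigma_regex(v).search(field) for v in values)


def selection_img(event: dict) -> bool:
    # A list of maps in Sigma is an OR between the maps; string comparison is
    # case-insensitive by default.
    image = event.get('Image', '')
    original = event.get('OriginalFileName', '')
    return image.lower().endswith('\\cmd.exe') or original.lower() == 'cmd.exe'


def selection_cli_1(event: dict) -> bool:
    return contains(event.get('CommandLine', ''), CLI_1_CONTAINS)


def selection_cli_2(event: dict) -> bool:
    cli = event.get('CommandLine', '')
    return contains(cli, CLI_2_CONTAINS) and contains_all(cli, CLI_2_CONTAINS_ALL)


def matches(event: dict) -> bool:
    """condition: selection_img and 1 of selection_cli_*"""
    return selection_img(event) and (selection_cli_1(event) or selection_cli_2(event))


# Constructed sample events; 'name' is only a label for the demonstration.
SAMPLE_EVENTS = [
    {'name': 'hostname-to-temp', 'Image': 'C:\\Windows\\System32\\cmd.exe',
     'OriginalFileName': 'Cmd.Exe',
     'CommandLine': 'cmd.exe /c hostname > %TEMP%\\h.txt'},
    {'name': 'dir-append-public', 'Image': 'C:\\Windows\\System32\\cmd.exe',
     'OriginalFileName': 'Cmd.Exe',
     'CommandLine': 'cmd.exe /c dir >> C:\\Users\\Public\\d.txt'},
    {'name': 'whoami-appdata-local', 'Image': 'C:\\Windows\\SysWOW64\\cmd.exe',
     'OriginalFileName': 'Cmd.Exe',
     'CommandLine': 'cmd.exe /c whoami > C:\\Users\\alice\\AppData\\Local\\Temp\\w.txt'},
    {'name': 'mixed-case', 'Image': 'C:\\Windows\\System32\\CMD.EXE',
     'OriginalFileName': 'Cmd.Exe',
     'CommandLine': 'CMD.EXE /c ipconfig /all > %AppData%\\net.log'},
    {'name': 'powershell-redirect',
     'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'OriginalFileName': 'PowerShell.EXE',
     'CommandLine': 'powershell.exe -c hostname > %TEMP%\\h.txt'},
    {'name': 'benign-build-log', 'Image': 'C:\\Windows\\System32\\cmd.exe',
     'OriginalFileName': 'Cmd.Exe',
     'CommandLine': 'cmd.exe /c msbuild proj.sln > C:\\build\\log.txt'},
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return the labels of the events the rule would alert on."""
    return [e['name'] for e in events if matches(e)]


if __name__ == '__main__':
    for event in SAMPLE_EVENTS:
        print(f"{'ALERT ' if matches(event) else 'ok    '} {event['name']}: {event['CommandLine']}")
```

The two negative cases show the rule's scoping: the PowerShell redirect into `%TEMP%` is outside `selection_img`, and the cmd.exe redirect into `C:\build\` hits neither path list, so `selection_cli_2`'s `' >'` token alone is not enough without the `C:\Users\` and `\AppData\Local\` pair.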