detection.wiki

Detection rules › Sigma

Potential CommandLine Path Traversal Via Cmd.EXE

Severity
high
Author
xknow @xknow_infosec, Tim Shelton
Source
upstream

Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1059.003 Command and Scripting Interpreter: Windows Command Shell

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: all of selection_img

or:
Image|endswith: '\cmd.exe'
OriginalFileName: cmd.exe
ParentImage|endswith: '\cmd.exe'

Stage 2: all of selection_flags

or:
CommandLine|contains: '/c'
CommandLine|contains: '/k'
CommandLine|contains: '/r'
ParentCommandLine|contains: '/c'
ParentCommandLine|contains: '/k'
ParentCommandLine|contains: '/r'

Stage 3: all of selection_path_traversal

or:
CommandLine|contains: '/../../'
ParentCommandLine: '/../../'

Stage 4: not 1 of filter_java

CommandLine|contains: '\Tasktop\keycloak\bin\/../../jre\bin\java'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • /../../ corpus 2 (sigma 2)
  • /c corpus 7 (sigma 7)
  • /k
  • /r corpus 3 (sigma 3)
  • \Tasktop\keycloak\bin\/../../jre\bin\java
Imageends_with
  • \cmd.exe corpus 92 (sigma 92)
OriginalFileNameeq
  • cmd.exe corpus 3 (sigma 3)
ParentCommandLineeq
  • /../../
ParentCommandLinematch
  • /c
  • /k
  • /r
ParentImageends_with
  • \cmd.exe corpus 13 (sigma 13)