Potentially Suspicious CMD Shell Output Redirect

Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1218` System Binary Proxy Execution

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `selection_img`

or:
Image|endswith: '\cmd.exe'
OriginalFileName: Cmd.Exe

Stage 2: `1 of selection_cli_1`

or:
CommandLine|contains: '>?%APPDATA%\'
CommandLine|contains: '>?%TEMP%\'
CommandLine|contains: '>?%TMP%\'
CommandLine|contains: '>?%USERPROFILE%\'
CommandLine|contains: '>?C:\ProgramData\'
CommandLine|contains: '>?C:\Temp\'
CommandLine|contains: '>?C:\Users\Public\'
CommandLine|contains: '>?C:\Windows\Temp\'

Stage 3: `1 of selection_cli_2`

or:
CommandLine|contains: ' >'
CommandLine|contains: '''>'
CommandLine|contains: '">'
CommandLine|contains: 'C:\Users\'
CommandLine|contains: '\AppData\Local\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`>` corpus 2 (sigma 2) `">` `'>` `>?%APPDATA%\` `>?%TEMP%\` `>?%TMP%\` `>?%USERPROFILE%\` `>?C:\ProgramData\` `>?C:\Temp\` `>?C:\Users\Public\` `>?C:\Windows\Temp\` `C:\Users\` corpus 5 (sigma 5) `\AppData\Local\` corpus 8 (sigma 8)
`Image`	ends_with	`\cmd.exe` corpus 92 (sigma 92)
`OriginalFileName`	eq	`Cmd.Exe` corpus 32 (sigma 30, splunk 2)